question

JH-1642 avatar image
0 Votes"
JH-1642 asked JH-1642 commented

How to require the Microsoft Authenticator app for login for specific users

How do I prompt for and require a specific group of users to set up the Microsoft Authenticator app before logging in? I can require users to set up a phone number using either a conditional access policy or on a per-user basis, but I do not wish for my users to use a phone number for MFA, as phone verification is less secure and less convenient. I am aware that I can use "Enable Security Defaults" to require the Authenticator app for all users, but I cannot use this policy because I need it to apply to only a certain subset of users, not all of them.

azure-ad-multi-factor-authenticationazure-ad-conditional-access
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

CristianSPIRIDON72 avatar image
1 Vote"
CristianSPIRIDON72 answered JH-1642 commented

Hi @JH-1642,

MFA verification options can be set per tenant and will be the same for all users that are enabled for MFA.
I don't see anywhere in Azure docs that you can have different MFA verification options for different users.

To set MFA verification options or enable/disable users for MFA you can go to following link:
https://account.activedirectory.windowsazure.com/UserManagement/MfaSettings.aspx

And any CA you set will apply on top.

Hope this helps!

· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

I see not entirely what I was looking for but it gets me part of the way there. I was hoping to avoid having to hassle my long-time users who only have phone MFA, but perhaps this is the incentive to do so. For all the emphasis Microsoft puts on using modern, secure authentication it sure would be nice to have the option to require the Authenticator app for new users while gradually rolling it out to legacy users.

Thank you very much!

1 Vote 1 ·