question

JS-4632 avatar image
0 Votes"
JS-4632 asked JS-4632 answered

Azure MFA best practices - Removing phone and text as an option

We're looking to update and improve our MFA security settings for our Azure portal.

Objectives:
1) All Azure AD users can only login with MFA through A) Authenticator App and/or B) Yubikeys

Problem:
1) When registering a device to for MFA, azure asks for a phone number and without it you cannot progress in registering the device for MFA. Our issue with this is that SIMs are relatively easy to virtually duplicate and weaken MFA as a security feature. We want to make sure that each user can only access the azure portal using an Authenticator app and or a Yubikey.

Question:
How do we disable Azure asking for phone number as an authentication backup method? Without providing a phone number to text it won't let our users go forward with finalizing a device for MFA setup.

Potentially Important Information:
Our license type is: Azure AD Free

azure-active-directoryazure-ad-multi-factor-authentication
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

3 Answers

TKujala avatar image
0 Votes"
TKujala answered

Hi @JS-4632,

Hopefully, this point you in the right direction.

https://docs.microsoft.com/en-us/answers/questions/751070/how-do-you-require-the-authenticator-app-in-azure.html

5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

JamesTran-MSFT avatar image
0 Votes"
JamesTran-MSFT answered

@JS-4632
Thank you for your post!

When it comes to users being prompted to add a phone number, can you see if disabling the "Call to phone" and "Text message to phone" verification options help resolve your issue?
199091-image.png


If the Per-User MFA settings don't resolve your issue, can you see if your Azure Tenant is registered for Combined Registration? If so, you should be able to set the combined security information registration experience feature to "None". For more info.
199064-image.png

You can also check if your tenant is enabled for SSPR, since the phone number could be a required for SSPR purposes and not MFA.
199028-image.png

When it comes to having multiple methods of authentication this should also prevent users from being accidentally locked out of your Azure Active Directory tenant due to the loss of a password, YubiKey, or access to their MS Authenticator.


Additional Links:
Unable to reset password and access authenticator app
Manage emergency access accounts in Azure AD
A user or an administrator forgot his or her password in Office 365, Azure, or Intune


I hope this helps!


If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


image.png (69.7 KiB)
image.png (24.6 KiB)
image.png (49.0 KiB)
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

JS-4632 avatar image
0 Votes"
JS-4632 answered

Oh wow! Both of your answers were fantastic! Thanks so much to you both.

5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.