Howdy folks!
Today, I am excited to announce a set of fantastic enhancements—based on your feedback—to the public preview of our combined registration experience for Multi-Factor Authentication...
My org is just getting around to enabling password self-service reset and we are disappointed that MFA cannot be one of two required items.
Personal Emails are not secure at all so that's out, Office Numbers are useless as half my staff are not in an office. Mobile Number isn't great as if I steal the phone I can just answer it, but with MFA behind it I could be ok with that. Same with Security Questions, they are too easily researched / guessed, but again if I could require MFA then I would be ok with it.
We are so perplexed why we can't save this configuration (see screenshot below). Instead the UI forces you to have enough other options that MFA can be skipped. Stating instead that "You must enable another method to use mobile app or hardware token code". This in my opinion is extremely short-sighted. I get it, you don't want to make it so end users get into situations where they don't have MFA and can't reset their passwords. I say tough for them, they will have to call the helpdesk instead. Let customers decide if they want that or not, reducing security so you don't have to explain the nuance isn't right. As it stands right now I don't think we can use this feature and that is very upsetting.
Also just a side note, "personal email": it's VERY unclear where users set that up, where an IT admin can see them, and most importantly shouldn't they be in the area where other authenticator options are set (like security questions and MFA)?
All that aside, I think you guys are knocking stuff out of the park, hopefully you will consider adjusting this to allow for MFA as a requirement. OR how about leaving it that other items must be required BUT a checkbox that says MFA needs to be one of them?