Hello,
I have experimented a lot and migrated multiple tenants to the new Authentication methods.
What I found was that if you have more than two secondary methods enabled in your tenant in the new Authentication methods in Azure AD, new users can press "use another method" when signing in for the first time and choose SMS (or any of the others) as their primary method. This happens even if you untick "allow sign in" under SMS.
Sure, the new system-preferred MFA setting that is currently being rolled out will (2-6 hours after the new user has logged in) kick in, if enabled, to enforce the strongest of the methods the user signed up with.
However, this setting was not available until very recently. We still want to use SMS or email as a "secondary" method for the password reset functionality, but we wish for the user to only see Microsoft Authenticator as their primary option (first-time sign-in) and not the "use another method" option on the first step of sign-in. In the second step we wish for the user to be able to select email, SMS or another secondary method we have enabled (currently only SMS and email seem to work).
Is it possible to address this?
I did a feedback submission a while back (early 2023).
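As an added example (not part of the original post, and not Microsoft's own documentation or code), the following Microsoft Graph PowerShell snippet reads the tenant's Authentication methods policy so the settings the post talks about can be checked on the policy side: which methods are enabled, whether SMS still has "allow sign-in" set, and whether system-preferred MFA is on. It assumes the Microsoft.Graph PowerShell SDK is installed, that the caller can consent to Policy.Read.All, and that the beta endpoint exposes authenticationMethodsPolicy with the authenticationMethodConfigurations, includeTargets[].isUsableForSignIn and systemCredentialPreferences properties as named here. It only reports the configured state; it does not change what the first-time sign-in picker shows, which is the behaviour the post describes.

```powershell
# Added example, not from the original post. Reads the Authentication methods policy
# via Microsoft Graph (beta) and prints the settings relevant to the question above.
# Assumptions: Microsoft.Graph SDK installed; Policy.Read.All can be consented;
# the beta endpoint returns the property names used below.

Connect-MgGraph -Scopes 'Policy.Read.All'

$policy = Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy'

# Per-method state: e.g. MicrosoftAuthenticator, Sms, Email, Fido2, SoftwareOath ...
'--- Authentication method configurations ---'
foreach ($cfg in $policy.authenticationMethodConfigurations) {
    '{0,-25} {1}' -f $cfg.id, $cfg.state
}

# SMS: the portal's "Allow sign-in" checkbox corresponds to isUsableForSignIn on
# each include target of the Sms configuration (assumed mapping).
'--- SMS include targets ---'
$sms = $policy.authenticationMethodConfigurations | Where-Object { $_.id -eq 'Sms' }
foreach ($t in $sms.includeTargets) {
    '{0,-25} sign-in allowed: {1}' -f $t.id, $t.isUsableForSignIn
}

# System-preferred MFA lives under systemCredentialPreferences: enabled / disabled / default
'--- System-preferred MFA ---'
'state: {0}' -f $policy.systemCredentialPreferences.state

Disconnect-MgGraph | Out-Null
```

If Sms shows state enabled with isUsableForSignIn false on its target, the policy is configured the way the post describes (SMS usable only as a secondary/SSPR method), and any remaining appearance of SMS in the first-time sign-in picker is the client behaviour the post reports rather than a policy misconfiguration.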