Hi Jan, thanks for the good question! In the previous blog we explained how users have two distinct sets of phone numbers:
- Public numbers, which are managed in the user profile and currently only used for MFA if the method is configured for MFA but the corresponding authentication number is empty.
- Authentication numbers, which are used for MFA, managed in Azure AD and always kept private.
As part of this change starting Feb 1, Microsoft will copy synced users' public numbers over to their corresponding authentication numbers only if the public number is currently used for MFA and the corresponding authentication number is empty. That way, all users will continue performing MFA with the same number, but if the user happened to be calling their public number, they would now be calling their authentication number, which is more secure.
Additionally, in order to give customers a few months to transition to managing authentication methods directly in Azure AD, we will keep public and authentication numbers that are used for MFA in sync until May 1. Subsequent updates to a public number will be copied to the corresponding authentication number as follows:
- For synced users, if the public number and corresponding authentication number are the same, also update the authentication number.
- For synced users, if the public number and corresponding authentication number are different, do not update the authentication number (because the authentication number is already out of sync and being used for MFA).
- For synced users, if the public number is deleted, do not delete the corresponding authentication number. Admins should delete authentication numbers directly if necessary.
Admins cannot opt out of this copy task. Hope this helps answer your question!
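The copy and sync rules above, modelled as an added example that is not part of the original reply and is not Microsoft code. The field names, the `phone_mfa` flag, the action labels and the phone numbers are constructed assumptions; the case of a new public number arriving while the authentication number is empty is not covered by the reply and is reported as `unspecified`.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class User:
    name: str
    synced: bool               # "synced user" in the sense used above
    public: Optional[str]      # public number from the user profile
    auth: Optional[str]        # private authentication number
    phone_mfa: bool = True     # assumption: phone method is configured for MFA

def initial_copy(u: User) -> bool:
    """One-time copy: public number is in use for MFA and auth number is empty."""
    if u.synced and u.phone_mfa and u.public and not u.auth:
        u.auth = u.public
        return True
    return False

def on_public_change(u: User, new_public: Optional[str], window_open: bool) -> str:
    """Apply a later public-number change and return the action taken."""
    old_public, u.public = u.public, new_public
    if not (u.synced and window_open):
        return "no-sync"             # only synced users, only during the sync window
    if new_public is None:
        return "auth-kept"           # deleting the public number never deletes auth
    if u.auth and u.auth == old_public:
        u.auth = new_public          # numbers matched, so auth follows the update
        return "auth-updated"
    if u.auth:
        return "auth-diverged"       # already out of sync, auth left untouched
    return "unspecified"             # empty auth number: not covered by the reply

def needs_admin_review(users):
    """Auth numbers that no longer match a public number; admins manage these directly."""
    return [u.name for u in users if u.auth and u.auth != u.public]

def demo():
    users = [                        # constructed sample data
        User("alice", True, "+1 555 0100", None),
        User("bob", True, "+1 555 0101", "+1 555 0199"),
        User("carol", True, "+1 555 0102", None),
    ]
    copied = [u.name for u in users if initial_copy(u)]
    actions = [
        on_public_change(users[0], "+1 555 0110", True),  # matched -> updated
        on_public_change(users[1], "+1 555 0111", True),  # differed -> left alone
        on_public_change(users[2], None, True),           # deleted -> auth kept
    ]
    return copied, actions, needs_admin_review(users)
```

`needs_admin_review` lists the accounts where a stale or divergent authentication number remains in use for MFA after profile changes, which is the set admins would have to clean up directly.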