
Zydrunas_
Mar 01, 2023

MFA/2FA for users - do not allow change "Security info"

We have enabled MFA for the bigger part of our users and noticed a few misconfigurations. We would like to prevent users from changing their own "security info" so only admins could enter their mobile phone numbers for MFA.
Why?
We noticed some users using non-company-owned mobile phone numbers for MFA and this is a security hole that is not acceptable by company policies. Check screenshots.
Also, we would like to use the same phone number that is provided in the user's contact information on the o365 user's card. But in the Azure portal, there is a second setting to add a mobile phone number for the MFA authentication method. Is there an option to use the phone number provided in the o365 users' contact information?
Why?
Imagine when our HR manager adds a new user to o365 and we as admins need to manually add a mobile phone number via the Azure admin portal in the user's authentication method settings.
