Forum Discussion
Modern Authentication - managing, supporting and deploying systems/devices is a nightmare
- Aug 25, 2019
lance-aughey, In my office 365 tenant, I (a global admin) go to Portal.Azure.com \ Azure Active Directory \ Users \ Go to their ID \ Authentication Methods tab \ change the phone number to my cell. The MFA prompts now come to my cell. When finished, I put their phone number back in.
Three quarters of my force (49 IDs, small shop) is on the road, in multiple states throughout the US. This has worked well for me. I have not done the password-less MFA (works with Microsoft Authenticator) for anyone but me, so haven't figured that one out. All my users do the SMS text, which has worked out well, even when rebuilding devices for an existing account. Our devices are Azure-AD-Joined, thus requiring the text when logging on with their ID.
MFA is enforced for all IDs in my tenant. We have the E5 license and the EMS-5 license.
There is also a temporary override switch on the MFA, but I haven't played with that so can't give an opinion here.
You can use named locations/trusted IPs just fine with O365. But yeah, might be tricky for dynamic IPs. Anyway, why are you using the SMS code option? It's considered the least secure one, and as you've noticed already, not really practical either. The recommendation is to configure the Authenticator app where possible, which among other things can also enable users to do a passwordless login.
- lance-aughey, Aug 23, 2019, Iron Contributor
VasilMichev regarding the SMS code, my current existence is supporting an environment where most employees can barely use a smartphone (not a knock on them - they're at the middle or tail end of their careers)...hence the hint of hand-holding in my initial post. Most of these employees don't use TXT/SMS on a regular basis...they will make a call 9 times out of 10 before ever thinking of typing (not joking).
Also, I don't believe the Authenticator app is an option for us because we're not actually using MFA; we use MA which, in the eyes of native Outlook, will use SMS and phone entries if provided by the employee (should they complete the SSPR setup/process). Yet, we still have a few long-time employees who have not completed said process (it's been almost a year).
Lastly, unless something has changed recently (the past few days) or it's been there all along (and I don't know about it), Named Locations and Trusted IPs in Azure aren't possible for those of us subscribing to Office 365 Business Premium. I understand that Microsoft 365 BP provides this as do the many levels of Enterprise subscriptions. Unfortunately, we're a small company and the price-point of these is out of reach at this time. It's a shame too -- the small businesses need all the help we can get. I've worked numerous places that subscribed to E3 and, until coming on-board here, never knew there were so many differences between the Business and Enterprise plans (I thought the license tally of 300 was the only difference -- boy, was I wrong).
Quite frankly, I wish Microsoft would just STOP it with the ongoing and never-ending changes in names, services, options, features, etc. -- it's all I can do (I'm a one person IT Dept) to keep up with this madness...
a] Receive the "here's what's new" campaigns
b] Review each to understand whether or not it's something we want/need and
c] Determine whether or not it's EVEN part of our subscription
SO many times I've conducted research on such notifications, only to run in circles, ultimately concluding that even though one site/page/portal indicates it's available to BP subscribers, there are an equal amount of them that suggest otherwise. :0/
- Aug 25, 2019
The texting etc. has nothing to do with Modern Auth. You have to have MFA on. If you're not using MFA, the only time you would need to use MFA in anything O365 related would be to connect a device to Windows Hello.
- VasilMichev, Aug 24, 2019, MVP
Well configure the phone call method then, really anything is better than SMS. And yes, you will need Azure AD Premium for the trusted IPs functionality, as it's considered part of CA.
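The recurring concern in this thread (users still on SMS, and users who never finished registration) can be checked from the authentication-methods payload that Microsoft Graph returns per user. The following is an added example, not code from any poster or from Microsoft; the three sample users and their method lists are constructed, trimmed to the fields the classification needs.

```python
"""Classify Azure AD users by their registered authentication methods.

Input is the shape of the "value" array returned by Microsoft Graph
GET /users/{id}/authentication/methods. The SAMPLE below is constructed
for this example and is not real tenant data.
"""
from typing import Dict, List

PHONE = "#microsoft.graph.phoneAuthenticationMethod"
AUTHENTICATOR = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"
FIDO2 = "#microsoft.graph.fido2AuthenticationMethod"
WHFB = "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod"
PASSWORD = "#microsoft.graph.passwordAuthenticationMethod"

# Methods that are not SMS/voice and so resist phone-number-based attacks.
STRONG = {AUTHENTICATOR, FIDO2, WHFB}


def classify(methods: List[dict]) -> str:
    """Return 'strong', 'phone-only' or 'unregistered' for one user.

    unregistered: nothing beyond the password (the SSPR/MFA setup the
                  thread mentions was never completed)
    phone-only:   only SMS/voice phone entries, the weakest second factor
    strong:       Authenticator, FIDO2 or Windows Hello is registered
    """
    types = {m.get("@odata.type") for m in methods}
    if types & STRONG:
        return "strong"
    if PHONE in types:
        return "phone-only"
    return "unregistered"


def audit(snapshot: Dict[str, List[dict]]) -> Dict[str, List[str]]:
    """Group UPNs by classification so an admin sees who still needs the
    Authenticator app rolled out or registration chased up."""
    report: Dict[str, List[str]] = {"strong": [], "phone-only": [], "unregistered": []}
    for upn, methods in snapshot.items():
        report[classify(methods)].append(upn)
    return report


# Constructed sample: one user per category.
SAMPLE = {
    "alice@example.com": [{"@odata.type": PASSWORD}, {"@odata.type": AUTHENTICATOR}],
    "bob@example.com": [{"@odata.type": PASSWORD}, {"@odata.type": PHONE, "phoneType": "mobile"}],
    "carol@example.com": [{"@odata.type": PASSWORD}],
}

if __name__ == "__main__":
    for category, users in audit(SAMPLE).items():
        print(f"{category}: {', '.join(users) or '-'}")
```

In a live tenant the same function runs over the per-user responses from Graph (or the objects `Get-MgUserAuthenticationMethod` returns), which is how a one-person IT shop can find the "few long-time employees" who never completed setup without clicking through each account in the portal.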