MrWhiteFr
Copper Contributor
Jun 28, 2023

O365 - MFA - SMS deletion - question about alternatives

Good morning,

First of all, sorry if my English is not good, I go through a translator.

Concerning Office 365, Microsoft announces very soon the end of the MFA by voice and SMS (in summary: removal of the channel by telephone network operator because not secure).

https://m365admin.handsontek.net/changes-to-the-registration-campaign-feature-in-azure-ad/

Microsoft strongly recommends the use of Microsoft Authenticator, available only on smartphones.

So far I have seen that we can exclude users from the "change method" campaign. But I imagine that at some point this will no longer be possible (as was the case for the transition to modern authentication).

Problem: Legally impossible to impose the use of smartphones by our customers. However, Microsoft Authenticator is not available on PC.

I have seen other solutions such as ADFS with authentication by certificate, but with our small customers it will not pass.

Currently I use this application solution with OTP code for small customers, which has the advantage of being installed on a PC unlike Microsoft Authenticator:

https://deepnetsecurity.com/otp-authenticator-app/

Issues:

1 - Will this type of application (OTP challenge) continue to operate based on Microsoft's actions this summer aimed at strengthening the security of their authentication?

2 - Do we know until when we can exclude users from the "change of method" campaigns planned from July 10, 2023?

Thanking you in advance for your answers

  • Microsoft is not disabling the voice/SMS methods currently, they are simply recommending that you switch to another method, where possible. You can opt out of the changes, and for the time being, there is no date that you should be concerned with.
    • MrWhiteFr
      Copper Contributor

      Kidd_Ip 

      Hello gentlemen,

      First of all, thank you for your reassuring feedback.

      On the other hand, if today Microsoft does not remove the MFA by SMS, we can be sure that it will happen in the medium term. This is what happened for the obligation to switch to Modern authentication.

      We can see here in the post of Mr. Alex Weinert the firm intention of Microsoft to rule out the use of SMS:

      https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/it-s-time-to-hang-up-on-phone-transports-for-authentication/ba-p/1751752

      Also, this MFA method change campaign on July 10, 2023 bears witness to this.

      The problem is that switching methods for a large number of users can take time. So if we had an idea of the timeframe, that would help us a lot.

      Does anyone have any idea when Microsoft will completely cut this method? In 6 months? 1 year? 2 years?

      Have a nice day and thank you in advance

      • VasilMichev
        MVP
        When they do decide to pull the plug on it, they will announce it well in advance, including on the Azure AD blog you referenced above.
