MFA, Can not change from SMS to Authenticator app
Hello,
I have an issue with MFA within my tenant. We have been using SMS based MFA for some time now. We would like to move to the Microsoft Authenticator App for MFA.
But for some reason, when a user goes to his / her "security info" page, they see the "Default sign-in method:" as "Phone text".
The authenticator app is configured for a user, but they cannot set it as default.
As an administrator for the tenant, what should I do to enable our users to use the Microsoft Authenticator app as the default authentication method?
- Hi,
I went and did some more research on the Azure admin center. Found out that in the "Security" section -> "Manage" -> "Authentication Methods" -> Microsoft Authenticator was turned off.
After enabling it, I can now change the default sign-in method.
Thanks for your help!
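The check behind the fix in the post above, as an added example that is not part of the original thread: it audits a tenant's authentication methods policy for the state that post found (Microsoft Authenticator turned off while SMS stays on). It assumes the policy JSON has already been exported from Microsoft Graph (`GET /policies/authenticationMethodsPolicy`); the sample policy is constructed and the function names are hypothetical.

```python
import json

# Constructed sample in the shape Microsoft Graph returns for
# GET /policies/authenticationMethodsPolicy (values are not from the thread).
SAMPLE_POLICY = json.loads("""
{
  "authenticationMethodConfigurations": [
    {"id": "MicrosoftAuthenticator", "state": "disabled",
     "includeTargets": [{"targetType": "group", "id": "all_users"}]},
    {"id": "Sms", "state": "enabled",
     "includeTargets": [{"targetType": "group", "id": "all_users"}]}
  ]
}
""")


def audit_policy(policy, wanted="MicrosoftAuthenticator", legacy="Sms"):
    """Return findings explaining why `wanted` may be unusable in a tenant."""
    # Index the per-method configurations by id, case-insensitively.
    configs = {c.get("id", "").lower(): c
               for c in policy.get("authenticationMethodConfigurations", [])}
    findings = []
    cfg = configs.get(wanted.lower())
    if cfg is None:
        findings.append(f"{wanted}: not present in the policy")
    elif cfg.get("state") != "enabled":
        # The condition reported in the thread: method turned off tenant-wide.
        findings.append(f"{wanted}: state is '{cfg.get('state')}'")
    elif not cfg.get("includeTargets"):
        # Enabled, but scoped to nobody, so no user can actually use it.
        findings.append(f"{wanted}: enabled but targets no users or groups")
    old = configs.get(legacy.lower())
    if old is not None and old.get("state") == "enabled":
        findings.append(f"{legacy}: still enabled")
    return findings


def audit_tenants(policies):
    """Map tenant label -> findings, keeping only tenants with findings."""
    report = {name: audit_policy(p) for name, p in policies.items()}
    return {name: f for name, f in report.items() if f}


if __name__ == "__main__":
    for tenant, found in audit_tenants({"constructed-tenant": SAMPLE_POLICY}).items():
        for line in found:
            print(f"{tenant}: {line}")
```

Run over one exported policy per tenant, this makes the odd tenant out visible without clicking through each admin portal.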
Hello, the easy and quick way is to enable Security defaults ("Azure Active Directory security defaults | Microsoft Docs") (only the Authenticator app), but if you're using a subscription with conditional access for more granular control you should enter the Azure AD MFA settings to verify the authentication methods you provide to your users ("Configure Azure AD Multi-Factor Authentication - Azure Active Directory | Microsoft Docs").
Set up the Microsoft Authenticator app as your verification method - Azure AD | Microsoft Docs
- vtekfi, Copper Contributor
ChristianJBergstrom Thanks for the reply.
I checked and confirmed that Security defaults is turned on. There is no conditional access set up. All licenses are either Business Basic or Business Standard. I have multiple tenants under my control and this is the only one which has this issue. Like said, users can set up the Microsoft Authenticator app, but cannot set it as the default sign-in method.
Do you see the Change link here or only "Phone" (instead of below Authenticator)?
https://mysignins.microsoft.com/security-info
What makes me wonder is "these free security defaults allow registration and use of Azure AD Multi-Factor Authentication using only the Microsoft Authenticator app using notifications."
Thinking you might hit a bug or something. Perhaps raise a case with Microsoft?
- IftyMM_06, Brass Contributor
There is an even easier solution.
I tried Clerk Chat. They enable a non-VoIP number on Teams and I get all my MFA codes on that number directly on Teams.
It's really handy. 😊
- Des_Shiels, Copper Contributor
Unless you're using Conditional Access Policies to require MFA to log into Teams as well via Modern Auth client Apps - then you're in a world of hurt as you'll need to Authenticate via MFA in order to log into Teams to get your codes (chicken and egg scenario).