Forum Discussion

BobHerman
Copper Contributor
May 05, 2020
Solved

Why is MFA requiring App Authentication & Not Allowing User to Select Phone Verification Method

Hi:

I set up MFA for the organization using: https://docs.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide

Then I also enabled MFA for all users at Settings > Settings > Azure multi-factor authentication.

Now when users try to log on, it's requiring them to use the app verification method, i.e. the drop-down only has app verification without the option to change it to phone verification. I want them to be able to choose phone verification so they can get a code sent to their mobile phone via SMS.

Thank you!


  • BobHerman 

    Did you set up the Security Defaults which are referenced in the link you posted?

    Also, when you set it up from the second option, which of the verification options in the Service settings did you select, as shown below?


    • BobHerman
      Copper Contributor

      PeterRising 

      Yes, I did set up the Security Defaults in Azure.

      For the MFA service settings, I did not change anything, i.e. I left the defaults as shown in the following screenshot:


      • PeterRising
        MVP

        BobHerman 

        OK, so Security Defaults is why this is happening. You will see from this page - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults - under deployment considerations, and as shown in the image below:

        Security Defaults only allows notification through the mobile app.

        I'm not a great fan of the security defaults as it gives you very little control over things and is not granular. I would recommend setting up MFA by using Azure AD Conditional Access policies instead. You will need an Azure AD Premium P1 subscription for all of your users to achieve this, however.
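A quick way to confirm which mechanism is enforcing MFA in a tenant before chasing the method drop-down: the script below is an added example, not code from the thread or from Microsoft, and it assumes the Microsoft.Graph PowerShell module is installed and the signed-in admin can be granted the Policy.Read.All permission. It reads the tenant-wide Security Defaults policy and lists any Conditional Access policies that require MFA.

```powershell
# Added example (not from the original thread). Assumes the Microsoft.Graph
# PowerShell module is installed and the caller can consent to Policy.Read.All.
Connect-MgGraph -Scopes "Policy.Read.All"

# Security Defaults is a single tenant-wide policy object; when isEnabled is true,
# users are only offered the Microsoft Authenticator app for MFA and the per-user
# MFA service settings (SMS, phone call) are not honoured.
$sd = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/policies/identitySecurityDefaultsEnforcementPolicy"

if ($sd.isEnabled) {
    Write-Host "Security Defaults is ENABLED: only the Authenticator app will be offered for MFA."
    Write-Host "Disable Security Defaults and use Conditional Access (Azure AD Premium P1) for method choice."
} else {
    Write-Host "Security Defaults is disabled; MFA is governed by per-user settings and/or Conditional Access."
}

# Conditional Access policies whose grant controls require MFA.
$ca = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

$mfaPolicies = $ca.value | Where-Object {
    $_.grantControls -and ($_.grantControls.builtInControls -contains "mfa")
}

if ($mfaPolicies) {
    Write-Host "Conditional Access policies requiring MFA:"
    $mfaPolicies | ForEach-Object {
        Write-Host ("  {0} [state: {1}]" -f $_.displayName, $_.state)
    }
} else {
    Write-Host "No Conditional Access policy currently requires MFA."
}
```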
