Forum Discussion
Why is MFA requiring App Authentication & Not Allowing User to Select Phone Verification Method
Did you set up the Security Defaults which are referenced in the link you posted?
Also, when you set it up from the second option, which of the verification options in the Service settings did you select, as shown below?
- BobHerman, May 05, 2020, Copper Contributor
Yes, I did set up the Security Defaults in Azure.
For the MFA service settings, I did not change anything, i.e. I left the defaults as shown in the following screenshot:
- PeterRising, May 06, 2020, MVP
OK, so Security Defaults is why this is happening. You will see from this page - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults - under deployment considerations, and as shown in the image below:
Security Defaults only allows notification through the mobile app.
I'm not a great fan of the Security Defaults as they give you very little control over things and are not granular. I would recommend setting up MFA by using Azure AD Conditional Access policies instead. You will need an Azure AD Premium P1 subscription for all of your users to achieve this, however.
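As an added illustration of the answer above (example code, not from the thread or from Microsoft's documentation), this Microsoft Graph PowerShell script shows how to confirm that Security Defaults are the cause and how to replace them with a Conditional Access policy that requires MFA for all users. It assumes the Microsoft.Graph PowerShell SDK, an account with Conditional Access write permissions, Azure AD Premium P1 licensing, and a placeholder object ID for an emergency-access account.

```powershell
# Added example: inspect Security Defaults and replace them with a
# Conditional Access MFA policy. Not part of the original thread.
Connect-MgGraph -Scopes "Policy.Read.All","Policy.ReadWrite.ConditionalAccess"

# 1. When IsEnabled is $true, MFA registration is limited to the
#    Authenticator app push notification, which is why users cannot
#    choose SMS / phone-call verification.
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Host "Security Defaults enabled: $($defaults.IsEnabled)"

# 2. Build a Conditional Access policy requiring MFA for all users on
#    all cloud apps. Start in report-only mode so the sign-in logs show
#    who would be affected before anything is enforced. An emergency
#    access ("break-glass") account is excluded so an MFA outage cannot
#    lock out every administrator.
$breakGlassId = "<PLACEHOLDER-BREAK-GLASS-OBJECT-ID>"   # assumption: replace with your own
$policy = @{
    displayName = "Require MFA for all users"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassId)
        }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"

# 3. Security Defaults and enforced Conditional Access policies are
#    mutually exclusive. Once the report-only results look right, turn
#    Defaults off and enforce the policy in the same step so there is no
#    window in which no MFA requirement applies at all.
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$false
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
    -BodyParameter @{ state = "enabled" }
```

After step 3, users can register SMS or phone-call verification (subject to the MFA Service settings), and the report-only period in step 2 is where you verify that the break-glass exclusion and the user scope behave as intended.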
- BobHerman, May 06, 2020, Copper Contributor
Thank you! After disabling Security Defaults, users can now set up MFA using the phone verification method (SMS to mobile phone).
It's best to enable Modern Authentication, correct, which I've done? But I thought this means if they have Outlook 2013 SP1 or later then it won't ask them for MFA every time they start Outlook. It is asking every time, as well as for Teams. I guess instructing users to create app passwords is the way to avoid this, ay? Or, I guess if I check the box in MFA Service Settings to allow them to remember on devices for X days then it won't keep asking?
The Conditional Access page in Azure wants me to subscribe to ENTERPRISE MOBILITY + SECURITY E5 or to AZURE AD PREMIUM P2, not giving me P1 as an option. Both look quite pricey since they're per user.