Forum Discussion
Why is MFA requiring App Authentication & Not Allowing User to Select Phone Verification Method
OK, so Security Defaults is why this is happening. You will see from this page - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults - under deployment considerations, and as shown in the image below;
Security Defaults only allows notification through the mobile app.
I'm not a great fan of the security defaults as it gives you very little control over things and is not granular. I would recommend setting up MFA by using Azure AD Conditional Access policies instead. You will need an Azure AD Premium P1 subscription for all of your users to achieve this however.
Yes, I did setup the Security Defaults in Azure.
For the MFA service settings, I did not change, i.e. I left the defaults as shown in following screenshot:
ā
OK, so Security Defaults is why this is happening. You will see from this page - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults - under deployment considerations, and as shown in the image below;
Security Defaults only allows notification through the mobile app.
I'm not a great fan of the security defaults as it gives you very little control over things and is not granular. I would recommend setting up MFA by using Azure AD Conditional Access policies instead. You will need an Azure AD Premium P1 subscription for all of your users to achieve this however.
Thank you! After disabling Security Defaults, users can now setup MFA using phone verification method (SMS to mobile phone).
It's best to enable Modern Authentication, correct, which I've done? But I thought this means if they have Outlook 2013 SP1 or later then it won't ask them for MFA every time they start Outlook. It is asking every time, as well as for Teams. I guess instructing users to create app passwords is the way to avoid this, ay? Or, I guess if I check the box in MFA Service Settings to allow them to remember on devices for X days then it won't keep asking?
The Conditional Access page in Azure wants me to subscribe to ENTERPRISE MOBILITY + SECURITY E5 or to AZURE AD PREMIUM P2, not giving me P1 as an option. Both look quite pricey since they're per user.
Azure AD Premium P1 is definitely an option for you. Can you find it from the Admin Center if you do a search under the billing section?
Definitely worth getting if you can justify the cost, as it enables you to bypass MFA for trusted locations. With your current licensing option, you can as you say tick the box to remember MFA on devices for a number of days. I'm not hugely keen on this as it negates the point of MFA, and is far less secure than the options in Conditional Access, but I also get that you have to work with what you have, and you need to strike a balance between security and user convenience.
Bottom line for me though - get AD Premium P1 if you can.
BobHerman Just a heads up, don't know what subscription you're using now though.
PeterRising BobHerman Hello, I am fan of Identity Protection and the associated MFA registration policy as well https://docs.microsoft.com/sv-se/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy but then you'd need Azure AD Premium P2 license. I must say though that 'security defaults' is a great feature as it's available to everyone.
Agreed, I love Identity Protection too. Also agree that Security Defaults are good as a free feature. You do have to be very careful enabling them though, as they are an all or nothing thing and can have a sledgehammer effect.
