Forum Discussion

natem395
Copper Contributor
Jun 02, 2025

Unwanted MFA Method Options Displayed During Login

We have DUO configured and enforced as an MFA provider via an external authentication method setup.

However, during the login process, users are still being presented with additional method options, including:
• Email (Receive a code to reset password)
• Hardware token (Sign in with a code from a hardware token)
• Phone (Call or text)
• Microsoft Authenticator
We want to remove at minimum the Email and Hardware token options from being shown, as these are not approved methods in our security policy. They are shown as disabled in Entra with the screenshots provided.

What's been done:
• DUO is configured as an external authentication method
• An exemption group has been added in the Azure AD Authentication Methods policy to exclude users from using SMS and Microsoft Authenticator, yet users are still prompted to set up another authentication method during login

We are in the process of transitioning users over to DUO, so we still need to have Microsoft Authenticator as an option, but we want users who are configured to use the DUO authentication method to not require another form

3 Replies

  • natem395
    Copper Contributor

    Thanks for the clarification. However, we're still seeing unexpected behavior:

    We are not using Email as an MFA method, and we understand this is part of the registration process, not a direct MFA prompt.

    The issue is that users are being prompted to register additional methods, including Microsoft Authenticator, Hardware Token, etc., which we do not want to allow.

    We have DUO configured as the only MFA method, and we've already added the relevant users to the exclusion group for Microsoft Authenticator and SMS under the Authentication Methods policy.

    When attempting to address this:

    All options under Entra portal > Password reset > Authentication methods are greyed out, so we cannot disable "Email" as a self-service password reset method. Screenshot attached.

    Clicking on "Authentication Methods Policy" just redirects back to the configured methods page, where we already have our DUO enforcement and exclusions in place.

    Despite these settings, users are still being prompted to set up Email and other legacy methods upon login or during security info registration.

    Can you confirm if this is a limitation of the current migration state between legacy and converged registration experience, or if there's a specific setting configuration that is preventing us from disabling these prompts?

    Ultimately, our goal is to completely suppress the registration of any other methods and rely only on DUO for MFA, without prompting users to set up fallback methods.

  • Methods such as email cannot be used for MFA; what you are seeing is the registration process, not an actual MFA prompt. As for registration, the self-service password reset feature is the one surfacing the email method in particular, so if you don't want users to be able to configure it, toggle it under the Entra portal > Password reset > Authentication methods. More details, for example, here: How to migrate to the Authentication methods policy - Microsoft Entra ID | Microsoft Learn

    • natem395
      Copper Contributor

      All of those methods are greyed out and it is saying they can be managed in the "authentication methods policy". I click that and it brings me right back to the authentication methods which I have configured. Every time I sign in it also pops up with "your organization requires you to set up an authentication method" even though I have that group excluded from Microsoft Authenticator in the Auth Methods of Entra.

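The thread turns on two things the portal does not show side by side: how far the tenant's migration to the converged Authentication methods policy has progressed (the state the original poster asks about), and which methods the converged policy, rather than the legacy SSPR page, currently has enabled. The following added example (not posted by anyone in the thread) pulls both from Microsoft Graph with the Microsoft Graph PowerShell SDK so the registration prompt can be traced to a concrete policy setting before anything is toggled. It assumes the Microsoft.Graph module is installed and the signed-in admin can consent to the listed read scopes; the UPN is a constructed placeholder.

```powershell
# Added example, not from the thread: read-only inspection of the converged
# Authentication methods policy and one user's registered methods.
# Assumes the Microsoft.Graph PowerShell SDK; scopes below are read-only.
Connect-MgGraph -Scopes "Policy.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome

# 1. Migration state of the tenant's authentication methods policy.
#    Values are preMigration, migrationInProgress or migrationComplete. Until it is
#    migrationComplete, the legacy SSPR and per-user MFA settings are still honoured
#    alongside the converged policy, which is one source of "unexpected" prompts.
$policy = Get-MgPolicyAuthenticationMethodPolicy
"Policy migration state: $($policy.PolicyMigrationState)"

# 2. Every method configuration in the converged policy and whether it is enabled.
#    The Email entry here is the Email OTP method; it is distinct from the legacy
#    SSPR 'Email' checkbox that appears greyed out after migration.
Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration |
    Select-Object Id, State |
    Format-Table -AutoSize

# 3. Registration campaign setting that drives the "set up an authentication
#    method" interrupt at sign-in (default / enabled / disabled).
"Registration campaign: $($policy.RegistrationEnforcement.AuthenticationMethodsRegistrationCampaign.State)"

# 4. What a specific user has actually registered, to compare against the policy.
$upn = "user@contoso.example"   # constructed placeholder, replace with a real UPN
Get-MgUserAuthenticationMethod -UserId $upn |
    Select-Object Id, @{ Name = 'Type'; Expression = { $_.AdditionalProperties['@odata.type'] } } |
    Format-Table -AutoSize
```

Reading the output in that order separates the cases: a state other than migrationComplete means the greyed-out SSPR page is still part of the picture; a method that shows State = enabled in step 2 is the one driving the registration prompt regardless of the legacy page; and step 4 shows whether a given user's prompt is for a method they never registered or one the policy still counts as required.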