Unwanted MFA Method Options Displayed During Login

Thanks for the clarification. However, we’re still seeing unexpected behavior:

We are not using Email as an MFA method, and we understand this is part of the registration process, not a direct MFA prompt.

The issue is that users are being prompted to register additional methods, including Microsoft Authenticator, Hardware Token, etc. which we do not want to allow.

We have DUO configured as the only MFA method, and we've already added the relevant users to the exclusion group for Microsoft Authenticator and SMS under the Authentication Methods policy.

When attempting to address this:

All options under Entra portal > Password reset > Authentication methods are greyed out, so we cannot disable "Email" as a self-service password reset method. Screenshot attached

Clicking on “Authentication Methods Policy” just redirects back to the configured methods page, where we already have our DUO enforcement and exclusions in place.

Despite these settings, users are still being prompted to set up Email and other legacy methods upon login or during security info registration.

Can you confirm if this is a limitation of the current migration state between legacy and converged registration experience, or if there's a specific setting configuration that is preventing us from disabling these prompts?

Ultimately, our goal is to completely suppress the registration of any other methods and rely only on DUO for MFA, without prompting users to set up fallback methods.