Forum Discussion
Restrict Global Admin MFA Methods
shannonhamby Hi, well, for what it's worth, this is the guidance for protecting your global administrator accounts: https://docs.microsoft.com/en-us/microsoft-365/enterprise/protect-your-global-administrator-accounts?view=o365-worldwide
As for separating them using different secondary authentication methods, I'm only aware of the authenticator app being the default and only option when using the built-in "Security defaults", that is, if you don't configure the MFA service settings so that when your users enroll their accounts they choose their preferred verification method from the options that you have enabled: https://docs.microsoft.com/sv-se/azure/active-directory/authentication/howto-mfa-mfasettings#enable-and-disable-verification-methods
When using legacy MFA it's per-user, and best practice is that you should be using either Security Defaults or Conditional Access policies to require MFA.
MFA support in Microsoft 365 (plans)
https://docs.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/multi-factor-authentication-microsoft-365?view=o365-worldwide#mfa-support-in-microsoft-365
Using these methods together (enabled/disabled)
https://docs.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/multi-factor-authentication-microsoft-365?view=o365-worldwide#using-these-methods-together
Perhaps not what you're looking for but hopefully getting you in the right direction.
- shannonhamby, Sep 24, 2020, Copper Contributor
Thank you much for the information. Unfortunately we were hoping to have a separate registration policy for our global admins, but from what you had posted and everything else I have been looking at it does not appear that this is an option.
Again, thank you ChristianBergstrom
- ChristianBergstrom, Sep 24, 2020, Silver Contributor
shannonhamby No worries! You can certainly separate users/groups and admins using different policies, but I'm not aware of a way to force them to use different verification options as set in the MFA settings. As far as I know it's a "tenant setting", but then again I don't usually configure these settings.
I did notice an identical request in the Azure feedback forum though but no response from MS.
Anyone know if this can be done? VasilMichev PeterRising Thanks!
Ex.
Group A - Call to phone (only)
Group B - Text message to phone (only)
Group C - Verification code from mobile app or hardware token (only)
- VasilMichev, Sep 24, 2020, MVP
Not possible AFAIK; you can block specific options globally, or leave it to the users themselves. Perhaps in the future we will be able to scope this on a group basis, much like we can do for primary/passwordless auth today (https://portal.azure.com/#blade/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/AdminAuthMethods)
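Since the thread concludes that verification methods cannot be restricted per group, a compensating control is to audit what the Global Administrators have actually registered and flag accounts that rely on phone call or SMS alone. The script below is an added example written for this page, not code posted by any of the participants or shipped by Microsoft. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account holds a role allowed to read other admins' authentication methods (Privileged Authentication Administrator or Global Administrator); the role template ID used is the well-known fixed value for Global Administrator, and the split between "phone" and "strong" method types is an assumption made for this audit.

```powershell
# Added example (not from the thread): report which MFA methods each Global Administrator
# has registered, so phone-only admins can be spotted even though methods cannot be
# restricted per group. Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'UserAuthenticationMethod.Read.All', 'User.Read.All'

# Well-known role template ID of the Global Administrator role
$gaTemplateId = '62e90394-69f5-4237-9190-012177145e10'
$gaRole = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplateId'"
if (-not $gaRole) { throw 'Global Administrator role has not been activated in this tenant.' }

# Classification used by this audit (assumption): phone methods are call/SMS,
# strong methods are app, FIDO2, OATH token and Windows Hello for Business.
$phoneTypes  = @('#microsoft.graph.phoneAuthenticationMethod')
$strongTypes = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
)

$report = foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id) {
    # Role members may be users, groups or service principals; only users register MFA methods
    if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

    $methods = Get-MgUserAuthenticationMethod -UserId $member.Id
    $types   = $methods | ForEach-Object { $_.AdditionalProperties['@odata.type'] } | Sort-Object -Unique
    $hasStrong = [bool]($types | Where-Object { $strongTypes -contains $_ })
    $hasPhone  = [bool]($types | Where-Object { $phoneTypes  -contains $_ })

    [pscustomobject]@{
        UserPrincipalName = $member.AdditionalProperties['userPrincipalName']
        Methods           = (($types -replace '#microsoft\.graph\.', '') -join ', ')
        HasStrongMethod   = $hasStrong
        PhoneOnly         = ($hasPhone -and -not $hasStrong)
        # Password only (or email, which serves SSPR, not MFA): no usable second factor at all
        NoSecondFactor    = (-not $hasPhone -and -not $hasStrong)
    }
}

# Phone-only and second-factor-less admins sort to the top for follow-up
$report | Sort-Object NoSecondFactor, PhoneOnly -Descending | Format-Table -AutoSize
```

The output lists each Global Administrator with the method types registered on the account; accounts showing `PhoneOnly` or `NoSecondFactor` as `True` are the ones to follow up on, for example by having them register the authenticator app or a FIDO2 key and then disabling the weaker verification options tenant-wide, as the thread notes is the only scope available.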