Feb 07 2020 - last edited on Jul 24 2020
I understand that Azure AD Admin accounts "two-gate policy requires two pieces of authentication data, such as an email address, authenticator app, or a phone number."
Can the 2 auth pieces be set as auth app and phone number only? No email address.
Feb 10 2020 08:46 AM
I don't believe that's possible. While the admin page you reference does mention, as you say, the option to pick 2 of the 3 (i.e. email address, authenticator app, phone number), I've never actually received the option as an admin user to use an authenticator app for SSPR. It's always been mobile phone number and email.
I did a quick test there on my test tenant and that looks to still be the case. The SSPR policy for administrators can't be modified (the one for users can), so I'm afraid it appears you're stuck with the email address requirement.