Standard users not getting SMS as an MFA verification option - Only getting App

%3CLINGO-SUB%20id%3D%22lingo-sub-1314361%22%20slang%3D%22en-US%22%3EStandard%20users%20not%20getting%20SMS%20as%20an%20MFA%20verification%20option%20-%20Only%20getting%20App%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1314361%22%20slang%3D%22en-US%22%3E%3CP%3EMy%20users%20get%20an%20error%3A%20Additional%20security%20verification%20Mobile%20app%20verification%20option%20is%20not%20enabled%20for%20your%20organization.%20Contact%20your%20IT%20admin.%20My%20global%20admin%20can%20setup%20SMS%20verification%20no%20problem%20but%20standard%20users%20do%20not%20get%20the%20option.%20I've%20enabled%20in%20within%20the%20MFA%20settings.%20I%20have%20users%20that%20do%20not%20have%20smart%20phones%20and%20only%20receive%20texts.%20Can%20anyone%20tell%20me%20why%20this%20error%20is%20coming%20up%20for%20non%20admin%20users%3F%20where%20can%20I%20enable%20sms%20as%20an%20option%20for%20verification%20for%20standard%20users%3F%20Could%20this%20be%20because%20I%20have%20them%20setup%20with%20AD%20Connect%20syncing%20passwords%20from%20AD%3F%20I%20wouldn't%20think%20so%20because%20ultimately%20it's%20still%20AAD%20that%20is%20authenticating%20them.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1314361%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIdentity%20Management%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1314515%22%20slang%3D%22en-US%22%3ERe%3A%20Standard%20users%20not%20getting%20SMS%20as%20an%20MFA%20verification%20option%20-%20Only%20getting%20App%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1314515%22%20slang%3D%22en-US%22%3E%3CP%3EHI%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F618279%22%20target%3D%22_blank%22%3E%40Jtaber%3C%2FA%3E%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECould%20you%20check%20the%20setting%20in%20screenshot%20attached%20exist%20in%20your%20tenant%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks!%3C%2FP%3E%3CP%3EMoe%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1315962%22%20slang%3D%22en-US%22%3ERe%3A%20Standard%20users%20not%20getting%20SMS%20as%20an%20MFA%20verification%20option%20-%20Only%20getting%20App%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1315962%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%2C%3CBR%20%2F%3E%3CBR%20%2F%3EThanks%20for%20the%20quick%20reply.%26nbsp%3B%20I've%20toggled%20this%20off%20and%20now%20my%20users%20have%20the%20option%20to%20use%20a%20phone%20after%20I%20enable%20MFA%20for%20them%20individually.%3CBR%20%2F%3E%3CBR%20%2F%3EI'd%20prefer%20to%20keep%20best%20practices%20(IE%3A%20Default%20Security)%20but%20this%20instance%20forces%20me%20to%20disable%20it%20so%20that%20I%20can%20toggle%20on%20SMS%20for%20a%20user%20without%20a%20smart%20phone%20-%20YUP%20-%20I%20found%20someone%20that%20seriously%20doesn't%20have%20a%20smart%20phone.%20%26nbsp%3B%20%3A)%3C%2Fimg%3E%3CBR%20%2F%3E%3CBR%20%2F%3EThat%20being%20said%2C%20and%20I'd%20like%20to%20maintain%20default%20security%20for%20them.%26nbsp%3B%20Is%20there%20any%20suggestions%20or%20resources%20you%20may%20direct%20me%20to%20for%20best%20practices%20that%20I%20may%20read%20or%20educate%20myself%20with%20for%20current%20best%20practices%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20again%20for%20the%20quick%20response%20-%20this%20was%20very%20helpful.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EJohn%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1316029%22%20slang%3D%22en-US%22%3ERe%3A%20Standard%20users%20not%20getting%20SMS%20as%20an%20MFA%20verification%20option%20-%20Only%20getting%20App%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1316029%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20article%20above%20details%20which%20settings%20exactly%20the%20%22security%20defaults%22%20configure.%20They%20are%20mostly%20intended%20for%20smaller%20shops%2C%20and%20as%20long%20as%20you%20have%20Azure%20AD%20P1%20or%20equivalent%20licenses%2C%20you%20can%20ignore%20them%20and%20configure%20Conditional%20access%20policies%20instead%2C%20which%20give%20you%20a%20lot%20more%20flexibility.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1315068%22%20slang%3D%22en-US%22%3ERe%3A%20Standard%20users%20not%20getting%20SMS%20as%20an%20MFA%20verification%20option%20-%20Only%20getting%20App%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1315068%22%20slang%3D%22en-US%22%3E%3CP%3EIf%20you%20have%20security%20defaults%20enabled%2C%20only%20the%20mobile%20app%20will%20work%2C%20other%20methods%20are%20toggled%20off%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Ffundamentals%2Fconcept-fundamentals-security-defaults%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Ffundamentals%2Fconcept-fundamentals-security-defaults%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor

My users get an error: Additional security verification Mobile app verification option is not enabled for your organization. Contact your IT admin. My global admin can setup SMS verification no problem but standard users do not get the option. I've enabled in within the MFA settings. I have users that do not have smart phones and only receive texts. Can anyone tell me why this error is coming up for non admin users? where can I enable sms as an option for verification for standard users? Could this be because I have them setup with AD Connect syncing passwords from AD? I wouldn't think so because ultimately it's still AAD that is authenticating them.

4 Replies
Highlighted

HI @Jtaber,

 

Could you check the setting in screenshot attached exist in your tenant?

 

Thanks!

Moe

Highlighted

If you have security defaults enabled, only the mobile app will work, other methods are toggled off: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-d...

@Vasil Michev,

Thanks for the quick reply.  I've toggled this off and now my users have the option to use a phone after I enable MFA for them individually.

I'd prefer to keep best practices (IE: Default Security) but this instance forces me to disable it so that I can toggle on SMS for a user without a smart phone - YUP - I found someone that seriously doesn't have a smart phone.   :)

That being said, and I'd like to maintain default security for them.  Is there any suggestions or resources you may direct me to for best practices that I may read or educate myself with for current best practices?

 

Thanks again for the quick response - this was very helpful.

 

John

 

Highlighted

The article above details which settings exactly the "security defaults" configure. They are mostly intended for smaller shops, and as long as you have Azure AD P1 or equivalent licenses, you can ignore them and configure Conditional access policies instead, which give you a lot more flexibility.