Forum Discussion
Disabling authentication methods in Entra having no effect
Fairly new to MS365 here and we're trying to restrict which MFA methods our users can use. We want our users to be able to either use the Authenticator app or a FIDO2 key depending on their role, in addition to a TAP to do the initial login.
We're testing disabling various methods via the Authentication methods page in Entra. As a representative test we set TAP to disabled and it gave an error when I attempted to issue a TAP for a user via the user's Authentication methods page in Intune.
However we don't get consistent results with other auth methods: Authenticator, Security key (FIDO2) and SMS. I put a specific group in the 'Enable and target' > 'Exclude' section for all 3 and was still able to configure Authenticator and a phone for SMS. When viewing the methods configured for the user, only the security key was listed under 'unusable methods'; hence the policies for Authenticator and SMS appear to have no effect. Similar tests with just one auth method yield the same result.
Is there something we're doing or understanding wrongly about how these policies work?
- Some methods can also be used for the Self-service password reset feature, so make sure you remove them therein as well: https://portal.azure.com/#view/Microsoft_AAD_IAM/PasswordResetMenuBlade/~/AuthenticationMethods
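One way to verify what the tenant-wide policy actually contains for each method (state, include targets and exclude targets) and what methods a given user has registered, without relying on the portal views, is to read the objects back through Microsoft Graph. This is an added example and not code from the thread or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK is installed, that the caller holds the `Policy.Read.All` and `UserAuthenticationMethod.Read.All` permissions, and that the group and user identifiers are replaced with real values (the ones below are placeholders).

```powershell
# Added example: dump the Authentication methods policy and a user's
# registered methods via Microsoft Graph to check whether an exclusion
# group is really attached to Authenticator, SMS and FIDO2.

Connect-MgGraph -Scopes "Policy.Read.All", "UserAuthenticationMethod.Read.All"

# Placeholders, replace with the object id of the group used in
# 'Enable and target' > 'Exclude' and a UPN of an affected user.
$excludeGroupId = "00000000-0000-0000-0000-000000000000"
$userUpn        = "test.user@contoso.example"

# Invoke-MgGraphRequest returns a hashtable, which keeps the raw
# property names (includeTargets, excludeTargets) regardless of SDK typing.
$policy = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy"

foreach ($cfg in $policy.authenticationMethodConfigurations) {
    # Only the methods from the question are of interest here.
    if ($cfg.id -notin @("MicrosoftAuthenticator", "Sms", "Fido2", "TemporaryAccessPass")) { continue }

    $includes = @($cfg.includeTargets | ForEach-Object { $_.id })
    $excludes = @($cfg.excludeTargets | ForEach-Object { $_.id })

    [pscustomobject]@{
        Method            = $cfg.id
        State             = $cfg.state
        IncludeTargets    = ($includes -join ", ")
        ExcludeTargets    = ($excludes -join ", ")
        ExcludeGroupFound = ($excludes -contains $excludeGroupId)
    }
}

# Registered methods for the test user. The odata.type of each entry tells
# which method it is (e.g. #microsoft.graph.phoneAuthenticationMethod for SMS,
# #microsoft.graph.microsoftAuthenticatorAuthenticationMethod for the app).
$methods = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/users/$userUpn/authentication/methods"

$methods.value | ForEach-Object {
    [pscustomobject]@{ Type = $_.'@odata.type'; Id = $_.id }
}
```

If `ExcludeGroupFound` is `False` for a method that looks excluded in the portal, the change was not saved to the policy object, which would explain why the user could still register that method. Note that this reads the Entra authentication methods policy only; the separate legacy SSPR method settings mentioned in the reply above are not part of this object, so a method removed here can still be usable for password reset until it is removed there too.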