Office 365 Admins and MFA - Restrict to use App only, not allow SMS or voice?

Jez Blight
Occasional Contributor
Hi, I'm wondering if it's possible in Office 365 w. E3 licence to set up MFA for Admins so the only authentication method they can use is app only (e.g. Azure Authenticator), not SMS or voice. All other non-admins should be able to use any method.
Does anyone know a way to do this? The articles I've read indicate that MFA is global for all users no matter what privilege they hold, but there must be a way?
Thanks in advance
6 Replies

Nope. You can disable specific methods, but the configuration will indeed apply to all users.

Hi Vasil, thanks for confirming. Is there any 2FA solution you could recommend trying? Thanks again,

The Server (on-premises) version of Azure MFA allows you to configure the default method for each user, so if you block all others they will only be able to use the app. However, the block settings will again apply to all users.

I set up my O365 E3 IDs individually, turning off/on MFA for each ID. Since Microsoft has released PowerShell modules that accept MFA connection for Exchange and Skype, I've found MFA workable for Admin IDs.

I have also found Outlook on the desktop and Skype 2016 on the desktop ... to work nicely with MFA. I had to change an MFA setting in Exchange and Skype, because my O365 setup has been around since the beginning and the setting was turned off by default.

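Where is the setting found to restrict globally to mobile app? I don't want to involve SMS text messages or phone calls.

Never mind... I found it here:

https://docs.microsoft.com/en-us/office365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide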