SOLVED

Office 365 MFA using code sent to email, instead of getting request on Microsoft Authenticator

%3CLINGO-SUB%20id%3D%22lingo-sub-3215270%22%20slang%3D%22en-US%22%3EOffice%20365%20MFA%20using%20code%20sent%20to%20email%2C%20instead%20of%20getting%20request%20on%20Microsoft%20Authenticator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3215270%22%20slang%3D%22en-US%22%3E%3CP%3EI%20am%20working%20on%20a%20tenant%20which%20have%20400%2B%2B%20sites%2C%20and%20we%20need%20to%20force%20this%20permission%20settings%20for%20external%20user%20sharing%3A-%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3ESet%20the%20share%20permissions%20on%20all%20sites%20to%20allow%20for%20only%20external%20users%20if%20they%20are%20invited%20by%20email%20and%20requires%20MFA%20for%20a%20code%20sent%20to%20their%20email%20to%20authenticate%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20is%20this%20something%20we%20can%20achieve%2C%20to%20force%20the%20MFA%20code%20to%20be%20sent%20to%20email%20rather%20than%20mobile%20phone%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESecond%20question%2C%20If%20the%20answer%20to%20the%20above%20question%20is%20Yes%2C%20then%20will%20this%20need%20to%20be%20done%20on%20the%20site%20level%20or%20on%20the%20tenant%20level%3F%20If%20this%20need%20to%20be%20set%20on%20each%20site%20separately%2C%20then%20can%20we%20do%20this%20using%20Power%20shell%2C%20where%20we%20can%20loop%20through%20all%20the%20sites%20inside%20the%20Power-shell%2C%20but%20how%20we%20can%20set%20this%20setting%20using%20Power%20shell%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-3215270%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAdmin%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAuthentication%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIdentity%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3215598%22%20slang%3D%22en-US%22%3ERe%3A%20Office%20365%20MFA%20using%20code%20sent%20to%20email%2C%20instead%20of%20getting%20request%20on%20Microsoft%20Authenticator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3215598%22%20slang%3D%22en-US%22%3EHello%20john%20john%2C%3CBR%20%2F%3EThe%20available%20verification%20methods%20are%20these%3CBR%20%2F%3E%3CBR%20%2F%3EAvailable%20verification%20methods%3CBR%20%2F%3EWhen%20users%20sign%20in%20to%20an%20application%20or%20service%20and%20receive%20an%20MFA%20prompt%2C%20they%20can%20choose%20from%20one%20of%20their%20registered%20forms%20of%20additional%20verification.%20Users%20can%20access%20My%20Profile%20to%20edit%20or%20add%20verification%20methods.%3CBR%20%2F%3E%3CBR%20%2F%3EThe%20following%20additional%20forms%20of%20verification%20can%20be%20used%20with%20Azure%20AD%20Multi-Factor%20Authentication%3A%3CBR%20%2F%3E%3CBR%20%2F%3EMicrosoft%20Authenticator%20app%3CBR%20%2F%3EWindows%20Hello%20for%20Business%3CBR%20%2F%3EFIDO2%20security%20key%3CBR%20%2F%3EOATH%20hardware%20token%20(preview)%3CBR%20%2F%3EOATH%20software%20token%3CBR%20%2F%3ESMS%3CBR%20%2F%3EVoice%20call%3CBR%20%2F%3E%3CBR%20%2F%3Esource%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fconcept-mfa-howitworks%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fconcept-mfa-howitworks%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EAnd%20about%20e-mail%2C%20it%20can%20be%20used%20only%20for%20password%20reset%3A%3CBR%20%2F%3E%3CBR%20%2F%3EEmail%20account%3CBR%20%2F%3EPassword%20reset%20authentication%20only.%20You'll%20need%20to%20choose%20a%20different%20method%20for%20two-factor%20verification.%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Faccount-billing%2Fset-up-an-email-address-as-your-verification-method-250b91e4-7627-4b60-b861-f2276a9c0e39%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Faccount-billing%2Fset-up-an-email-address-as-your-verification-method-250b91e4-7627-4b60-b861-f2276a9c0e39%3C%2FA%3E%3C%2FLINGO-BODY%3E
Valued Contributor

I am working on a tenant which have 400++ sites, and we need to force this permission settings for external user sharing:-

 

Set the share permissions on all sites to allow for only external users if they are invited by email and requires MFA for a code sent to their email to authenticate

 

So is this something we can achieve, to force the MFA code to be sent to email rather than mobile phone?

 

Second question, If the answer to the above question is Yes, then will this need to be done on the site level or on the tenant level? If this need to be set on each site separately, then can we do this using Power shell, where we can loop through all the sites inside the Power-shell, but how we can set this setting using Power shell?

1 Reply
best response confirmed by john john (Valued Contributor)
Solution
Hello john john,
The available verification methods are these

Available verification methods
When users sign in to an application or service and receive an MFA prompt, they can choose from one of their registered forms of additional verification. Users can access My Profile to edit or add verification methods.

The following additional forms of verification can be used with Azure AD Multi-Factor Authentication:

Microsoft Authenticator app
Windows Hello for Business
FIDO2 security key
OATH hardware token (preview)
OATH software token
SMS
Voice call

source https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks

And about e-mail, it can be used only for password reset:

Email account
Password reset authentication only. You'll need to choose a different method for two-factor verification.

https://support.microsoft.com/en-us/account-billing/set-up-an-email-address-as-your-verification-met...