Combined MFA and password reset registration is now generally available

robynhicock I've noticed that when using this, the user still has the option to skip the registration. I'm assuming that this is also only for 2 weeks, but I'm seeing this in 2 tenants were there is MFA registration policy is not configured at the moment...

Is there any way to control this?

Because 6 digit rotating code option is more secure, we would like to default to that instead, tenant wide. That would be a nice option.

Yes push prompt is nice, but an attacker can just spam a persons account and they will just hit yes to make it go away, boom attacker has access.
And we have the same concerns as Jonas as we also have mainland China users. User needs to go to app store from manufacture, not google play.

We have many users on Android phones in China. Because of the restrictions in China, the Microsoft Authenticator can't receive App notifications on Android. They can (with some fiddling) get the Microsoft Authenticator app installed but never receives the notifications. SMS text message is too slow to receive which makes the login more or less timeout before the user can continue. This leaves app code the only usable scenario. This presents some confusion with the naming in the wizard and it would help a lot to clarify this small step.

What we want the user to understand is that once they have the Microsoft Authenticator installed and the login they are presented with the following screen:

What we don't want them to do is hit Next since this will bring them into the app notification scenario (which will fail...). But it's not super clear that the I want to user a different authenticator app is the one they should choose because this brings them into the scenario for app code (also viable for the Microsoft Authenticator, not only for different authenticator apps).

I think the naming should be I want to use app code or use a different authenticator app instead.

If someone at Microsoft or robynhicock want more details and screenshots, hit me a PM and we'll discuss.

Thank you robynhicock , I really appreciate your response on this. I have another question for you. Below is the scenario I have encountered: 

We have users that only registered SSPR with their mobile phone numbers (No MFA enrollment)

After enabling MFA & SSPR feature: their mobile phone numbers automatically fill out in their Authentication Contact Info - Phone field but they are still not enrolled for MFA with their phone numbers, admin has to go into each user Profile and manually click Enable (please see attached screenshot). I would hope that it would enroll MFA automatically without the admin interaction or a powershell script to enable all users in this case.

bt102 - Just replied to jurajt above, so that might answer your question too. Right now there isn't a way to enable the app notification in SSPR without enabling a 2nd method. But it's a known issue (for 2 gate policies) that we want to solve once more tenants are enabled for the new combined registration. We explain it a bit more in the docs: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-howitworks#mobile-app-and-sspr-preview

For 1 gate SSPR policies though these are the options:

I'll ask our engineering team why that's the case. It might be for security reasons, so that just 1 notification to the app isn't enough to pass SSPR. Users easily approve notifications without thinking through the scenario, and it could be a hacker in that flow. Hence the notification has to be combined with a 2nd gate. I'll double check though.

Stephen Crowe - Totally agree, thanks for the suggestion! Glad you are using the new My Sign-Ins feature too 

jurajt - Sorry for the delay, I was on vacation recently. Yes unfortunately to enable authenticator notifications for SSPR you need 2 methods to be configured. This is because the old SSPR flows don't support registering the authenticator app, but the new flows do. Once we get the majority of tenants opted into combined MFA/SSPR registration, we can remove that error from the SSPR setup that requires 2 methods to enable notifications. 

Also you mentioned it's not possible to configure different SSPR or MFA policies for various user groups. There's a new blade coming to give you more granular control for auth methods. It's still in Preview but you can check it out here: https://portal.azure.com/#blade/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/AdminAuthMethods

robynhicock Awesome that click "My Account" now takes you to the correct place. I confirm it's working for our production tenant.

robynhicock Hi, my question was more based if the FIDO2 is planned for step up (2nd factor authentication) like in PIM or MFA secured APPs?

I heard some it should be up in the next Preview Refresh? If so, can you tell a date when that Refresh is planned?

best regards and nice weekend

Alex

@robynhicock I have similar issues as jurajt

We currently have the following setup:

MFA: App Notification, App Code and Phone Number

SSPR: App Code and Phone Number (1 method)

When end users hit the SSPR interrupt page, they can only enroll App Code and Phone Number. They will have to enroll App Notification if they want to use App Notification.

Ideally we want end user to go to MFA interrupt page so they can enroll App Notification, App Code and Phone Number.

We use Microsoft RDS and RDS only supports App Notification.

Is there a way to set MFA interrupt page takes precedence over SSPR interrupt page? Or enable App Notification in SSPR without having to enable 2nd Method.

Thank you