May 05 2020
01:04 PM
- last edited on
Feb 01 2023
11:10 AM
by
TechCommunityAP
May 05 2020
01:04 PM
- last edited on
Feb 01 2023
11:10 AM
by
TechCommunityAP
Hi:
I setup MFA for the organization using: https://docs.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-aut...
Then I also enabled MFA for all users at Settings > Settings > Azure multi-factor authentication
Now when users try to logon, it's requiring them to use the app verification method, i.e. the drop-down only has app verification without option to change it to phone verification. I want them to be able to choose phone verification so they can get code sent to mobile phone via SMS.
Thank you!
May 05 2020 01:17 PM
Did you setup the Security Defaults which are referenced in the link you posted?
Also, when you set it up from the second option, which of the verification options in the Service settings options did you select as shown below?
May 05 2020 01:30 PM
Yes, I did setup the Security Defaults in Azure.
For the MFA service settings, I did not change, i.e. I left the defaults as shown in following screenshot:
May 05 2020 11:25 PM
Solution
OK, so Security Defaults is why this is happening. You will see from this page - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-d... - under deployment considerations, and as shown in the image below;
Security Defaults only allows notification through the mobile app.
I'm not a great fan of the security defaults as it gives you very little control over things and is not granular. I would recommend setting up MFA by using Azure AD Conditional Access policies instead. You will need an Azure AD Premium P1 subscription for all of your users to achieve this however.
May 05 2020 11:57 PM
@PeterRising @BobHerman Hello, I am fan of Identity Protection and the associated MFA registration policy as well https://docs.microsoft.com/sv-se/azure/active-directory/identity-protection/howto-identity-protectio... but then you'd need Azure AD Premium P2 license. I must say though that 'security defaults' is a great feature as it's available to everyone.
May 06 2020 12:03 AM
Agreed, I love Identity Protection too. Also agree that Security Defaults are good as a free feature. You do have to be very careful enabling them though, as they are an all or nothing thing and can have a sledgehammer effect.
May 06 2020 09:55 AM
Thank you! After disabling Security Defaults, users can now setup MFA using phone verification method (SMS to mobile phone).
It's best to enable Modern Authentication, correct, which I've done? But I thought this means if they have Outlook 2013 SP1 or later then it won't ask them for MFA every time they start Outlook. It is asking every time, as well as for Teams. I guess instructing users to create app passwords is the way to avoid this, ay? Or, I guess if I check the box in MFA Service Settings to allow them to remember on devices for X days then it won't keep asking?
The Conditional Access page in Azure wants me to subscribe to ENTERPRISE MOBILITY + SECURITY E5 or to AZURE AD PREMIUM P2, not giving me P1 as an option. Both look quite pricey since they're per user.
May 06 2020 11:35 AM
Azure AD Premium P1 is definitely an option for you. Can you find it from the Admin Center if you do a search under the billing section?
Definitely worth getting if you can justify the cost, as it enables you to bypass MFA for trusted locations. With your current licensing option, you can as you say tick the box to remember MFA on devices for a number of days. I'm not hugely keen on this as it negates the point of MFA, and is far less secure than the options in Conditional Access, but I also get that you have to work with what you have, and you need to strike a balance between security and user convenience.
Bottom line for me though - get AD Premium P1 if you can.
May 06 2020 12:04 PM
@BobHerman Just a heads up, don't know what subscription you're using now though.
May 05 2020 11:25 PM
Solution
OK, so Security Defaults is why this is happening. You will see from this page - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-d... - under deployment considerations, and as shown in the image below;
Security Defaults only allows notification through the mobile app.
I'm not a great fan of the security defaults as it gives you very little control over things and is not granular. I would recommend setting up MFA by using Azure AD Conditional Access policies instead. You will need an Azure AD Premium P1 subscription for all of your users to achieve this however.