SOLVED

Why is MFA requiring App Authentication & Not Allowing User to Select Phone Verification Method

%3CLINGO-SUB%20id%3D%22lingo-sub-1361387%22%20slang%3D%22en-US%22%3EWhy%20is%20MFA%20requiring%20App%20Authentication%20%26amp%3B%20Not%20Allowing%20User%20to%20Select%20Phone%20Verification%20Method%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1361387%22%20slang%3D%22en-US%22%3E%3CP%3EHi%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20setup%20MFA%20for%20the%20organization%20using%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fadmin%2Fsecurity-and-compliance%2Fset-up-multi-factor-authentication%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fadmin%2Fsecurity-and-compliance%2Fset-up-multi-factor-authentication%3Fview%3Do365-worldwide%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThen%20I%20also%20enabled%20MFA%20for%20all%20users%20at%20Settings%20%26gt%3B%20Settings%20%26gt%3B%20%3CSPAN%3EAzure%E2%80%8E%20multi-factor%20authentication%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENow%20when%20users%20try%20to%20logon%2C%20it's%20requiring%20them%20to%20use%20the%20app%20verification%20method%2C%20i.e.%20the%20drop-down%20only%20has%20app%20verification%20without%20option%20to%20change%20it%20to%20phone%20verification.%26nbsp%3B%20I%20want%20them%20to%20be%20able%20to%20choose%20phone%20verification%20so%20they%20can%20get%20code%20sent%20to%20mobile%20phone%20via%20SMS.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1361387%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EMFA%20Azure%20and%20Office%20Admin%20Portal%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMulti%20Factor%20Authentication%20Options%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1361446%22%20slang%3D%22en-US%22%3ERe%3A%20Why%20is%20MFA%20requiring%20App%20Authentication%20%26amp%3B%20Not%20Allowing%20User%20to%20Select%20Phone%20Verification%20Met%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1361446%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F656821%22%20target%3D%22_blank%22%3E%40BobHerman%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDid%20you%20setup%20the%20Security%20Defaults%20which%20are%20referenced%20in%20the%20link%20you%20posted%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAlso%2C%20when%20you%20set%20it%20up%20from%20the%20second%20option%2C%20which%20of%20the%20verification%20options%20in%20the%20Service%20settings%20options%20did%20you%20select%20as%20shown%20below%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Screenshot%202020-05-05%20at%2021.12.38.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F189244iED71AA40644F9D12%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Screenshot%202020-05-05%20at%2021.12.38.png%22%20alt%3D%22Screenshot%202020-05-05%20at%2021.12.38.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1361479%22%20slang%3D%22en-US%22%3ERe%3A%20Why%20is%20MFA%20requiring%20App%20Authentication%20%26amp%3B%20Not%20Allowing%20User%20to%20Select%20Phone%20Verification%20Met%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1361479%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F616707%22%20target%3D%22_blank%22%3E%40PeterRising%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYes%2C%20I%20did%20%3CSPAN%3Esetup%20the%20Security%20Defaults%20in%20Azure.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EFor%20the%20MFA%20service%20settings%2C%20I%20did%20not%20change%2C%20i.e.%20I%20left%20the%20defaults%20as%20shown%20in%20following%20screenshot%3A%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22MFA%20Service%20Settings.jpg%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F189246i088A5BF5F273CAC2%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22MFA%20Service%20Settings.jpg%22%20alt%3D%22MFA%20Service%20Settings.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%E2%80%83%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1362338%22%20slang%3D%22en-US%22%3ERe%3A%20Why%20is%20MFA%20requiring%20App%20Authentication%20%26amp%3B%20Not%20Allowing%20User%20to%20Select%20Phone%20Verification%20Met%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1362338%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F656821%22%20target%3D%22_blank%22%3E%40BobHerman%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOK%2C%20so%20Security%20Defaults%20is%20why%20this%20is%20happening.%20%26nbsp%3BYou%20will%20see%20from%20this%20page%20-%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Ffundamentals%2Fconcept-fundamentals-security-defaults%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Ffundamentals%2Fconcept-fundamentals-security-defaults%3C%2FA%3E%26nbsp%3B-%20under%20deployment%20considerations%2C%20and%20as%20shown%20in%20the%20image%20below%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Screenshot%202020-05-06%20at%2007.20.07.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F189405i8E6F46BAD448BA03%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Screenshot%202020-05-06%20at%2007.20.07.png%22%20alt%3D%22Screenshot%202020-05-06%20at%2007.20.07.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESecurity%20Defaults%20only%20allows%20notification%20through%20the%20mobile%20app.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20not%20a%20great%20fan%20of%20the%20security%20defaults%20as%20it%20gives%20you%20very%20little%20control%20over%20things%20and%20is%20not%20granular.%20%26nbsp%3BI%20would%20recommend%20setting%20up%20MFA%20by%20using%20Azure%20AD%20Conditional%20Access%20policies%20instead.%20%26nbsp%3BYou%20will%20need%20an%20Azure%20AD%20Premium%20P1%20subscription%20for%20all%20of%20your%20users%20to%20achieve%20this%20however.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1362414%22%20slang%3D%22en-US%22%3ERe%3A%20Why%20is%20MFA%20requiring%20App%20Authentication%20%26amp%3B%20Not%20Allowing%20User%20to%20Select%20Phone%20Verification%20Met%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1362414%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F616707%22%20target%3D%22_blank%22%3E%40PeterRising%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F656821%22%20target%3D%22_blank%22%3E%40BobHerman%3C%2FA%3E%26nbsp%3BHello%2C%20I%20am%20fan%20of%20Identity%20Protection%20and%20the%20associated%20MFA%20registration%20policy%20as%20well%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fsv-se%2Fazure%2Factive-directory%2Fidentity-protection%2Fhowto-identity-protection-configure-mfa-policy%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fsv-se%2Fazure%2Factive-directory%2Fidentity-protection%2Fhowto-identity-protection-configure-mfa-policy%3C%2FA%3E%26nbsp%3Bbut%20then%20you'd%20need%20%3CSPAN%3EAzure%20AD%20Premium%20P2%20license.%20I%20must%20say%20though%20that%20'security%20defaults'%20is%20a%20great%20feature%20as%20it's%20available%20to%20everyone.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1362427%22%20slang%3D%22en-US%22%3ERe%3A%20Why%20is%20MFA%20requiring%20App%20Authentication%20%26amp%3B%20Not%20Allowing%20User%20to%20Select%20Phone%20Verification%20Met%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1362427%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F551905%22%20target%3D%22_blank%22%3E%40bec064%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAgreed%2C%20I%20love%20Identity%20Protection%20too.%20%26nbsp%3BAlso%20agree%20that%20Security%20Defaults%20are%20good%20as%20a%20free%20feature.%20%26nbsp%3BYou%20do%20have%20to%20be%20very%20careful%20enabling%20them%20though%2C%20as%20they%20are%20an%20all%20or%20nothing%20thing%20and%20can%20have%20a%20sledgehammer%20effect.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1364516%22%20slang%3D%22en-US%22%3ERe%3A%20Why%20is%20MFA%20requiring%20App%20Authentication%20%26amp%3B%20Not%20Allowing%20User%20to%20Select%20Phone%20Verification%20Met%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1364516%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F616707%22%20target%3D%22_blank%22%3E%40PeterRising%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you!%26nbsp%3B%20After%20disabling%20Security%20Defaults%2C%20users%20can%20now%20setup%20MFA%20using%20phone%20verification%20method%20(SMS%20to%20mobile%20phone).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt's%20best%20to%20enable%20Modern%20Authentication%2C%20correct%2C%20which%20I've%20done%3F%26nbsp%3B%20But%20I%20thought%20this%20means%20if%20they%20have%20Outlook%202013%20SP1%20or%20later%20then%20it%20won't%20ask%20them%20for%20MFA%20every%20time%20they%20start%20Outlook.%26nbsp%3B%20It%20is%20asking%20every%20time%2C%20as%20well%20as%20for%20Teams.%26nbsp%3B%20I%20guess%20instructing%20users%20to%20create%20app%20passwords%20is%20the%20way%20to%20avoid%20this%2C%20ay%3F%26nbsp%3B%20Or%2C%20I%20guess%20if%20I%20check%20the%20box%20in%20MFA%20Service%20Settings%20to%20allow%20them%20to%20remember%20on%20devices%20for%20X%20days%20then%20it%20won't%20keep%20asking%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20Conditional%20Access%20page%20in%20Azure%20wants%20me%20to%20subscribe%20to%26nbsp%3B%3CSPAN%3EENTERPRISE%20MOBILITY%20%2B%20SECURITY%20E5%20or%20to%26nbsp%3BAZURE%20AD%20PREMIUM%20P2%2C%20not%20giving%20me%20P1%20as%20an%20option.%26nbsp%3B%20Both%20look%20quite%20pricey%20since%20they're%20per%20user.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1364849%22%20slang%3D%22en-US%22%3ERe%3A%20Why%20is%20MFA%20requiring%20App%20Authentication%20%26amp%3B%20Not%20Allowing%20User%20to%20Select%20Phone%20Verification%20Met%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1364849%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F656821%22%20target%3D%22_blank%22%3E%40BobHerman%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAzure%20AD%20Premium%20P1%20is%20definitely%20an%20option%20for%20you.%20%26nbsp%3BCan%20you%20find%20it%20from%20the%20Admin%20Center%20if%20you%20do%20a%20search%20under%20the%20billing%20section%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDefinitely%20worth%20getting%20if%20you%20can%20justify%20the%20cost%2C%20as%20it%20enables%20you%20to%20bypass%20MFA%20for%20trusted%20locations.%20%26nbsp%3BWith%20your%20current%20licensing%20option%2C%20you%20can%20as%20you%20say%20tick%20the%20box%20to%20remember%20MFA%20on%20devices%20for%20a%20%26nbsp%3Bnumber%20of%20days.%20%26nbsp%3BI'm%20not%20hugely%20keen%20on%20this%20as%20it%20negates%20the%20point%20of%20MFA%2C%20and%20is%20far%20less%20secure%20than%20the%20options%20in%20Conditional%20Access%2C%20but%20I%20also%20get%20that%20you%20have%20to%20work%20with%20what%20you%20have%2C%20and%20you%20need%20to%20strike%20a%20balance%20between%20security%20and%20user%20convenience.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBottom%20line%20for%20me%20though%20-%20get%20AD%20Premium%20P1%20if%20you%20can.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

Hi:

 

I setup MFA for the organization using: https://docs.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-aut...

 

Then I also enabled MFA for all users at Settings > Settings > Azure‎ multi-factor authentication

 

Now when users try to logon, it's requiring them to use the app verification method, i.e. the drop-down only has app verification without option to change it to phone verification.  I want them to be able to choose phone verification so they can get code sent to mobile phone via SMS.

 

Thank you!

8 Replies
Highlighted

@BobHerman 

 

Did you setup the Security Defaults which are referenced in the link you posted?

 

Also, when you set it up from the second option, which of the verification options in the Service settings options did you select as shown below?

 

Screenshot 2020-05-05 at 21.12.38.png

Highlighted

@PeterRising 

 

Yes, I did setup the Security Defaults in Azure.

 

For the MFA service settings, I did not change, i.e. I left the defaults as shown in following screenshot:

 

MFA Service Settings.jpg

 

Highlighted
Solution

@BobHerman 

 

OK, so Security Defaults is why this is happening.  You will see from this page - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-d... - under deployment considerations, and as shown in the image below;

 

Screenshot 2020-05-06 at 07.20.07.png

 

Security Defaults only allows notification through the mobile app.

 

I'm not a great fan of the security defaults as it gives you very little control over things and is not granular.  I would recommend setting up MFA by using Azure AD Conditional Access policies instead.  You will need an Azure AD Premium P1 subscription for all of your users to achieve this however.

Highlighted

@PeterRising @BobHerman Hello, I am fan of Identity Protection and the associated MFA registration policy as well https://docs.microsoft.com/sv-se/azure/active-directory/identity-protection/howto-identity-protectio... but then you'd need Azure AD Premium P2 license. I must say though that 'security defaults' is a great feature as it's available to everyone.

Highlighted

@bec064 

 

Agreed, I love Identity Protection too.  Also agree that Security Defaults are good as a free feature.  You do have to be very careful enabling them though, as they are an all or nothing thing and can have a sledgehammer effect.

Highlighted

@PeterRising 

 

Thank you!  After disabling Security Defaults, users can now setup MFA using phone verification method (SMS to mobile phone).

 

It's best to enable Modern Authentication, correct, which I've done?  But I thought this means if they have Outlook 2013 SP1 or later then it won't ask them for MFA every time they start Outlook.  It is asking every time, as well as for Teams.  I guess instructing users to create app passwords is the way to avoid this, ay?  Or, I guess if I check the box in MFA Service Settings to allow them to remember on devices for X days then it won't keep asking?

 

The Conditional Access page in Azure wants me to subscribe to ENTERPRISE MOBILITY + SECURITY E5 or to AZURE AD PREMIUM P2, not giving me P1 as an option.  Both look quite pricey since they're per user.

Highlighted

@BobHerman 

 

Azure AD Premium P1 is definitely an option for you.  Can you find it from the Admin Center if you do a search under the billing section?

 

Definitely worth getting if you can justify the cost, as it enables you to bypass MFA for trusted locations.  With your current licensing option, you can as you say tick the box to remember MFA on devices for a  number of days.  I'm not hugely keen on this as it negates the point of MFA, and is far less secure than the options in Conditional Access, but I also get that you have to work with what you have, and you need to strike a balance between security and user convenience.

 

Bottom line for me though - get AD Premium P1 if you can.

Highlighted