you can run through this scenario .
- Split the users into security groups , group phase 1 , group phase 2 , etc
- Create an new authentication strength and select only Password + Microsoft authenticator
- Create a conditional access policy and target the apps you want and the group of phase 1 for example and in the grant option select Require authentication strength that you created
is that way you are asking the users to user Microsoft authenticator push notification or password code to validate their MFA . make sure to exclude from any other policy for MFA
Please click Mark as Best Response & Like if my post helped you to solve your issue. This will help others to find the correct solution easily.
Hi @eliekarkafy, i'm a colleague of @StephanGee,
I tried what you provided and it seems to work for existing SMS user(in scope),
but if you create a CA for a specific app with "Password + MS Authenticator (Push Notification) for all users (including users that already use MFA with MS App)
existing MFA App users gets the following error:
it should be this: A user is asked to sign in with another method, but they don't see a method they expect
it would be a pain to manually track SMS users and add them to a group /remove them if initial MFA App registration is done.
If this is correct, sadly "Authentication strength" isn't a solution for our scenario.
Hopefully I'm wrong. ;)
Do you have any tipps regarding this?
Thanks a lot.
Regards Patrick
Try to use the below default combination that include all the MFA options. Well, the transition phase will take time and we cant avoid some manual work I know but we have to deal with it.
please let me know if its work
sadly not, because the built-in "Multifactor authentication" includes SMS:
so everything works like before.
@PatrickEl Well, I think for the time being you have to use the method I suggested before. but there is a way to identify the users with SMS by navigating to usage and insights in Azure Active Directory where you can filter and download the list.
