Phase out text message / SMS for MFA (no hard break)


Hi everyone,


Is it possible to phase out SMS in rings? We still have too many users using text message as their first auth method.

We are "nudging" and we are sending campaigns on "how to change", but we want to get the last ones to change.

Is there any way to just restrict the usage of SMS in rings - so the first ring is 500 employees, the next one 1000, etc. - instead of just switching it off? We would expect a high number of service desk calls if we just switch it off.


Best regards



10 Replies
Which MFA are you currently using: MFA through a conditional access policy or per-user MFA?
We are using conditional access
best response confirmed by StephanGee (Regular Contributor)


You can run through this scenario.

  1. Split the users into security groups: group phase 1, group phase 2, etc.
  2. Create a new authentication strength and select only Password + Microsoft Authenticator.
  3. Create a conditional access policy, target the apps you want and, for example, the group of phase 1, and in the grant option select Require authentication strength with the strength that you created.

In that way you are asking the users to use Microsoft Authenticator push notification or password code to validate their MFA. Make sure to exclude them from any other policy for MFA.



Please click Mark as Best Response & Like if my post helped you to solve your issue. This will help others to find the correct solution easily.

Thank you. I have read about the new feature on Twitter but had no time to look into it. Exactly what we are looking for! Thanks for pointing that out.
I am glad that this will help you with your MFA migration. Keep me posted for any further assistance.

Hi @eliekarkafy, I'm a colleague of @StephanGee,

I tried what you provided and it seems to work for existing SMS users (in scope),

but if you create a CA for a specific app with "Password + MS Authenticator (Push Notification)" for all users (including users that already use MFA with the MS App),

existing MFA App users get the following error:



It should be this: A user is asked to sign in with another method, but they don't see a method they expect

It would be a pain to manually track SMS users and add them to a group / remove them once the initial MFA App registration is done.


If this is correct, sadly "Authentication strength" isn't a solution for our scenario.

Hopefully I'm wrong. ;)

Do you have any tips regarding this?

Thanks a lot.

Regards Patrick


Try to use the below default combination that includes all the MFA options. Well, the transition phase will take time and we can't avoid some manual work, I know, but we have to deal with it.

Please let me know if it works.


Sadly not, because the built-in "Multifactor authentication" includes SMS:


so everything works like before.


@PatrickEl Well, I think for the time being you have to use the method I suggested before. But there is a way to identify the users with SMS by navigating to Usage and insights in Azure Active Directory, where you can filter and download the list.
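Added example, not part of the original thread or any poster's code: a Python sketch that turns a downloaded list of SMS users into rings and builds the Microsoft Graph request bodies for the authentication strength and the per-ring conditional access policy from the three steps above. The sample users, ring sizes, group/app/strength IDs and the report-only starting state are assumptions; field names follow the Graph `userRegistrationDetails` and `conditionalAccessPolicy` resources.

```python
# Added example. Users, IDs and ring sizes are constructed; "mobilePhone" is
# assumed to be the methodsRegistered value that marks an SMS-capable user.
SAMPLE_USERS = [
    {"userPrincipalName": "anna@contoso.example", "methodsRegistered": ["mobilePhone"]},
    {"userPrincipalName": "ben@contoso.example", "methodsRegistered": ["mobilePhone", "microsoftAuthenticatorPush"]},
    {"userPrincipalName": "cara@contoso.example", "methodsRegistered": ["microsoftAuthenticatorPush"]},
    {"userPrincipalName": "dev@contoso.example", "methodsRegistered": ["mobilePhone"]},
    {"userPrincipalName": "eli@contoso.example", "methodsRegistered": ["mobilePhone", "microsoftAuthenticatorPush"]},
]

def sms_users(records):
    """UPNs that still have a phone (SMS) method, Authenticator-ready users first."""
    hits = [r for r in records if "mobilePhone" in r["methodsRegistered"]]
    hits.sort(key=lambda r: ("microsoftAuthenticatorPush" not in r["methodsRegistered"],
                             r["userPrincipalName"]))
    return [r["userPrincipalName"] for r in hits]

def assign_rings(upns, ring_sizes):
    """Cut the ordered list into rings of the given sizes; leftovers form a final ring."""
    rings, start = [], 0
    for size in ring_sizes:
        if start < len(upns):
            rings.append(upns[start:start + size])
        start += size
    if start < len(upns):
        rings.append(upns[start:])
    return rings

def authentication_strength_body():
    """Body for POST /identity/conditionalAccess/authenticationStrength/policies."""
    return {"displayName": "Password + Microsoft Authenticator",
            "allowedCombinations": ["password,microsoftAuthenticatorPush"]}

def ring_policy_body(ring_no, group_id, strength_id, app_ids,
                     state="enabledForReportingButNotEnforced"):
    """Body for POST /identity/conditionalAccess/policies, scoped to one ring's group."""
    return {
        "displayName": f"Phase {ring_no}: require Password + Microsoft Authenticator",
        "state": state,  # assumption: start report-only, set "enabled" ring by ring
        "conditions": {"clientAppTypes": ["all"],
                       "users": {"includeGroups": [group_id]},
                       "applications": {"includeApplications": app_ids}},
        "grantControls": {"operator": "AND",
                          "authenticationStrength": {"id": strength_id}},
    }

if __name__ == "__main__":
    for n, ring in enumerate(assign_rings(sms_users(SAMPLE_USERS), [2, 1]), start=1):
        print(n, ring, ring_policy_body(n, f"<ring-{n}-group-id>", "<strength-id>", ["<app-id>"]))
```

Putting users who already have Authenticator registered into the earliest rings is a design choice of this sketch, made so that the first enforced rings generate the fewest service desk calls.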





Have you tried excluding some users from the SMS Authentication Method Policy?