Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Setting Microsoft Authenticator as default

Brass Contributor

Hello,

We support multiple MFA methods Authenticator app, text, call.

 

Is there a way to set Microsoft Authenticator as the default MFA Method and do not allow users to "delete/remove" it?

7 Replies

@ChristianBergstrom 
Thank you for your response.  I do know how to enable MFA methods. 

We are trying to see if we can "Force Authenticator as a method that cannot be removed." 

When you have multiple options available like authenticator/text/phone call the user can "delete/remove" authenticator and use only text/phone.  
We want to ensure that Authenticator is Always the primary and couple of other options as secondary.

I do not see any documentation to be able to do this.

Well, if you remove the other options under MFA service settings.

From the Preview link.
”Azure AD lets you choose which authentication methods can be used during the sign-in process. Users then register for the methods they'd like to use.”

You can always select the ”Use a password instead” link on the sign-in page to switch back to using your password, and the other way around.

https://docs.microsoft.com/en-us/azure/active-directory/user-help/user-help-auth-app-sign-in

Just adding to this...we allow Autneticator app and SMS (for users without smartphones...yes there are some still). The issue is however when you go through the set up the primary method is SMS and you have to click the dropdown to change to authenticator. We would like to switch it so Authenticator is the primary method and if required the user can click the dropdown to change to SMS.

Is this possible?

@Mondas  Perhaps this will help you in solving or in finding a solution to your problem! https://techcommunity.microsoft.com/t5/microsoft-365-developer-platform/please-add-api-for-set-or-ch... 

@Mondas 

 

exact same problem... despite I advertised in red, in mail, in videos remained twice by mail to select that "mobile application" choice...

every one in the first 50s people we deployed have gone through the mobile phone choice (SMS) and not "mobile application".

As far as they don't consider them selves as engineer, people usally don't make the intellectual effort of understanding the difference, they see "mobile" in the text, that's it !

 

We have set a policy to only allow authentication through the app... but still that **bleep** "mobile phone" text appears in first in the list...

 

Don't know what will happened at the end of the 14 days grace period for them. Or i guess my telephone will be ringing a lot  !

 

The only way round this was to introduce SSPR. If you have SSPR set up when the user is asked for further information the Authenticator App is asked for first, then the mobile phone for verification for SSPR.

As we think SSPR is a good thing the solution works very well and the instructions and screens from MS are much better than just normal MFA screens too. Much more seamless experience.