Admin SSPR Question

Iron Contributor

Hi All


I understand that Azure AD Admin accounts "two-gate policy requires two pieces of authentication data, such as an email addressauthenticator app, or a phone number."


Can the 2 auth pieces be set as auth app and phone number only? No email address.


Info appreciated



1 Reply

@Stuart King 


I don't believe that's possible. While the admin page you reference does mention, as you say, the option to pick 2 of the 3 (I.e. Email address, authenticator app, phone number) I've never actually received the option as an admin user to use an authenticator app for SSPR. It's always been mobile phone number and email.


I did a quick test there on my test tenant and that looks to still be the case. The SSPR policy for administrators can't be modified (the one for users can), so I'm afraid if appears you're stuck with the email address requirement.