Regions requiring opt-in for SMS verification (preview)

Applies to: White circle with a gray X symbol. Workforce tenants Green circle with a white check mark symbol. External tenants (learn more)

To safeguard against telephony fraud, Microsoft disallows traffic from certain phone number country codes. Doing so helps prevent unauthorized access and protect customers from fraudulent activities such as International Revenue Share Fraud (IRSF). With IRSF, criminals gain unauthorized access to a network and divert traffic to premium rate numbers, resulting in exorbitant charges and making it harder for your customers to access your services. Learn more.

When a country code is blocked, customers trying to set up SMS verification for multifactor authentication (MFA) for your application might encounter the message "Try another verification method." To resolve this issue, you can activate telephony traffic for the specific country code for your application.

You can use the Microsoft Graph API onPhoneMethodLoadStart event policy to manage telephony traffic for apps in your external tenant. With this event policy, you can activate or deactivate country codes for specific countries and regions.

Important

This feature is currently in preview. See the Universal License Terms for Online Services for legal terms that apply to Azure features and services that are in beta, preview, or otherwise not generally available.

Country codes requiring opt-in

Starting January 2025, the following country codes will be deactivated by default for SMS verification. If you want to allow traffic from deactivated regions, you need to activate them using the onPhoneMethodLoadStartevent policy.

Table 1. SMS verification country codes requiring opt-in

Country code Region Name
93 Afghanistan
213 Algeria
244 Angola
374 Armenia
994 Azerbaijan
880 Bangladesh
375 Belarus
501 Belize
229 Benin
975 Bhutan
591 Bolivia
387 Bosnia and Herzegovina
359 Bulgaria
226 Burkina Faso
257 Burundi
855 Cambodia
237 Cameroon
238 Cape Verde
235 Central African Republic
269 Comoros
243 Congo (Democratic Republic of the)
242 Congo (Republic of the)
225 Côte d'Ivoire
385 Croatia
53 Cuba
253 Djibouti
593 Ecuador
20 Egypt
503 El Salvador
291 Eritrea
251 Ethiopia
679 Fiji
689 French Polynesia
241 Gabon
220 Gambia
995 Georgia
233 Ghana
590 Guadeloupe
502 Guatemala
224 Guinea
245 Guinea-Bissau
592 Guyana
509 Haiti
62 Indonesia
98 Iran
964 Iraq
1876 Jamaica
962 Jordan
254 Kenya
686 Kiribati
383 Kosovo
965 Kuwait
996 Kyrgyzstan
961 Lebanon
266 Lesotho
231 Liberia
218 Libya
261 Madagascar
265 Malawi
223 Mali
222 Mauritania
230 Mauritius
262 Mayotte
691 Micronesia
373 Moldova
976 Mongolia
212 Morocco
258 Mozambique
95 Myanmar
977 Nepal
687 New Caledonia
505 Nicaragua
227 Niger
234 Nigeria
968 Oman
92 Pakistan
970 Palestinian Authority
675 Papua New Guinea
63 Philippines
974 Qatar
7 Russia, Kazakhstan
250 Rwanda
290 Saint Helena
508 Saint Pierre and Miquelon
1784 Saint Vincent and the Grenadines
685 Samoa
377 San Marino
966 Saudi Arabia
221 Senegal
232 Sierra Leone
1721 Sint Maarten
386 Slovenia
252 Somalia
211 South Sudan
94 Sri Lanka
249 Sudan
963 Syria
992 Tajikistan
255 Tanzania
670 Timor-Leste
672 Timor-Leste
228 Togo
690 Tonga
216 Tunisia
993 Turkmenistan
256 Uganda
380 Ukraine
971 United Arab Emirates
998 Uzbekistan
678 Vanuatu
84 Vietnam
967 Yemen
260 Zambia
263 Zimbabwe

Manage telecom for regions with Microsoft Graph

Use the OnPhoneMethodLoadStartExternalUsersAuthHandler event policy to activate or deactivate country codes.

Table 2. Properties of OnPhoneMethodLoadStartExternalUsersAuthHandler

Property Description
DefaultRegions A string of comma-separated country codes where telephony service is enabled by default. Read-only.
IncludeAdditionalRegions A string of comma-separated country codes to enable for telephony service in addition to default country codes. Codes are validated against current International Subscriber Dialing (ISD) country codes, where max length is 4. The same code can't be specified in both IncludeAdditionalRegions and in ExcludeRegions.
ExcludeRegions A string of comma-separated country codes to disable for telephony service. Codes are validated against current ISD country codes, where max length is 4. The same code can't be specified in both IncludeAdditionalRegions and in ExcludeRegions.

How to activate telecom for regions

To enable telephony traffic from currently deactivated country codes, use the Microsoft Graph API to set the includeAdditionalRegions property in the onPhoneMethodLoadStart event policy for one or more applications. Include the relevant country codes in the includeAdditionalRegions property of the API request body for the regions you want to activate. For example, to send SMS requests in South Asia, activate the numeric country codes for the five countries within that region.

Example REST APIs

POST https://graph.microsoft.com/v1.0/identity/authenticationEventListeners  
{  
    "@odata.type": "#microsoft.graph.onPhoneMethodLoadStartListener",  
    "conditions": {  
        "applications": {  
            "includeApplications": [  
                "3dfff01b-0afb-4a07-967f-d1ccbd81102a"  
            ]  
        }  
    },  
    "priority": 500,  
    "handler": {  
        "@odata.type": "#microsoft.graph.onPhoneMethodLoadStartExternalUsersAuthHandler", 
        /* An Admin can state the country codes they would like to opt in or opt out from. */ 
        { 
                "includeAdditionalRegions": [222, 998], 
                 "excludeRegions": [] 
      } 
} 

HTTP/1.1 201 Created 
{ 
    "@odata.context": "https://microsoft.graph.microsoft.com/v1.0/$metadata#identity/authenticationEventListeners/$entity", 
    "@odata.type": "#microsoft.graph.onPhoneMethodLoadStartListener", 
    "id": "2be3336b-e3b4-44f3-9128-b6fd9ad39bb8", 
    "conditions": {  
        "applications": { 
            "includeApplications": [  
                "3dfff01b-0afb-4a07-967f-d1ccbd81102a"  
            ] 
        }   
    },   
    "handler": 
    {   
        "@odata.type": "#microsoft.graph.onPhoneMethodLoadStartExternalUsersAuthHandler ",  
        { 
            "includeAdditionalRegions": [222, 998], 
            "excludeRegions": [] 
        }, 
    } 
} 

How to deactivate telecom for regions

If you want to disable fraudulent requests coming from a region, you can deactivate the country codes using the excludeRegions property in the onPhoneMethodLoadStart policy.

For example, if an External ID application detects a high volume of nonverification SMS messages from a specific country code, you can deactivate telecom in that region. To do so, place the country code in the excludeRegions list.

Example REST APIs

POST https://graph.microsoft.com/v1.0/identity/authenticationEventListeners  
{  
    "@odata.type": "#microsoft.graph.onPhoneMethodLoadStartListener",  
    "conditions": {  
        "applications": {  
            "includeApplications": [  
                "3dfff01b-0afb-4a07-967f-d1ccbd81102a"  
            ]  
        }  
    },  
    "priority": 500,  
    "handler": {  
        "@odata.type": "#microsoft.graph.onPhoneMethodLoadStartExternalUsersAuthHandler", 
        /* An Admin can state the country codes they would like to opt in or opt out from. */ 
        { 
                "includeAdditionalRegions": [222, 998], 
                 "excludeRegions": [1001, 99, 777] 
      } 
} 

HTTP/1.1 201 Created 
{ 
    "@odata.context": "https://microsoft.graph.microsoft.com/v1.0/$metadata#identity/authenticationEventListeners/$entity", 
    "@odata.type": "#microsoft.graph.onPhoneMethodLoadStartListener", 
    "id": "2be3336b-e3b4-44f3-9128-b6fd9ad39bb8", 
    "conditions": {  
        "applications": { 
            "includeApplications": [  
                "3dfff01b-0afb-4a07-967f-d1ccbd81102a"  
            ] 
        }   
    },   
    "handler": 
    {   
        "@odata.type": "#microsoft.graph.onPhoneMethodLoadStartExternalUsersAuthHandler ",  
        { 
            "includeAdditionalRegions": [222, 998], 
            "excludeRegions": [] 
        }, 
    } 
}  

Next steps