How to stop EntraID from asking users to add the Microsoft Authenticator App

Tom McKenna 0 Reputation points
2025-01-03T18:38:01.3666667+00:00

I have a conditional access policy set up with an authentication strength that has:

Password + Microsoft Authenticator (Push Notification)

OR

Password + SMS

It still insists on users who have SMS set up to set up the Microsoft Authenticator. I have to allow some users to use SMS because they don't have smart phones.

How can I get it to stop trying to upsell them on the Microsoft Authenticator and just be happy with SMS?


2 answers

  1. Akpesiri Ogbebor 620 Reputation points
    2025-01-03T20:22:53.69+00:00

    Hello @Paul Lethin,

    Thanks for reaching out to Microsoft Q&A. 

    To prevent users who are configured to use SMS from being prompted to set up the Microsoft Authenticator app, you can adjust your Conditional Access policy and Authentication Strength settings. Here's a step-by-step guide:

    1. Review Authentication Strength Configuration
    • Ensure your Authentication Strength explicitly allows both:
      • Password + SMS
      • Password + Microsoft Authenticator (Push Notification)
    • Navigate to Azure AD > Security > Authentication Methods > Authentication Strength.
    • Verify that the selected strength includes SMS as a valid option without prioritizing other methods.
    2. Split Conditional Access Policies by User Groups

    Conditional Access policies can target specific groups. To avoid prompting SMS-only users for the Microsoft Authenticator app:

    • Create a separate group for users who are limited to SMS (e.g., SMS_Only_Users).
    • Duplicate the Conditional Access policy and modify it to:
      • Apply only to the SMS_Only_Users group.
      • Use an Authentication Strength that includes Password + SMS without Password + Microsoft Authenticator.
    3. Ensure Method Availability in Authentication Methods Policy
    • Navigate to Azure AD > Security > Authentication Methods.
    • Confirm that Microsoft Authenticator is not required for the SMS_Only_Users group.
    • Set up authentication methods policies to ensure SMS is available and no conflicting configurations are forcing additional methods for these users.
    4. Check Exclusions in the Conditional Access Policy

    In the original Conditional Access policy, you can:

    • Add an exclusion for the SMS_Only_Users group to avoid prompting them for Microsoft Authenticator.
    5. Test the Configuration
    • Use a test user account that is part of the SMS_Only_Users group.
    • Ensure they can log in with Password + SMS without being prompted for Microsoft Authenticator.

    Please reach out to me if you need further assistance.

    Siri


  2. Janaki Kota 0 Reputation points Microsoft Vendor
    2025-01-03T22:52:54.0833333+00:00

    Hello @Tom McKenna,

    Thank you for reaching out to Microsoft Q&A.

    We understand that you have configured a Conditional Access policy with authentication strengths that include:

    • Password + Microsoft Authenticator (Push Notification)
      OR
    • Password + SMS

    This setup should allow some users to authenticate via SMS, while others can use Microsoft Authenticator, but it seems that the policy is not functioning as expected.

    To investigate, we replicated the same policy with a similar configuration and observed that it worked correctly. Below are the steps and setup we used to achieve the desired behavior:

    1. We created a Conditional Access policy that included authentication strengths with a user assigned to Microsoft Authenticator and a separate group assigned to SMS.
    2. We then excluded the SMS user group from Microsoft Authenticator under the security settings: Azure AD > Security > Authentication Methods > Microsoft Authenticator.
    3. Since the respective authentication methods were already configured for the users, they were prompted to complete the MFA as specified in the policy.

    Please ensure that you exclude the SMS user group as described above and verify that Microsoft Authenticator is enabled for all users. With these adjustments, the policy should function as expected.

    Hope this helps. Do let us know if you have any further queries.

    Best Regards

    Janaki Kota


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
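The configuration that both answers walk through (a separate group, a Conditional Access policy bound to an authentication strength with the two combinations from the question, and an exclusion of that group from the Microsoft Authenticator method) can be scripted with the Microsoft Graph PowerShell SDK. This is an added example, not code from either answer or from Microsoft; it assumes a group named `SMS_Only_Users` already exists and that you hold the Conditional Access and Authentication Methods administrator roles.

```powershell
# Added example, not from either answer. Assumes the group "SMS_Only_Users" exists.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.ReadWrite.AuthenticationMethod",
                        "Policy.Read.All", "Group.Read.All"

$group = Get-MgGroup -Filter "displayName eq 'SMS_Only_Users'"
if (-not $group) { throw "Group SMS_Only_Users not found; create it first." }

# 1. Authentication strength that accepts exactly the two combinations from the question.
$strength = New-MgPolicyAuthenticationStrengthPolicy `
    -DisplayName "Password + Authenticator push OR Password + SMS" `
    -AllowedCombinations @("password,microsoftAuthenticatorPush", "password,sms")

# 2. Conditional Access policy for the SMS-only group that grants with that strength.
#    Created in report-only mode so the outcome can be checked in sign-in logs before enforcing.
$caPolicy = @{
    displayName = "MFA - SMS_Only_Users (authentication strength)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeGroups = @($group.Id) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $strength.Id }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy | Out-Null

# 3. Exclude the group from the Microsoft Authenticator method in the Authentication Methods
#    policy (the step both answers recommend), keeping any exclusions already configured.
$cfg = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "microsoftAuthenticator"
$exclude = @($cfg.ExcludeTargets | ForEach-Object { @{ id = $_.Id; targetType = $_.TargetType } })
if ($exclude.id -notcontains $group.Id) {
    $exclude += @{ id = $group.Id; targetType = "group" }
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "microsoftAuthenticator" `
    -BodyParameter @{
        "@odata.type"  = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration"
        excludeTargets = $exclude
    }

# 4. Read the configuration back so the exclusion can be confirmed before testing a sign-in.
(Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "microsoftAuthenticator").ExcludeTargets |
    Select-Object Id, TargetType
```

After the report-only policy shows the expected result for a test user in the group, switch its state to `enabled`.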

