Forum Discussion
StephanGee
Mar 24, 2023, Steel Contributor
Phase out text message / SMS for MFA (no hard break)
Hi everyone, is it possible to phase out SMS in rings? We still have too many users using text message as their first auth method. We are "nudging" and we are sending campaigns "how to change", ...
StephanGee
Mar 24, 2023, Steel Contributor
We are using conditional access
eliekarkafy
Mar 24, 2023, MVP
You can run through this scenario.
- Split the users into security groups: group phase 1, group phase 2, etc.
- Create a new authentication strength and select only Password + Microsoft Authenticator
- Create a conditional access policy and target the apps you want and the group of phase 1, for example, and in the grant option select Require authentication strength, choosing the one that you created
In that way you are asking the users to use Microsoft Authenticator push notification or password code to validate their MFA. Make sure to exclude from any other policy for MFA.
Please click Mark as Best Response & Like if my post helped you to solve your issue. This will help others to find the correct solution easily.
- StephanGee, Mar 24, 2023, Steel Contributor: Thank you. I have read about the new feature on Twitter but had no time to look into it. Exactly what we are looking for! Thanks for pointing that out.
- eliekarkafy, Mar 24, 2023, MVP: I am glad that this will help you with your MFA migration. Keep me posted for any further assistance.
- PatrickEl, Mar 28, 2023, Copper Contributor
Hi eliekarkafy, I'm a colleague of StephanGee,
I tried what you provided and it seems to work for existing SMS users (in scope),
but if you create a CA for a specific app with "Password + MS Authenticator (Push Notification)" for all users (including users that already use MFA with MS App),
existing MFA App users get the following error:
It should be this: A user is asked to sign in with another method, but they don't see a method they expect
It would be a pain to manually track SMS users and add them to a group / remove them if initial MFA App registration is done.
If this is correct, sadly "Authentication strength" isn't a solution for our scenario.
Hopefully I'm wrong. 😉
Do you have any tips regarding this?
Thanks a lot.
Regards Patrick
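
The phase groups from the answer and the tracking concern in the last reply can be driven from registration data instead of by hand. This is an added example, not code from any poster in this thread: `plan_rings` is a hypothetical helper, the users are constructed, and the field name `methodsRegistered` with the values `mobilePhone` and `microsoftAuthenticatorPush` is assumed to match the Microsoft Graph `userRegistrationDetails` report.

```python
# Added example. Records mimic the Microsoft Graph report
# /reports/authenticationMethods/userRegistrationDetails (field name and
# method values are assumptions; all users below are constructed).
SAMPLE_RECORDS = [
    {"userPrincipalName": "anna@contoso.example",
     "methodsRegistered": ["mobilePhone"]},
    {"userPrincipalName": "ben@contoso.example",
     "methodsRegistered": ["mobilePhone", "microsoftAuthenticatorPush"]},
    {"userPrincipalName": "cara@contoso.example",
     "methodsRegistered": ["softwareOneTimePasscode", "mobilePhone"]},
    {"userPrincipalName": "dev@contoso.example",
     "methodsRegistered": ["microsoftAuthenticatorPush"]},
    {"userPrincipalName": "eli@contoso.example", "methodsRegistered": []},
]

# Methods the custom authentication strength accepts as second factor
# (assumed here to be Authenticator push only; match it to your strength).
STRENGTH_METHODS = {"microsoftAuthenticatorPush"}
SMS_METHOD = "mobilePhone"


def plan_rings(records, ring_size, accepted=STRENGTH_METHODS):
    """Return (rings, migrated).

    rings:    {"phase 1": [upn, ...], ...} with users who have SMS registered
              but no method the strength accepts (the migration targets).
    migrated: users who already hold an accepted method and can be removed
              from any phase group they are still in.
    Users with neither SMS nor an accepted method are left out of both.
    """
    pending, migrated = [], []
    for rec in records:
        methods = set(rec.get("methodsRegistered") or [])
        upn = rec["userPrincipalName"].lower()
        if methods & accepted:
            migrated.append(upn)
        elif SMS_METHOD in methods:
            pending.append(upn)
    pending.sort()  # deterministic ring assignment between runs
    rings = {}
    for start in range(0, len(pending), ring_size):
        rings[f"phase {start // ring_size + 1}"] = pending[start:start + ring_size]
    return rings, sorted(migrated)


if __name__ == "__main__":
    rings, migrated = plan_rings(SAMPLE_RECORDS, ring_size=1)
    print(rings, migrated)
```

Re-running it against a fresh report export shows who has moved from a phase group to the migrated list since the last run.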