Multifactor Authentication
Global Administrator MFA recovery not possible
Since Microsoft automatically enforced MFA on the administrator role in Azure, you can end up in a situation where it is no longer possible to recover your tenant. If your only account on that tenant has the Global Administrator role and you accidentally lose your MFA, the only way is to call Microsoft support. Support on the phone is automated, and any question regarding Azure is redirected to visit the Azure portal. If your only user cannot log in, then the Azure portal is not accessible.

Authenticator not displaying numbers on MacOS
I'm having an issue with MFA on a Mac (all the latest versions). We have conditional access policies in place, so once a day I'm prompted for MFA (I work off-site) and the Office app (e.g. Outlook, Teams) will create the pop-up window that 'should' display a number that I then match on my phone. My phone sees the push notification, but the Mac never creates the numbers in the first place. The pop-up is there, just no number. The workaround is:
1. Answer 'it's not me' on the phone.
2. On the Mac, select 'I can't use Authenticator right now'.
3. Tell the Mac to send a new request.
This time it creates the number and I can authenticate on the phone. It only appears to happen for the installed Office applications, i.e. if I'm accessing applications/admin-centre via the browser, then the pop-up is within the browser and everything works first time. Is this a known issue?

Passwordless together with MFA
Edit: this was an issue using Edge under Linux, which now has support for FIDO2 tokens. You need to use Chrome when logging into Azure using a Linux client.

Hi, we are running a CA which enforces MFA through the MS Authenticator app for all users. We would like to set up an alternative way through FIDO2 tokens (passwordless). We still have users without smart devices and we also want a soft way for migration. Right now the passwordless login fails because the CA enforces MFA for all users. Is there a way to solve this problem? Or do we have to choose one authentication way for all users? My first idea is to configure the CA so it excludes certain users from the policy: make a group for passwordless users and exclude them from MFA. Is this the way to go or are there better solutions? Would it be possible to generate this group dynamically for all the users with at least one FIDO2 token in their authentication methods? Or would this idea mean that we have to set this group manually? What are the consequences if a user has MFA and FIDO2 within their authentication methods? Thanks for any answers and any solution. Cheers, Sebastian

Problem with multi-factor authentication
Hello, I am a registered and active Microsoft Partner with ID 1822164. I have two-factor authentication through the Authenticator app on my mobile phone. The phone is currently down and I can't log into partner.microsoft.com. I have a new phone with Authenticator installed but I can't make any changes to the account. I can provide any necessary identification information; my name and password are valid. Where can I request to turn off two-factor authentication to sign in and add my new phone?

Enable Windows Hello in Hybrid Environment
Hi all, we are planning to enable Windows Hello for our hybrid AD joined devices. I have the questions below around it before proceeding with it. I appreciate anyone's help.
1. Is a certificate or Cloud Kerberos configuration a must?
2. Can't we enable Windows Hello from Microsoft Intune like we do for Azure AD standalone devices?
3. Do we need to consider anything important if we go forward with Cloud Kerberos configuration (it seems this is the only method where we don't need a certificate)? We have around 20+ domain controllers in our environment, including RODCs.
4. Can I please have the pros and cons of enabling Windows Hello for a hybrid environment?
Thanks in advance! Dilan

Whenever logging into the Office applications, a different OTP needs to be applied for Outlook and Teams
When signing into Office applications, a different OTP is required for both Outlook and Teams. To address this issue, is there any resolution for it, or a supporting document as proof to confirm that this is a standard procedure?

Using CBA with a device certificate on Windows Server
Hi, will it be possible to use CBA as a "filter for devices" some day? E.g. a Windows Server which is not hybrid joined or managed by Intune could then be identified as a "valid device" which is allowed to access the Admin portal, like RADIUS auth. BR, Stephan

Phase out text message / SMS for MFA (no hard break)
Hi everyone, is it possible to phase out SMS in rings? We still have too many users using text message as their first auth method. We are "nudging" and we are sending campaigns on "how to change", but we want to get the last ones to change. Is there any way to just restrict the usage of SMS in rings, so the first ring is 500 employees, the next one 1000, etc., instead of just switching it off? We would expect a high number of service desk calls if we just switch it off. Best regards, Stephan

Virtual Smart Card for Application 2FA
Is it possible to use VSCs for application 2FA? My understanding is that operating system sign-in is relatively straightforward (although there's no option to use username/password with the VSC, only PIN):
1. Create the certificate template.
2. Create the TPM virtual smart card using tpmvscmgr.exe.
3. Enrol for the certificate on the TPM Virtual Smart Card.

[Question] Authenticating users with their Mifare 1k Badge
Hello everyone! I am writing here because I need advice, after searching online for a while without finding any inputs that could help me realize what I have in mind. Basically, our employees all have a Mifare Classic 1k badge that they use to register their presence in the morning. Some of them have access to a PC, and we would like to migrate the login method from a classic username & password to something passwordless and more secure. Since we already have a ton of Mifare Classic 1k contactless cards, we were wondering if they could be used like "smart cards", to store user certificates or credentials, or something like that, so that users can log into Windows with those. I have been reading Microsoft's documentation about Custom Credential Providers, and I am starting to think that unless we want to change our whole presence detection system, that would be the way to go. Should we develop our own Credential Provider? Is there another way to achieve something like that while maintaining the existing infrastructure? If that is not the case, may I ask how you would face this challenge? If there is absolutely no way to use our current technology, could you please suggest an alternative to achieve the same result? Thanks for taking the time to read this post, have a nice day! Dennis