Organizations are still using settings in the old PhoneFactor Multi-factor Authentication portal. In combination with the new Security Defaults functionality, however, those settings can lock their own users out once the 14-day grace period for registering multi-factor authentication expires.
About the PhoneFactor verification options
The old PhoneFactor Multi-factor Authentication portal experience is a remnant of Microsoft acquiring PhoneFactor’s technology for multi-factor authentication. While most of the experience was transferred to the new Azure Portal, some of the settings remain hidden away in a legacy portal, accessible through a link in the Security section of Azure Active Directory in the Azure Portal.
One of the settings is the verification options setting:
These options determine the multi-factor authentication methods available to users in the Azure AD tenant.
About Security Defaults
Security Defaults is a relatively new Azure AD feature. As noted in the Release Notes for Azure Active Directory for December 2019, Security Defaults replace the Baseline Policies in Azure AD’s Conditional Access.
Microsoft’s goal with the Security Defaults functionality is to allow organizations without Azure AD Premium subscription licenses to enjoy the Conditional Access recommended practices by:
- Requiring multi-factor authentication for sign-ins by user accounts with admin privileges and user accounts with service owner privileges
- Requiring one-time multi-factor authentication registration for all users within the Azure AD tenant, with a 14-day grace period, and
- Blocking legacy authentication protocols
As of February 2020, new Azure AD tenants are created with Security Defaults turned on. The Security Defaults functionality can be turned on for existing Azure AD tenants, which results in the loss of the Conditional Access functionality.
Multi-factor Authentication using the Microsoft Authenticator App with Security Defaults is free for organizations. Organizations do not require Azure AD Premium licenses for the multi-factor authentication experience in this case.
An organization uses an Azure AD tenant with the Security Defaults feature turned on.
The admin has configured the verification options setting in the old PhoneFactor portal experience to disable the use of:
- Notification through mobile app
When a person who has not yet registered for multi-factor authentication signs in, the Additional information required screen is shown as part of the sign-in experience for the user account. When the person tries to register multi-factor authentication in this case, they receive the following error:
Subsequently, the person cannot register for multi-factor authentication. The sign-in log shows an Interrupted sign-in for the person’s user account.
When the 14-day grace period for MFA registration ends, the person can no longer sign in.
The issue is caused by the fact that Security Defaults default to the Microsoft Authenticator App method using the Notification through mobile app verification option.
As using a different verification option in combination with Security Defaults might push an organization with Azure AD Free subscription licenses out of license compliance, Microsoft opts to show an error screen instead of the other verification options:
- Call to phone
- Text message to phone
- Verification code from mobile app or hardware token.
The solution is to re-enable the Notification through mobile app verification option in the old PhoneFactor portal experience:
- Start a browser and navigate to the Azure AD Portal.
- Sign in with an account with Global Administrator privileges.
  Perform multi-factor authentication when prompted.
- In the left navigation menu, click Azure Active Directory.
- In Azure AD’s navigation menu, click Security.
- In the Security navigation menu, click on MFA under Manage.
- Follow the Additional cloud-based MFA settings link in the main pane.
  A new tab or browser window opens.
- In the verification options (learn more) area, select (at least) the following option:
  - Notification through mobile app
- Click Save at the bottom of the page.
- Close the browser window.
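To find out which accounts are exposed to this lockout before the grace period runs out, the following added check (not part of the original post) uses the Microsoft Graph PowerShell SDK to read the Security Defaults state and list users who have not registered MFA yet. It assumes an account that can consent to the Policy.Read.All and AuditLog.Read.All scopes; the legacy verification options themselves are not exposed through this API, so the Notification through mobile app setting still has to be verified in the portal as described above.

```powershell
# Added example, not from the original post or from Microsoft.
# Requires the Microsoft.Graph module (Connect-MgGraph, Get-MgPolicy*, Get-MgReport*).
# Assumption: the signed-in account can consent to Policy.Read.All and AuditLog.Read.All.

function Get-MfaRegistrationRisk {
    Connect-MgGraph -Scopes 'Policy.Read.All', 'AuditLog.Read.All'

    # Security Defaults is exposed in Graph as identitySecurityDefaultsEnforcementPolicy
    $policy = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    if (-not $policy.IsEnabled) {
        Write-Host 'Security Defaults is OFF; the 14-day MFA registration grace period does not apply.'
        return
    }
    Write-Host 'Security Defaults is ON; every user must register MFA within 14 days of first sign-in.'

    # Registration state comes from the authentication methods user registration report
    $unregistered = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
        Where-Object { -not $_.IsMfaRegistered }

    if (-not $unregistered) {
        Write-Host 'All users have registered MFA; no one is waiting on the grace period.'
        return
    }

    # These users are locked out once their grace period ends if registration keeps failing
    Write-Host ("{0} user(s) have not registered MFA yet:" -f @($unregistered).Count)
    $unregistered |
        Select-Object UserPrincipalName, IsMfaRegistered, IsMfaCapable |
        Sort-Object UserPrincipalName |
        Format-Table -AutoSize
}

Get-MfaRegistrationRisk
```

If the list is not empty, have one of the listed users attempt registration: the error screen from the post means the verification option above still needs to be re-enabled.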