Disabling authentication methods in Entra having no effect
Fairly new to MS365 here and we’re trying to restrict which MFA methods our users can use. We want our users to be able to either use the Authenticator app or a FIDO2 key depending on their role, in addition to a TAP to do the initial login.
We’re testing disabling various methods via the Authentication methods page in Entra. As a representative test we set TAP to disabled and it gave an error when I attempted to issue a TAP for a user via the user’s Authentication methods page in Intune.
However we don’t get consistent results with other auth methods: Authenticator, Security key (FIDO2) and SMS. I put a specific group in the ‘Enable and target’ > ‘Exclude’ section for all 3 and was still able to configure Authenticator and a phone for SMS. When viewing the methods configured for the user, only the security key was listed under ‘unusable methods’; hence the policies for Authenticator and SMS appear to have no effect. Similar tests with just one auth method yield the same result.
Is there something we’re doing or understanding wrongly about how these policies work?
Fairly new to MS365 here and we’re trying to restrict which MFA methods our users can use. We want our users to be able to either use the Authenticator app or a FIDO2 key depending on their role, in addition to a TAP to do the initial login. We’re testing disabling various methods via the Authentication methods page in Entra. As a representative test we set TAP to disabled and it gave an error when I attempted to issue a TAP for a user via the user’s Authentication methods page in Intune. However we don’t get consistent results with other auth methods: Authenticator, Security key (FIDO2) and SMS. I put a specific group in the ‘Enable and target’ > ‘Exclude’ section for all 3 and was still able to configure Authenticator and a phone for SMS. When viewing the methods configured for the user, only the security key was listed under ‘unusable methods’; hence the policies for Authenticator and SMS appear to have no effect. Similar tests with just one auth method yield the same result. Is there something we’re doing or understanding wrongly about how these policies work? Read More