How to change Microsoft Azure MFA from "enter code" to "approve request"

JFL

12/13/23, 5:15 PM

We have a M365 tenant with MFA enforced for all users.

We can use either text message (SMS) or Microsoft Authenticator app on smartphone with a Time Based code (6 digit TOTP code).

We would like for some users to have the MFA set to "approval" mode. I.E. when the user try to login, the MS Authenticator ask the user to approve the sign-in request and the user simply need to push on the 'approve' button.

How can we configure this?

Note: we are aware this may be less secure and some users will simply approve any request even if they are not the originator. This is to be set up for very specific users which we trust to use this feature correctly.

626

1 + 0

authentication

azure

microsoft-office-365

azure-mfa

Score:1

Server

SoySolisCarlos

12/14/23, 1:18 PM

You need to Enable passwordless phone sign-in authentication methods

To enable the authentication method for passwordless phone sign-in, complete the following steps:

Sign in to the Azure portal with an Authentication Policy Administrator account.
Search for and select Azure Active Directory, then browse to Security > Authentication methods > Policies.
Under Microsoft Authenticator, choose the following options:

a. Enable - Yes or No

b. Target - All users or Select users
Each added group or user is enabled by default to use Microsoft Authenticator in both passwordless and push notification modes ("Any" mode). To change the mode, for each row for Authentication mode - choose Any, or Passwordless. Choosing Push prevents the use of the passwordless phone sign-in credential.
To apply the new policy, click Save.

Hope this helps!

+ 2

JFL

12/14/23, 3:20 PM

Yes it works. Thanks. Only thing is, when trying to sign in, it ask for a TOTP and you have to clik on the small link after "Having trouble"; "Sign in another way" and the you can send the push notification. We will also test the passwordless method.

JFL

12/14/23, 3:33 PM

Regarding the issue in my previous comment, I figured it. The user must connect to https://mysignins.microsoft.com/security-info and change its default sign-in method.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: How to change Microsoft Azure MFA from "enter code" to "approve request"

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.