How to Enforce MFA with Authenticator App Instead of SMS?

Asked By TechieTurtle99 On

I'm trying to set up my account to force users to use an Authenticator app for multi-factor authentication (MFA) instead of SMS. My current Conditional Access (CA) policy just requires MFA, which allows both SMS and the app. I created a new CA specifically to use 'Require Authentication Strength' and chose Passwordless MFA for testing. However, I only have SMS enabled on my test account, and when I try to log in, I get an error saying, "Additional sign-in methods are required to access this resource. Contact your administrator to enable these methods." I even considered using the Temporary Access option, but I still faced the same issue. Right now, the only enabled option under Authentication Methods is the Temporary Access Pass. Could this be the problem? How can a user register the authenticator app if they're completely locked out? I thought about creating a temporary group for a bypass, but I'm looking for a better solution.

2 Answers

Answered By SecurityWhiz23 On

First, check if users are allowed to use the Authenticator app under the authentication methods. You might want to set up a registration campaign, too. Oh, and try forcing the test user to re-enroll their MFA methods. That might just solve the issue!

Answered By CleverCactus56 On

Sounds like the app should be enabled since you’re using it through the original CA. If it's not working, consider adding it under Authentication Methods. As for the Registration Campaign, it sounds like it's currently off, but including that test user for the Authenticator app might help. Also, Temporary Access Pass is meant to help users log in once to set up their apps, so it’s a bit odd that it’s not working here. Keep me posted!
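The lockout described in the question can be checked for before a policy is enforced. The following is an added example, not code from the thread or from Microsoft: it classifies users by whether the methods enabled for them and registered by them can satisfy an authentication strength. The method labels, the accepted combinations and the sample user are constructed assumptions.

```python
# Added example: find users who would be locked out by an authentication strength.
# All method labels, combinations and users below are constructed assumptions.

# Combinations the strength accepts (assumed; read the real list from your tenant).
ALLOWED = [{"authenticator_passwordless"}, {"fido2"}, {"windows_hello"}]

# Authentication Methods policy: method -> users it is enabled for ("*" = everyone).
ENABLED_FOR = {"temporary_access_pass": {"*"}}

# Methods each in-scope user has already registered.
REGISTERED = {"test.user": {"sms"}}


def enabled_methods(user, enabled_for):
    """Methods the policy allows this user to register and use."""
    return {m for m, who in enabled_for.items() if "*" in who or user in who}


def preflight(registered, enabled_for, allowed):
    """Return {user: status} for every user in `registered`.

    satisfied          - a registered, enabled combination meets the strength
    needs_registration - an accepted method is enabled but not yet registered
    no_enabled_method  - nothing the strength accepts is enabled for the user
    """
    report = {}
    for user, methods in registered.items():
        usable = enabled_methods(user, enabled_for)
        if any(combo <= (methods & usable) for combo in allowed):
            report[user] = "satisfied"
        elif any(combo <= usable for combo in allowed):
            report[user] = "needs_registration"
        else:
            report[user] = "no_enabled_method"
    return report


if __name__ == "__main__":
    for user, status in preflight(REGISTERED, ENABLED_FOR, ALLOWED).items():
        print(f"{user}: {status}")
```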
