I'm struggling to enforce the use of the Microsoft Authenticator app for multi-factor authentication instead of allowing users to register their phone numbers. Our goal is to eliminate phone number registration completely. We've set up a conditional access policy that specifies we require Password + Microsoft Authenticator (Push Notification) for authentication strength. However, I keep encountering an Error Code 53003. The logs show that the failure occurs because users cannot satisfy the authentication strength when not permitted to use any acceptable methods. We currently have legacy authentication methods disabled and we understand that users need to register for MFA, but we're looking for a way to ensure they only use the Authenticator App. Any thoughts on what might be going wrong? For context, we're operating in a hybrid environment with an On-Prem Active Directory and can only manage password changes on-prem. Thanks!
3 Answers
Have you checked your Authentication Methods to ensure that Microsoft Authenticator and Software OAUTH are both allowed? I’ve seen others have issues where they needed to enable OAUTH alongside Microsoft Authenticator to avoid errors like the one you're facing. Also, are you fully migrated to the new system?
Your users might still need to register a phone number or home email for account recovery purposes. Maybe let them do that first, then enforce the use of the Microsoft Authenticator through your conditional access policy. Also, check if those users are SSPR capable, as that could be part of the issue.
Did you consider disabling SMS and other unused authentication methods? You can manage this from Entra to streamline your options. Just bear in mind that this can affect self-service password reset (SSPR) functionality if you decide to disable too much. It might also help to create a temporary group just for those needing to keep some methods enabled for now.
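
As an added example (not from the question or any answer above, and not Microsoft's code), this Python check separates the two causes the thread raises: a method that the authentication strength requires being disabled in the authentication methods policy, versus a user who never registered it. All data is constructed; the field names and the `GOVERNED_BY` mapping are assumptions modeled on Microsoft Graph exports, and the policy is treated as tenant-wide with no group targeting.

```python
# Added example: all data is constructed; names are assumptions modeled on
# Microsoft Graph exports, not output from a real tenant.

# Authentication strength: each entry is one acceptable combination of methods.
ALLOWED_COMBINATIONS = ["password,microsoftAuthenticatorPush"]

# Authentication methods policy, simplified to method id -> state.
METHODS_POLICY = {
    "MicrosoftAuthenticator": "enabled",
    "SoftwareOath": "disabled",
    "Sms": "disabled",
    "Voice": "disabled",
}

# Which policy entry governs each combination component (assumed mapping).
GOVERNED_BY = {
    "microsoftAuthenticatorPush": "MicrosoftAuthenticator",
    "softwareOath": "SoftwareOath",
    "sms": "Sms",
    "voice": "Voice",
}

# Methods each user has registered (constructed sample).
USERS = {
    "alice@example.com": ["password", "microsoftAuthenticatorPush"],
    "bob@example.com": ["password", "sms"],
    "carol@example.com": ["password"],
}

def diagnose(registered, combos=ALLOWED_COMBINATIONS, policy=METHODS_POLICY):
    """Return (ok, reasons) for one user against the authentication strength."""
    reasons = []
    for combo in combos:
        parts = combo.split(",")
        # A component is blocked when its governing policy entry is not enabled.
        blocked = [p for p in parts
                   if p in GOVERNED_BY and policy.get(GOVERNED_BY[p]) != "enabled"]
        missing = [p for p in parts if p not in registered]
        if not blocked and not missing:
            return True, []
        if blocked:
            reasons.append(f"{combo}: disabled in methods policy: {', '.join(blocked)}")
        if missing:
            reasons.append(f"{combo}: not registered: {', '.join(missing)}")
    return False, reasons

def report(users=USERS):
    """Map each user to the (ok, reasons) result of diagnose()."""
    return {upn: diagnose(methods) for upn, methods in users.items()}
```

A user who has only a phone number registered shows up as "not registered", which points at a registration gap rather than at the conditional access policy itself.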
