Office 365 is demanding the Authenticator App for system administrators.
Office 365 is demanding the Authenticator App for system administrators.
For fellow Microsoft admins, I see others facing challenges with forced MFA on Exchange Online or kiosk users, even when SMS/call MFA is already active in the admin center. Previously, Microsoft suggested skipping this step for Business Standard licenses, but now it applies to Outlook-only type licenses as well. This has occurred across multiple accounts, all with basic Outlook licenses, and it persists even when MFA is turned off there. After signing back in, the system still prompts for MFA via authenticator app. Some users disable the authenticator after adding it, only to be re-asked if they use an app. They’re frustrated because they don’t want another app on their phone and are paying extra per license—especially since this isn’t clearly marked as optional anymore. I’m trying to figure out when this requirement was officially announced and which licenses are impacted. I’d prefer not to open a support ticket with Microsoft, so I’m hoping someone in the community has encountered or knows about this change. My main concern is how licensing rules might evolve and whether this extra step will become mandatory for all users.
Securing Azure Active Directory with Microsoft Entra offers enhanced admin capabilities compared to the standard admin.microsoft.com. This change reflects a recent rebranding effort. Azure AD is now known as Microsoft Entra ID, and the Microsoft Entra Identity Developer Blog provides further details.
We observed the same issue with several users across our platform. Fortunately, half of our team members in a particular department use a physical key called a "dongle" that produces a 2-factor code for entry. The remaining users have a Yubikey assigned to them. It seems that as long as the primary method isn't text or call-based, Microsoft supports it for 2FA. Honestly, I think the authenticator app offers the simplest login experience. While I acknowledge some users might resist, encouraging adoption would help avoid future reliance on physical devices. This approach is more straightforward than many alternatives. Apologies for the limited details I have right now. I'd love to hear your thoughts or any additional insights you might have.
I understand why convincing others is challenging—even my backup system admin isn’t keen on using it. The feedback I shared came up during our conversation, and it seems the Entra rebrand introduced a new admin portal under that domain that’s quite recent. The guide about disabling 'security defaults' is only a few days old, so much of this is brand new. Examining the guide reveals it was set to default on newer Azure AD accounts, which ours is several years old and might not have had that option enabled. Since the rebrand happened recently, it’s possible the setting was applied when the account moved. Most folks in the company likely prefer avoiding this requirement, though I’m unsure if it’s secure long-term. Personally, I don’t see much impact over time given our scale, but it feels like a trade-off between ease and safety.