Azure MFA – How to Change Microsoft Azure MFA from ‘Enter Code’ to ‘Approve Request’

authenticationazureazure-mfamicrosoft-office-365

We have a M365 tenant with MFA enforced for all users.

We can use either text message (SMS) or Microsoft Authenticator app on smartphone with a Time Based code (6 digit TOTP code).

We would like for some users to have the MFA set to "approval" mode.
I.E. when the user try to login, the MS Authenticator ask the user to approve the sign-in request and the user simply need to push on the 'approve' button.

How can we configure this?

Note: we are aware this may be less secure and some users will simply approve any request even if they are not the originator. This is to be set up for very specific users which we trust to use this feature correctly.

Best Answer

You need to Enable passwordless phone sign-in authentication methods

To enable the authentication method for passwordless phone sign-in, complete the following steps:

Sign in to the Azure portal with an Authentication Policy Administrator account.
Search for and select Azure Active Directory, then browse to Security > Authentication methods > Policies.
Under Microsoft Authenticator, choose the following options:

a. Enable - Yes or No

b. Target - All users or Select users
Each added group or user is enabled by default to use Microsoft Authenticator in both passwordless and push notification modes ("Any" mode). To change the mode, for each row for Authentication mode - choose Any, or Passwordless. Choosing Push prevents the use of the passwordless phone sign-in credential.
To apply the new policy, click Save.

Hope this helps!

Related Solutions

Resource calendar with approval sending approval emails with “No response required”

If you want to approve/reject appointments, the users need to be submitting Meeting Requests to the calendar.

Since the room is automatically approving requests, there may be a settings conflict.

I recommend you check out settings using Get-CalendarProcessing -Identity resourcecalendar | FL. You may find some properties misconfigured. Possibilities include:

TentativePendingApproval          
AllBookInPolicy                     
AllRequestInPolicy
RemoveForwardedMeetingNotifications

If you want to include the output of the Get-CalendarProcessing command above for this mailbox it might help.

microsoft-office-365 – Fixing OWA Error ‘OpenIdConnectIdpException’

Following my comments with @maweeras, I reconfigured Azure AD Connect changing the user sign-in mode from pass-through authentication (we didn't need it) to password hash synchronization which immediately resolved the problem.

Update: 2018/08/01 15:00

This morning, out of curiosity, I reconfigured Azure AD Connect changing the user sign-in mode from password hash synchronization back to pass-through authentication which completed with the following status message:

Pass-through Authentication was successfully enabled, but it appears your network may be blocking certain ports required by the feature to function correctly. We detected the following ports might be blocked on your network: 443

As advised by https://social.msdn.microsoft.com/Forums/en-US/81673e69-1220-4231-a9c0-0753f4aa3455/azure-ad-connect-443-may-be-blocked?forum=WindowsAzureAD, on the server, I browsed to https://aadap-portcheck.connectorporttest.msappproxy.net/ which loaded fine and all tests passed.

In any case, I’m now able to sign-in to Office 365 using the same affected Office 365 user accounts so I don’t know what the original problem was.

Best Answer

Related Solutions

Resource calendar with approval sending approval emails with “No response required”

microsoft-office-365 – Fixing OWA Error ‘OpenIdConnectIdpException’

Related Topic