
Impact of Removing SMS As an MFA Method In Azure AD

Posted in 2FA, Azure Active Directory, Azure AD, MFA, security, self-service password reset, smartphone, sms, text message

There are a number of general recommendations that SMS (text messages) as an MFA method is not a good idea (mainly to do with the ease of porting or moving the device the number is associated with, which lets an attacker receive the code instead of the user). You should always be looking at MFA with an app (Microsoft Authenticator or other) or a hardware device. But the default in Azure AD is to include SMS as an option – so if we turn off text messaging as a second factor, what is the impact on our user base, who might have already registered their phone number?

My previous article on MFA end user experiences covered the different options available for the different registration wizards (legacy and the new combined MFA/SSPR wizard), what happens if you have SSPR enabled (and what happens if you do not). Each of the scenarios in that article allowed the user to register a phone number and then to have a text message sent at login.

If the user registered with the legacy authentication wizard (which is the default setting as of the time of writing) then there are three options by default – authentication phone, office number (set by the admin and not by the user) and mobile app (and phone is the selected option). Using SMS for second factor is therefore automatically set up unless the user chooses “office number” or “mobile app” whilst registering. The registration page looks as follows:

Legacy Auth for MFA with Phone Selected

So in scenarios where the user followed the defaults they get an MFA prompt at login that looks like this:

MFA via Phonecall dialog

Notice that they have an option to “sign in another way” for scenarios where the user cannot receive a phone call but would be able to receive a text message (if you are in a location where you can receive neither, then you need to have registered the app as well in advance). If the user clicks “sign in another way” then they see the following, where they can choose to receive a text message as the second factor proof:

Second factor proof select phone or text

To disable SMS/text as an MFA method you need to be in the Azure AD portal > MFA > Additional cloud-based MFA settings (or click Multi-Factor Authentication in the Users page of the same portal). You will see the below once you click the Service Settings tab:

Classic MFA Service Settings

This dialog includes the “skip multi-factor authentication…” box which you only have if you have Azure AD P1 or P2 licence. The four options at the bottom include the “Text message to phone” – uncheck that to stop SMS as a second factor.

So if SMS/text is removed as an option – what changes for the users who have already got a phone number stored as an MFA method? The first change is that the “sign in another way” link is now missing. A user who previously got a phone call with the option to change to another method will find that they cannot change methods anymore (unless they have also registered a different method such as office number or mobile app):

MFA by Phone with SMS disabled

Therefore if there is not enough mobile signal to manage a call (and there might be for a text message) then the user cannot authenticate.

What about users who set SMS as their default when they registered for MFA? Setting text message as a default is not an obvious setting – the default is whatever you initially choose to register with – so if in the registration wizard you select “send me a code by text message” then your default is SMS:

SMS as default MFA method

Once the admin disables SMS as a valid second factor, those users with phone as their default (or app) are not impacted – but users who set text message as their default are required to re-register. In the registration they are told their organization needs further information, that “call me” is the only available option, but their previously registered telephone number is shown in the registration wizard. This is shown in the following series of images:

More information required
Registration for MFA - Call only as a phone option
Registration for MFA steps
Registration for MFA steps 2

Once the user’s settings are saved, the user clicks Finish and their registration for phone authentication is updated to remove text message as a valid option. Enabling texts again in the admin portal does not allow this user to use texts again unless they register again or they update their additional security verification settings (Office 365 browser app > click photo > My account > Manage security & privacy > Additional security verification > Update your phone numbers used for account security; go to https://aka.ms/mfasetup as a shortcut to avoid all these steps).

If you remove both phone and text as a registration option as shown then users who previously only had phone and/or text registered will be required to register again.

Disable all phone and text options for MFA

This time registration will default to “mobile app” – where the user can select “code” or “notification” as their new default:

MFA Registration - phone and text disabled

In scenarios where you have enabled the new registration wizard (see my previous article on MFA end user experiences for more on this) then the default registration option is to use the app and not phone or text, though phone numbers are collected if you also turn on two or more options for requiring a password reset with SSPR. So in these scenarios you will probably find that the user has lots of registered options and so turning off SMS is not an issue.

So disabling SMS is only a problem in Azure AD for the user – as it means that at the next login they need to register again (so not a real problem). I had previously seen in 2018 that if the admin disabled text messages then users could not log in if this was their only method! So that issue is clearly fixed now.

So as a call to action from this article – consider turning off text messages as a second factor and noting that the only impact is some users will either need to register again or you can ask them to go to https://aka.ms/mfasetup beforehand to change their default setting.
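Before turning off text messages it helps to know which users actually have SMS as their default method (the Insights report does not show the default) and which users have nothing but a phone number registered. The following PowerShell is an added example, not code from this post or from Microsoft; it assumes the MSOnline module is installed and that you have already run Connect-MsolService with an account that can read users’ MFA settings. The MethodType values (OneWaySMS, TwoWayVoiceMobile, TwoWayVoiceOffice, PhoneAppNotification, PhoneAppOTP) are the ones the StrongAuthenticationMethods property returns; the function name is my own.

```powershell
# Added example (not from the original post): find users whose default MFA method is
# SMS, or who have only phone/text registered, so they can be asked to update their
# default at https://aka.ms/mfasetup before SMS is disabled in Service Settings.
# Assumes: MSOnline module installed and Connect-MsolService already run.

function Get-SmsDependentMfaUsers {
    [CmdletBinding()]
    param(
        # Pass a subset of users (e.g. a pilot group) down the pipeline;
        # defaults to every user in the tenant.
        [Parameter(ValueFromPipeline = $true)]
        [object[]]$Users = (Get-MsolUser -All)
    )
    process {
        foreach ($u in $Users) {
            $methods = @($u.StrongAuthenticationMethods)
            if ($methods.Count -eq 0) { continue }   # not registered for MFA at all

            # The default is the method the user chose first in the registration wizard.
            $default = ($methods | Where-Object { $_.IsDefault }).MethodType
            $types   = @($methods | ForEach-Object { $_.MethodType })

            # Methods that still work once text and/or mobile phone call are disabled:
            # office number (admin set) and the mobile app (notification or code).
            $fallback = @($types | Where-Object { $_ -notin @('OneWaySMS', 'TwoWayVoiceMobile') })

            [pscustomobject]@{
                UserPrincipalName = $u.UserPrincipalName
                DefaultMethod     = $default
                RegisteredMethods = ($types -join ',')
                # Will be told "more information required" and re-register when SMS is turned off.
                SmsIsDefault      = ($default -eq 'OneWaySMS')
                # Will have to re-register if both phone call and text are turned off.
                PhoneOnly         = ($fallback.Count -eq 0)
            }
        }
    }
}

# Usage: users to contact before unchecking "Text message to phone".
Get-SmsDependentMfaUsers |
    Where-Object { $_.SmsIsDefault -or $_.PhoneOnly } |
    Sort-Object UserPrincipalName |
    Format-Table UserPrincipalName, DefaultMethod, RegisteredMethods, SmsIsDefault, PhoneOnly -AutoSize
```

Run the usage line as-is for the whole tenant, or pipe the output of Get-MsolGroupMember resolved to user objects into the function to check one group at a time. Users with SmsIsDefault set are the ones who will see the “more information required” wizard at next sign-in; users with PhoneOnly set are the ones who also need attention if you go on to disable phone calls as well.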

3 thoughts on “Impact of Removing SMS As an MFA Method In Azure AD”

  1. It’s a pity “Insights – Authentication methods registration details” doesn’t give you a report on the users that are using SMS as their default. It only says: “Mobile phone, App notification, App code” for example for a user that is using SMS, then Authenticator app on his phone. So the Mobile phone option could be used for SMS and/or Call but the default is not reflected in the Insights report.

  2. Without doubt SMS is the weakest yet most popular second factor out there and any option to replace it should be considered.

    Hardware tokens, fido keys and mobile apps are probably the best alternatives, but if it’s a choice of 2FA via SMS vs no 2FA then clearly 2FA with SMS is still a better option and I guess currently the cost factor is the main driving force.
