Azure MFA: Prompting for Authenticator?

I had an unusual case that seemed to come out of nowhere: after people signed in, they were being prompted (or reminded) to set up Microsoft Authenticator.

Only people using SMS for their MFA were getting this prompt; people who had already registered an authenticator-style application did not get it.

The first port of call was to check whether a Conditional Access policy had been amended, but this was not Conditional Access at all; the prompt did not look anything like a Conditional Access prompt. This is what users were getting:

What was more confusing is that users were not reporting that screen at all; they were reporting that they were being offered a QR code, which is 100% Authenticator related. When I got a visual of the problem, this is what I was confronted with:


This is exactly the process you go through to set up Authenticator. Interestingly, people clicked Next on the first dialogue, which I imagine is a default reaction, and then continued to click Next until they reached the QR code.

This is the point where clicking Next no longer works: they need to open the Authenticator app, add an account and scan the QR code. That takes them to the next phase of enrollment, testing the notification, which should look like this:


Then, once your Authenticator app was successfully enrolled, you would see the magical blue Finish button, as below:


Right. So now, out of the blue, users are being asked to register for the Authenticator app without an administrator having set any policy option. As this interrupts the logon process it can be a little confusing, and what's worse, you can only skip it three times before it is enforced.

Why would this all of a sudden start happening? 

Interestingly, this is something everyone will have been notified about but probably ignored: at some point before this was enabled, you will have received an email like this from Microsoft:

You’re receiving this email because you have a Microsoft Entra ID tenant.

On September 15, 2023, we’ll begin prompting your users who authenticate using SMS and voice methods to set up the Microsoft Authenticator app when they sign in to their work or school account. This change will take place on a rolling basis over six weeks as part of ongoing efforts to improve security.

This essentially informs you that people using SMS will be enrolled in a registration campaign that is Microsoft managed by default. That would lead me to believe you get the options Enabled, Disabled or Microsoft managed.

To check the status of your campaign, log in to the Azure portal, choose Microsoft Entra ID, then choose Security > Authentication methods > Registration campaign:



You will then see an option for Registration campaign; click on it and you should see something like this:


If you look at the State, you will notice it is Microsoft managed, which is the expected outcome:


You will also notice that you can customize the number of days users are allowed to snooze the campaign, and you can exclude users or groups, so it is quite customizable. It is not recommended to stop this campaign: SMS messages can easily be read with the phone locked unless you have enabled private notification features, and someone answering the phone is not necessarily its owner. This makes phone calls and SMS a very weak form of authentication; although it counts as multi-factor, it is technically not 2FA. From a security point of view, you should let this campaign run.

If you need to stop the campaign because you have different plans for your own rollout, this is the place to disable it. It is not recommended to disable Authenticator registration without a plan to still enforce it.
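As an added example that is not from the original post, the same campaign settings (State, snooze days, excluded groups) can be read and adjusted through Microsoft Graph PowerShell rather than the portal, which is handy for auditing several tenants. It assumes the Microsoft.Graph.Identity.SignIns module is installed, that the signed-in account holds the Policy.ReadWrite.AuthenticationMethod permission, and that the pilot group id is a placeholder you replace; the function names are my own.

```powershell
# Added example: inspect and tune the Authenticator registration campaign via Microsoft Graph.
# Assumes the Microsoft.Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns) is installed.
Import-Module Microsoft.Graph.Identity.SignIns

# Reading the policy needs Policy.Read.All; changing it needs Policy.ReadWrite.AuthenticationMethod.
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod'

function Get-RegistrationCampaignState {
    # The campaign lives under the tenant-wide authentication methods policy.
    $campaign = (Get-MgPolicyAuthenticationMethodPolicy).RegistrationEnforcement.AuthenticationMethodsRegistrationCampaign
    [pscustomobject]@{
        # 'default' is what the portal shows as "Microsoft managed"; otherwise 'enabled' or 'disabled'.
        State                = $campaign.State
        SnoozeDurationInDays = $campaign.SnoozeDurationInDays
        ExcludedTargets      = @($campaign.ExcludeTargets | ForEach-Object { "$($_.TargetType):$($_.Id)" })
    }
}

function Set-RegistrationCampaign {
    param(
        [ValidateSet('default', 'enabled', 'disabled')] [string] $State = 'default',
        [ValidateRange(0, 14)] [int] $SnoozeDurationInDays = 3,   # Graph allows 0..14 days
        [string[]] $ExcludeGroupIds = @()
    )
    # Re-send the current includeTargets unchanged so the PATCH only alters what we intend.
    $current = (Get-MgPolicyAuthenticationMethodPolicy).RegistrationEnforcement.AuthenticationMethodsRegistrationCampaign
    $include = @($current.IncludeTargets | ForEach-Object {
        @{ targetType = $_.TargetType; id = $_.Id; targetedAuthenticationMethod = $_.TargetedAuthenticationMethod }
    })
    $body = @{
        registrationEnforcement = @{
            authenticationMethodsRegistrationCampaign = @{
                state                = $State
                snoozeDurationInDays = $SnoozeDurationInDays
                includeTargets       = $include
                excludeTargets       = @($ExcludeGroupIds | ForEach-Object { @{ targetType = 'group'; id = $_ } })
            }
        }
    }
    Update-MgPolicyAuthenticationMethodPolicy -BodyParameter $body
}

Get-RegistrationCampaignState
# Keep the campaign running but give a pilot group breathing room: exclude one group, allow 7 snooze days.
# '<PILOT-GROUP-OBJECT-ID>' is a placeholder for a real group object id.
Set-RegistrationCampaign -State 'enabled' -SnoozeDurationInDays 7 -ExcludeGroupIds '<PILOT-GROUP-OBJECT-ID>'
Get-RegistrationCampaignState
```

Running the first call alone on a tenant that has never touched the setting should report State equal to default, the Graph name for Microsoft managed.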
