This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(227.2, 20%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJA%3C/text%3E%3C/svg%3E)
Hi,
I don't see any obvious way to be able to use the Microsoft Authenticator app for MFA. Security defaults does not force MFA registration.
The Microsoft documentation states to use Conditional Access - so disabled Security Defaults and created an MFA policy to force MFA for all users.
That works but it seems only Email OTP works. I need a way to enable Microsoft Authenticator app.
Kind regards,
Jonathon
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 24%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAA%3C/text%3E%3C/svg%3E)
Hello
Thanks for your question.
If you want to enforce MFA app usage you can leverage, Authentication policies here:
How To: Configure the multifactor authentication registration policy
Emergency access or break-glass accounts to prevent tenant-wide account lockout.
Service accounts and service principals, such as the Microsoft Entra Connect Sync Account.
Note that: this is a feature of Identity Protection which requires a P2 license
You can also configure an MFA registration Campaign instead to force users to sign up for the app, if you have only P1. See: https://zcusa.951200.xyz/en-us/entra/identity/authentication/how-to-mfa-registration-campaign
Also see:
Common Conditional Access policy: Require MFA for all users
You can mark it 'Accept Answer' and 'Upvote' if this helped you
Regards,
Abiola
Hi.
Everytime I try and Enable policy enforcement the captured image below is shown.
Hi Abiola,
Unfortunately this doesn't work, the policy is already configured for "All users", however, Policy enforcement is Disabled. Everytime I try and Enable Policy enforcment the portal provides the error below.
Please note this is an External ID tenant. I don't think P1/P2 works, however, the MFA registration campaign also doesn't work.
Although under Protection > Authentication methods > Policies the Microsoft Authenticator is enabled, targeting All users it won't trigger. Only the Email OTP triggers and if I disable Email OTP then users can't login because it doesn't fall back to the other methods enabled (Microsoft Authenticator and Third-party software OAUTH tokens are enabled and targeting All users).
Kind regards,
Jonathon
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Sometimes the "unable to save Microsoft Entra ID multifactor authentication registration policy" error occurs due to cached data. The policy may appear as disabled in the portal, even though it is actually already enabled. You can validate this by logging in from a private browser session.
Another consideration is that you cannot activate the sign in risk policy more than once, using different log in credentials from different domains. So if you have done this, you need to log in with the original log in credentials to save the policy.
To use this feature, you need to be logged in as a Global Admin and have a P2 license (as called out by akinbade). Here are some additional troubleshooting steps to try if you still face the error:
If these steps do not work, it would probably be worthwhile to create a support ticket to further investigate your issue. I tried reproducing the issue in my tenant and could not.
If the information helped you, please Accept the answer. This will help us and improve searchability for others in the community who may be researching similar questions. Otherwise let me know if you still face this issue.
Yes I've raised a support ticket, waiting to hear back.
This is an External ID tenant, so I don't think P1/P2 is an issue or requirement. Everything else is as you described and all users are local users in the directory, no other IDP is allowed to be used to register an account in this External ID tenant.
You mentioned you tried reproducing this in your tenant, what steps did you use to create your External ID tenant?
It's possible that because I created mine during the preview that something isn't right since GA but I'm also keen to see if you've made changes that I haven't made (in case I've missed something).
Kind regards,
Jonathon
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 35%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBM%3C/text%3E%3C/svg%3E)
Hi Jonathan, I'm curious if you were able to get Microsoft Authenticator working in an Entra External ID tenant, and if so, do you recall what you needed specifically?