Last Updated on August 10, 2024 by Arnav Sharma
With system-preferred multifactor authentication (MFA), users are prompted to sign in with the most secure method they have registered with the system. Administrators can strengthen login security by enabling system-preferred MFA, which steers users away from less secure sign-in methods such as SMS.
If a user has registered both SMS and Microsoft Authenticator as MFA options, system-preferred MFA prompts for the more secure method, the Microsoft Authenticator push notification. Users are asked to sign in with their most secure registered method first and can switch to another method only if necessary.
System-preferred MFA is rolled out as a Microsoft-managed setting in three stages. During the preview the Microsoft-managed state is off by default; you can turn the feature on for everyone, or for a selected group of users, by explicitly setting the state to Enabled. When the feature reaches general availability, Microsoft will switch the Microsoft-managed state to Enabled.
Once system-preferred MFA is enabled, the authentication system handles method selection. Because it automatically identifies and prompts for the most secure method the user has registered, users no longer need to choose a default authentication method themselves.
The need to stay ahead of bad actors in today’s rapidly shifting threat landscape cannot be overstated. With that in mind, the rollout proceeds in three steps:
- Since its introduction in April 2023, the feature has been Microsoft-managed (Disabled) by default.
- Next, the feature will become Microsoft-managed (Enabled) for all tenants, with admins still able to turn it off if necessary.
- Finally, Microsoft will take over management of the feature and set it to the “Enabled” state across all tenants.
More specific timetables will be released in June to give businesses enough time to prepare for the rollout.
Microsoft recommends you utilise the rollout controls and implement this new functionality quickly to protect your business and its customers. You can now easily enforce the policy that tenants must prioritise using the most secure authentication methods.
FAQ:
Q: What is system-preferred multi-factor authentication (MFA) in Microsoft Entra?
System-preferred multifactor authentication (MFA) in Microsoft Entra is an authentication process where Azure AD evaluates all the authentication methods registered by a user and prompts the user to sign in by using the most secure method they’ve registered and the method that’s enabled by admin policy. This ensures that the end users are using the strongest authentication method available.
Q: How does Microsoft Entra enable system-preferred MFA by default?
Microsoft Entra enables system-preferred MFA by default to ensure users are using the strongest authentication methods. This feature is managed through the Microsoft Entra admin center, where administrators can enforce system-preferred authentication methods, such as the Microsoft Authenticator app, to increase security.
Q: What authentication methods are prioritized in system-preferred MFA?
In system-preferred MFA, methods such as Microsoft Authenticator push notifications, certificate-based authentication, and FIDO2 security keys on mobile devices are prioritized as they provide the strongest authentication available. Azure AD evaluates these methods to prompt users to use the most secure method they’ve registered.
Q: What change will end users see when system-preferred MFA is enabled?
When system-preferred MFA is enabled, end users will see a change in their sign-in experience, as they will be prompted to use the most secure method they’ve registered, such as the Microsoft Authenticator app or security keys, depending on the admin policy and the methods available.
Q: How can admins enforce system-preferred MFA using the Microsoft Entra admin center?
Admins can enforce system-preferred MFA using the Microsoft Entra admin center by configuring authentication policies that prioritize the strongest authentication methods. This can include setting the Microsoft Authenticator app as the default method, and ensuring that users are prompted to sign in using the most secure method available.
Q: What happens if the preferred MFA method is unavailable?
If the preferred MFA method, such as the Microsoft Authenticator app, is unavailable, the system will prompt the user to use another secure method they’ve registered, ensuring that the authentication process remains secure even if one method is temporarily inaccessible.
Q: What is Microsoft’s approach to evolving the authentication landscape?
Microsoft introduced system-preferred MFA as part of its ongoing efforts to strengthen the authentication landscape. This approach ensures that, as the security landscape changes, users are always prompted to use the most secure methods available, reducing reliance on legacy MFA methods and improving overall security.
Q: What is the role of Azure Active Directory in system-preferred MFA?
Azure Active Directory plays a key role in system-preferred MFA by evaluating the authentication methods registered by users and enforcing the use of the strongest method available. This helps maintain a secure authentication process across Microsoft 365 and other services integrated with Azure AD.
Q: How can you enable system-preferred MFA using Microsoft 365?
To enable system-preferred MFA using the Azure AD system-preferred settings, you access the Azure portal, where the feature is enabled by default. Microsoft explains that this approach prompts users for the most secure method they have registered, such as multi-factor authentication methods on mobile devices and certificate-based authentication. Once system-preferred MFA is enabled, the default authentication method becomes the Microsoft Authenticator app.
Q: What happens when the Microsoft Authenticator app is used as the default authentication method?
When the Microsoft Authenticator app is set as the default authentication method, users receive a push notification that prompts them to approve the sign-in, ensuring a secure MFA process. Microsoft manages this setting to be enabled by default as part of its stronger-authentication-methods strategy, so users won’t see any change to their sign-in experience unless they decide to use a different MFA method or the feature is disabled entirely.
Q: What are the options if users prefer a different MFA method instead of the Microsoft Authenticator app?
If users prefer another method instead of the Microsoft Authenticator app, they can select a different MFA option within the authentication method settings in the Azure portal. Microsoft Graph allows administrators to manage these settings, ensuring the system prompts the user to choose a secure method they have registered. If needed, administrators can even disable the feature for Microsoft MFA and allow users to opt for SMS or other methods supported by the network policy server.
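The two answers above (enforcing the setting from the admin center, and managing it through Microsoft Graph) describe the policy without showing what it looks like. The following is an added example, not code from the original post or from Microsoft: it reads the `systemCredentialPreferences` section of the Graph `authenticationMethodsPolicy` resource (the endpoint path, the `state` values `default`/`enabled`/`disabled`, and the `includeTargets`/`excludeTargets` shape with `all_users` are assumed to match the Graph API as documented; the policy JSON, user id and group ids are constructed) and reports whether system-preferred MFA is in force for a given user, then builds the PATCH body an admin would send to enable it tenant-wide with an exclusion group.

```python
"""Offline check of the Entra system-preferred MFA setting as exposed by Microsoft Graph.

Added example; assumes the Graph resource GET/PATCH /policies/authenticationMethodsPolicy
with a systemCredentialPreferences block ({state, includeTargets, excludeTargets}).
"""
import json

# Constructed sample resembling the systemCredentialPreferences part of the policy.
# A "state" of "default" means Microsoft-managed: Microsoft decides whether it is on.
EXCLUDED_GROUP = "00000000-0000-0000-0000-00000000ffff"  # constructed group id
SAMPLE_POLICY = {
    "id": "authenticationMethodsPolicy",
    "systemCredentialPreferences": {
        "state": "enabled",
        "includeTargets": [{"targetType": "group", "id": "all_users"}],
        "excludeTargets": [{"targetType": "group", "id": EXCLUDED_GROUP}],
    },
}


def _matches(targets, user_id, group_ids):
    """True if any target entry covers this user (directly, via group, or via all_users)."""
    for target in targets:
        target_id = target.get("id")
        target_type = target.get("targetType")
        if target_id == "all_users":
            return True
        if target_type == "user" and target_id == user_id:
            return True
        if target_type == "group" and target_id in group_ids:
            return True
    return False


def system_preferred_mfa_status(policy, user_id, group_ids):
    """Return 'enabled', 'disabled' or 'microsoft-managed' for the given user.

    Exclusions win over inclusions, mirroring how Entra targeting is evaluated.
    """
    prefs = policy.get("systemCredentialPreferences", {})
    state = prefs.get("state", "default")
    if state == "default":
        # Admin has not pinned the value; the effective state follows Microsoft's rollout.
        return "microsoft-managed"
    if state == "disabled":
        return "disabled"
    groups = set(group_ids)
    if _matches(prefs.get("excludeTargets", []), user_id, groups):
        return "disabled"
    if _matches(prefs.get("includeTargets", []), user_id, groups):
        return "enabled"
    return "disabled"


def build_enable_body(exclude_group_ids=()):
    """PATCH body that pins system-preferred MFA to Enabled for all users, minus exclusions."""
    return {
        "systemCredentialPreferences": {
            "state": "enabled",
            "includeTargets": [{"targetType": "group", "id": "all_users"}],
            "excludeTargets": [
                {"targetType": "group", "id": gid} for gid in exclude_group_ids
            ],
        }
    }


def apply_policy(access_token, body, graph_base="https://graph.microsoft.com/v1.0"):
    """Send the PATCH to Graph. Needs a token with Policy.ReadWrite.AuthenticationMethod.

    Not called in the offline demo below; shown so the request shape is visible.
    """
    import urllib.request

    request = urllib.request.Request(
        f"{graph_base}/policies/authenticationMethodsPolicy",
        data=json.dumps(body).encode("utf-8"),
        method="PATCH",
        headers={
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(request) as response:
        return response.status


if __name__ == "__main__":
    # Offline demo only: evaluate two constructed users against the sample policy.
    print("ordinary user:", system_preferred_mfa_status(SAMPLE_POLICY, "user-1", ["group-a"]))
    print("excluded user:", system_preferred_mfa_status(SAMPLE_POLICY, "user-2", [EXCLUDED_GROUP]))
    print(json.dumps(build_enable_body([EXCLUDED_GROUP]), indent=2))
```

The useful check for a defender is the `microsoft-managed` result: a tenant whose policy still reads `"state": "default"` has not pinned the setting, so its effective value changes with Microsoft's rollout stages described earlier rather than with anything the admin did.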
Q: How does the Azure AD system-preferred MFA method impact mobile devices?
When system-preferred MFA is enabled, users with mobile devices and certificate-based authentication benefit from the Microsoft Authenticator app becoming the primary method. This provides a stronger authentication method by relying on secure MFA practices such as push notifications. Microsoft intends the only change users notice to be an improvement in security: a smoother, more secure sign-in experience.