I wish I had seen this two weeks ago. As of Friday, I know far more about MFA on Azure and Exchange than I ever wanted to. My wife had exactly the same problem described in the article, yet I did not, despite the two accounts being set up on the same domain at pretty much the same time.

After going round loops of enter user name, enter password, your account needs more verification, use Authenticator, can’t use Authenticator use an alternative, enter the code from Authenticator, … I finally got the answer you found.

Here’s a question, though, how can MFA be set to use Authenticator when the account has never been set up on Authenticator? Never got an answer to that (and hopefully now I don’t need to).

If only you’d published this a week ago I would have a few less gray hairs at the moment. My client had been hosting his Website with GoDaddy for many years and they used their own internal email system, up until recently when some genius decided that they didn’t want to mess with it anymore and compelled him to go to Office 365 for his domain email. And on top of that it “backfed” through his Gmail account with his unique business name and email address. After a total of about 8 hours and multiple GoDaddy tech support sessions I finally managed to educate myself just enough to pull the irons out of the fire so he could once again start sending & receiving his company email via Gmail and through his GoDaddy domain name. What a bloody nightmare in the meantime though! I literally had to self-educate myself gleaning what little hints I could manage along the way from the GoDaddy tech support people, who themselves did not even have a firm grasp about how to fix the problem. It was 1 of the most frustrating experiences I’ve ever had, made more maddening by the fact that this guy’s email had always worked flawlessly in the past, when GoDaddy handled the email administration and didn’t try to pawn it off to Microsoft to take over the chores. What a gigantic pain-in-the-neck! What goofball comes up with these things, anyway?

Great article will save it for future use.

My love for microsoft’s antics grows thinner by the day

Will, Consider learning how to reduce the number of prompts while maintaining MFA. You can get them down to near zero for people that are rather stationary. For those that are more mobile, every couple of weeks. Even with multiple accounts in multiple domains. No one loves MFA more than they love their password but in todays world there’s no security without it.

Great article! Thanks for the clear explanation of how to find this. I’ve been wrestling with this myself but had not yet found the answer. Now I have it! And I, too, would like to know how Authenticator gets involved.

“multi-factor authentication…can be extremely annoying for frequently used systems and services, such as email.”

Yes, using multi-factor authentication (MFA/2FA), can be a major pain!

However, for any email account that can be accessed from the web, I don’t see any other secure choice, than to use MFA. The reason for this, is most web passwords can be reset using your email account!! Once your email account is breached, most associated web accounts can have their passwords reset.

However, there are workarounds to keep web based mail secure and avoid frequent MFA prompts. One technique sometimes supported is “device remembered”. You only have to handle the MFA prompt once and subsequently, that device is remembered. This works securely when the device itself is secured through other means.

Will. A couple of things:

1. I do not do consulting work anymore for any client that refuses to do MFA. It’s a condition of my work. Why? I could be liable as a consultant. It’s easier to say, “Your bank makes you do it, and so do I. It’s your data but my liability.” See more on this at the bottom of this thread below.
2. Your issues with the Microsoft personal account being different MFA settings are valid, but to be clear, there is a very clear screen in the Microsoft Consumer account settings. It seems to me, as a home admin as well, to be quite easy to use.
   1. 
3. In the business admin settings I don’t see what you see in User admin settings. This is the Admin screen as it looks to me. MFA is SECOND in the listing.

Screen 1

Also, I do not have to use MFA to log into outlook every time I use it. It remembers the credentials. I only do it the first time. BUT the Admin can make the MFA credentials need revalidation on the timeframe of their choice. Look at the AD admin panel for that.

Next: Here is the next screen I see, cut down to the key elements: enforced or not and managing settings.

Screen 2

and you then have these choices:

Screen 3

This is what you can do from the USER ADMIN screens.

If I login into Azure AD  User settings I see these options.

This takes you to the same (?) page you would get into in the second screen above.

If I Don’t go to that screen I can click on any user and get their Profile Page (too complex to show here).

But: down that screen is a choice on Authentication Methods

And once there, you can have the user re-register. You don’t have to wade through all this to re-register, just login as admin, go to the Azure AD admin panel, go to users and change these settings to re-register the person. You can also turn MFA on and off there. Not that hard for an admin.

As to your Security Defaults issue. Here’s MSFT official docs. I agree that your client might not want to do MFA, but remind them of the following from below:

More than 99.9% of these identity-related attacks are stopped by using multi-factor authentication (MFA) and blocking legacy authentication.

Microsoft is making security defaults available to everyone, because managing security can be difficult. Identity-related attacks like password spray, replay, and phishing are common in today’s environment. More than 99.9% of these identity-related attacks are stopped by using multi-factor authentication (MFA) and blocking legacy authentication. The goal is to ensure that all organizations have at least a basic level of security enabled at no extra cost.

Security defaults make it easier to help protect your organization from these identity-related attacks with preconfigured security settings:

• Requiring all users to register for Azure AD Multi-Factor Authentication.
• Requiring administrators to do multi-factor authentication.
• Requiring users to do multi-factor authentication when necessary.
• Blocking legacy authentication protocols.
• Protecting privileged activities like access to the Azure portal.

Now I can explain this rats nest to my fellow board members..

Knut (Norway)
Part time admin for 10 users EOP now Plan 3 (until next plan…)

I don’t like Multi Factor Authentication for any of my accounts.  My preference is to have a different User ID for every account and a unique password for each account.  If no one knows my User ID, they don’t know what account to attempt to access.  I consider this to be my own form of MFA. What interferes with this approach is too many accounts force me to use my email address as my User ID.  I interpret this as laziness on the part of whoever designed the access to that account.  The email address should simply be stored in the database for the account and not used as the User ID, because the email address, by necessity, is known publicly.  None of my financial accounts use my email address as the User ID.

anonymous wrote:

force me to use my email address as my User ID

That with high probability has been harvested already.

MFA is a mutha on it’s own. But for them to bury it so deep in the settings… come ON!

Hopefully they’ll improve the interface. (OK, stop laughing, but really.)

What I’d worry about is that  ‘enable security defaults.’ Who knows what other customizations you’ve made – intentionally or otherwise, and that sounds like you’re resetting to the original. Scary.

I’m behind in my newsletters. Please forgive the necro, but I felt i had to chime in regarding this article.

I completely agree that MS handles M365 MFA incredibly poorly in many ways. Maybe in every way. I strongly encourage 3rd party MFA providers like Duo or Okta. Tho these are elephants of their own, they offer incredible granularity in how and when MFA prompts are presented and received.

For example, AzureAD MFA does not allow disabling authentication methods for some users but not others. For example, it’s not currently possible to restrict phone-based auth methods (SMS/call) to an individual or group- it’s all or nothing. Since SMS is widely understood as no longer an acceptable form of MFA, this means turning it off has an impact on users that do not have smart phones. Who doesn’t have a smart phone in 2022, one might ask? While only a small % of our corporate staff don’t, that goes way up for our manufacturing and warehousing sites.

And the conditional access controls of AzureAD MFA are rather limited, too, but at least they exist.

Finally, to the point of my post-

MFA is no longer optional for businesses (i’d argue the same for personal, too). It should be considered absolutely mandatory for all businesses. Once user onboarding is behind you, well-crafted MFA policies will be invisible to most employees most of the time.

Is it simple to implement for smaller orgs? No, but the capability exists. And providing some personal user onboarding assistance may be required. Even basic MFA polices don’t have to be invasive- you can determine how frequently to be prompted and how long the authentication token lasts (similar to a cookie).

I believe Duo MFA is free for up to 10 users (with limitations). And Azure AD MFA and paid Duo and Okta subscriptions, you have conditional access policies to ease MFA for more predictable, generally safer login circumstances while scrutinizing logins considered riskier.

• Work from the same corporate site every day?
  • Prompted for MFA once a week (or 2, or 4!)
• Work from home every day?
  • Prompted once every 24 hours
• Work from random remote sites?
  • Are you in an area (country/state/region) where your org has a footprint? Prompted every 24 hours
  • Are you traveling abroad, say to a customer’s site, for which your org does not have a footprint? Prompted with every login.
• Have users without smart phones?
  • Enable phone call and email authentication methods
• Restrict logins to or from certain areas.
  • Only have on-site employees that never work off-site? Restrict logins to site IP addresses.
  • Worried about phishing attacks or other malicious login attempts from Russia, Iran, or China? Block entire countries or regions by geolocation.

And how does the prompt work? A simple “was this you? tap Yes to confirm” mobile notification. 1-2 taps max, most of the time. Barely an inconvenience. If an 80 year old CEO of a manufacturing company, openly hostile to technology, can do it without any issues or complaints, IMO so can everyone else.

Oh and by the way- good look renewing your cybersecurity insurance policy without MFA! Exactly 100% of underwriters require MFA . Not having it is called a non-starter!

Personally, i think it’s ethically wrong to provide IT services to an organization without requiring them to use MFA for at least their email platform, and wouldn’t accept a client that was so opposed to it. I know the author’s circumstance isn’t necessarily that straight-forward since it was an accident. You certainly want to plan this sort of thing and receive buy-in from the person signing your checks or invoices. I would, though, make it a condition for me to continue providing them with IT services.