Teams Real Simple with Pictures: Implementing System Preferred MFA

This blog is part of a series on Teams. For more articles, check back often

Written: 30/07/2023 | Updated: N/A

Ok, time is of the essence! There is a ton on, corp wise and community wise. You may have seen on social this week that Teams Nation is coming back. Yes, Vesku and I were asked many, many times, and yes, we decided to get on board that crazy train again. Whilst it may seem an eon away given it’s in February 2024 and a million things will happen between now and then, you’ll have to believe me when I say that I’ll soon be sitting here the weekend prior doing last-minute speaker checks. So this week is a real quick one, and it really follows on from the blogs on Entra that I have covered over the past few weeks.

This one looks at System-preferred MFA in the context of Teams. So what is it? By definition, ‘System-preferred multifactor authentication (SPMFA) prompts users to sign in using the most secure method they registered’. In other words, if you have registered Authenticator and SMS as two methods to sign in using MFA, then SPMFA is going to prioritise the more secure method, which is Authenticator, over SMS. It doesn’t stop the user choosing the other, but it does set precedence when signing into an app such as Teams or into the Microsoft 365 portal.

Why is this important? Two reasons. The first is as described: it sets the most secure sign-in method, and that’s ultimately what we as admins want to see for our users in Teams. The second is that by setting precedence, this could facilitate user behavioural change over time, with a view to removing less secure registered methods in the future. Now this feature should be set to enabled by default in time, but today in my Ring 4 test tenant it’s set to Microsoft Managed. It could be lit up. It may not be. But it’s not enabled. So here’s a twist. Let’s enable the methods for Authenticator and SMS, then enrol the user in MFA, then enable System-preferred MFA as the default. Just for laughs, but also because I have a nice fresh tenant after my old one went into grace 😀

Let’s go.

This blog will cover:

  • Enabling Authenticator and SMS MFA methods
  • Adding Security Info
  • Enabling MFA
  • Enabling System-preferred MFA
  • Logging into Teams
  • FAQ

Note this blog will have abridged steps which will assume some experience with Teams, the Microsoft 365 Admin Centre and Microsoft Entra Admin Centre. All blogs will use the new Teams Desktop Client 2.1+ where possible and applicable.

Prerequisites

  • Global Administrator for setup, or role which permits working with Entra ID
  • Entra ID Free
  • Microsoft Teams for setup and testing

ENABLING AUTHENTICATOR AND SMS MFA METHODS
So that we can illustrate the use case for System-preferred MFA, and because the tenant is new, we first need to go and enable the Authenticator and SMS methods.

1.) Log in to https://login.microsoftonline.com as the admin and then, from the left navigation, select Admin

2.) In the Microsoft 365 admin portal from the left navigation select Identity

3.) In the Microsoft Entra admin portal from the left navigation select Protection then Authentication Methods

4.) Here you will see a list of authentication methods, where only Email OTP is enabled by default. Select Microsoft Authenticator

5.) Swipe Enable to On, choose whether the mode is Passwordless or Push, then select Save. You also have the option here to configure the settings, including showing the application name and geographic location in passwordless notifications. In this example all have been enabled.

6.) Authenticator has now been configured alongside Email OTP. Select SMS

7.) Swipe Enable to On then select Save

Our first stage is complete. We now have three authentication methods ready to go: Email OTP, SMS and Authenticator.

ADDING SECURITY INFO
Now that the authentication methods have been set, let’s pivot to the user end and get them configured prior to switching MFA on.

1.) Log in to https://myaccount.microsoft.com as the user and then, on Security Info, select Update Info

2.) Select Add Sign-in method

3.) Select Email

4.) Select Add

5.) Add a backup email address (not your corp address) and select Add

6.) Enter the code sent to that email address and select Next

7.) This is now added as a sign-in method. Repeat the process for Phone and Authenticator. Phone will text a code to the device to verify the number provided, which should be added and validated in the same way as email. With Authenticator you will be required to download the Authenticator app from the Apple Store or Android Store depending on your device. You then use the Authenticator app to scan the QR code provided. This is also an opportunity for the end user to enable passwordless as opposed to push.

The second stage is now complete. The user is configured with all three sign-in methods (email, phone and Microsoft Authenticator), ready for MFA to be switched on by the admin.

Note that whilst the user can at this point set the default sign-in method (as shown above), they do not need to, because System-preferred MFA will be enabled, and Authenticator, being the strongest method, will become the default and take precedence when the user signs into Teams or another Microsoft 365 app or service.

ENABLING MFA
Authentication methods have been enabled by the admin. The end user has set their sign-in methods. Now it is time for the admin to enable MFA. Of course, this could be done with Conditional Access to enforce MFA; however, for speed in this blog, I will use per-user MFA.

1.) As the admin, in the Microsoft Entra admin portal, select Identity then Users then All Users and finally select Per User MFA.

2.) Select the End User and then Enable

3.) Select Enable multi-factor authentication

The third stage is now complete. The user is now enabled for MFA, so all that is left is to set System-preferred MFA.

ENABLING SYSTEM-PREFERRED MFA
We have finally come down to it. Authentication methods are enabled, end-user sign-in methods are configured, and MFA itself is enabled on the end user. Time for the admin to enable System-preferred MFA.

1.) In the Microsoft Entra admin portal from the left navigation select Protection then Authentication Methods

2.) Select Settings

3.) For System-preferred MFA, set the state to Enabled, choose whether this applies to all users or some users (e.g. groups), and then select Save

Our job is done. We have enabled the authentication methods, configured the user for sign-in, enabled MFA and then enabled System-preferred MFA. Of the three methods we have set, the precedence will be as follows:

  1. Authenticator push notifications
  2. Email OTP
  3. SMS
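As an added example, not code from the blog or from Microsoft, the following Python script ties the two admin stages together (enabling the methods, and enabling System-preferred MFA). It reads an export of the tenant's authentication methods policy, reports which methods are enabled and whether System-preferred MFA is switched on, and then works out, for a set of users' registered sign-in methods, which method the SPMFA prompt would pick using the precedence listed above. The policy JSON and the user registrations are constructed samples; the property names (`authenticationMethodConfigurations`, `systemCredentialPreferences`) and the configuration ids (`MicrosoftAuthenticator`, `Email`, `Sms`) are assumed to match the Graph `authenticationMethodsPolicy` resource, which is where a real export would come from.

```python
"""Audit an Entra ID authentication-methods policy export and per-user
registrations for System-preferred MFA readiness. Added example; not the
blog's or Microsoft's code. The JSON shape is an assumption based on the
Graph authenticationMethodsPolicy resource."""
import json

# Precedence for the three methods the blog enables, strongest first.
# SPMFA prompts with the first registered method in this list that the
# tenant policy still has enabled. Extend from Microsoft's full list
# (FIDO2, Temporary Access Pass, ...) if the tenant uses more methods.
PRECEDENCE = ["authenticatorPush", "emailOtp", "sms"]

# Method -> authenticationMethodConfiguration id in the policy (assumption:
# ids as used under /policies/authenticationMethodsPolicy).
POLICY_ID = {
    "authenticatorPush": "MicrosoftAuthenticator",
    "emailOtp": "Email",
    "sms": "Sms",
}

# Constructed sample of a policy export; values are made up for this example.
SAMPLE_POLICY = json.dumps({
    "systemCredentialPreferences": {
        "state": "enabled",
        "includeTargets": [{"id": "all_users", "targetType": "group"}],
        "excludeTargets": [],
    },
    "authenticationMethodConfigurations": [
        {"id": "Email", "state": "enabled"},
        {"id": "MicrosoftAuthenticator", "state": "enabled"},
        {"id": "Sms", "state": "enabled"},
        {"id": "Fido2", "state": "disabled"},
    ],
})

# Constructed per-user registrations: what each user added under Security Info.
SAMPLE_USERS = {
    "alice@contoso.example": ["emailOtp", "sms", "authenticatorPush"],
    "bob@contoso.example": ["sms", "emailOtp"],
    "carol@contoso.example": ["sms"],
    "dave@contoso.example": [],
}


def enabled_methods(policy):
    """Return the set of policy configuration ids whose state is 'enabled'."""
    return {
        c["id"]
        for c in policy.get("authenticationMethodConfigurations", [])
        if c.get("state") == "enabled"
    }


def spmfa_state(policy):
    """State of System-preferred MFA: 'enabled', 'disabled' or 'default'
    (Microsoft managed). A missing block is treated as 'default'."""
    return policy.get("systemCredentialPreferences", {}).get("state", "default")


def preferred_method(registered, enabled_ids):
    """Strongest registered method that the tenant policy still allows.
    A method the user registered but the admin later disabled is skipped,
    so the prompt falls through to the next one. None if nothing usable."""
    for method in PRECEDENCE:
        if method in registered and POLICY_ID[method] in enabled_ids:
            return method
    return None


def audit(policy_json, users):
    """One report row per user: which method SPMFA would prompt with, and
    whether that is still SMS (the method the blog aims to retire)."""
    policy = json.loads(policy_json)
    enabled_ids = enabled_methods(policy)
    rows = []
    for upn, registered in users.items():
        method = preferred_method(registered, enabled_ids)
        rows.append({
            "user": upn,
            "prompt": method,
            "weakest_only": method == "sms",
            "no_method": method is None,
        })
    return {"spmfa": spmfa_state(policy), "enabled": sorted(enabled_ids), "rows": rows}


if __name__ == "__main__":
    report = audit(SAMPLE_POLICY, SAMPLE_USERS)
    print(f"System-preferred MFA state: {report['spmfa']}")
    print(f"Enabled methods: {', '.join(report['enabled'])}")
    for row in report["rows"]:
        print(row)
```

Users whose `prompt` is still `sms` are the ones whose registrations need to change before SMS can be disabled, which is the behavioural shift the blog is after; users with `no_method` set would be locked out of MFA entirely if the policy were tightened, so they need attention first. Microsoft's own precedence list is longer than the three methods here and is in the document linked in the FAQ below.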

LOGGING INTO TEAMS
Now we can see the fruit of our labours. Let’s log into the new Teams 2.1 client.

MFA is triggered after providing credentials, with Authenticator taking precedence.

This doesn’t remove the options box for the other methods, which leaves the admin free to disable them at a future date and lets the user fall back on those methods should they really need to.

FAQ

Q.) Where can I read more on this subject?
A.) https://learn.microsoft.com/en-gb/azure/active-directory/authentication/concept-system-preferred-multifactor-authentication

Q.) Does Microsoft have a definitive precedence list for authentication methods?
A.) Yes, in the document above

Q.) Will this really change user behaviour?
A.) Many organisations are using Authenticator already, so in the example above, using Authenticator and SMS, this will not have an immediate benefit. However, there are further methods which Entra ID considers more secure than Authenticator push notifications, including Temporary Access Passes and FIDO2 keys, and the point is that the prompt is always for the most secure sign-in method, so if the org is transitioning to FIDO keys, that would be the prompt over push notifications. Where we can, we should always look to sign in with the most secure method; however, we may need the other way for emergencies or exceptional circumstances.
