System-preferred multifactor authentication (MFA) prompts users to sign in by using the most secure method they registered. It's an important security enhancement for users who authenticate by using telecom transports. Administrators can enable system-preferred MFA to improve sign-in security and discourage less secure sign-in methods like Short Message Service (SMS).
For example, if a user registered both SMS and Microsoft Authenticator push notifications as methods for MFA, system-preferred MFA prompts the user to sign in by using the more secure push notification method. The user can still choose to sign in by using another method, but they're first prompted to try the most secure method they registered.
System-preferred MFA is a Microsoft managed setting, which is a tristate policy. The Microsoft managed value of system-preferred MFA is Enabled. If you don't want to enable system-preferred MFA, change the state from Microsoft managed to Disabled, or exclude users and groups from the policy.
After system-preferred MFA is enabled, the authentication system does all the work. Users don't need to set any authentication method as their default because the system always determines and presents the most secure method they registered.
Enable system-preferred MFA in the Microsoft Entra admin center
By default, system-preferred MFA is Microsoft managed and enabled for all users.
Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.
Browse to Entra ID > Authentication methods > Settings.
For System-preferred multifactor authentication, choose whether to explicitly enable or disable the feature, and include or exclude any users. Excluded groups take precedence over included groups.
For example, the following screenshot shows how to make system-preferred MFA explicitly enabled for only the Engineering group.
After you finish making any changes, click Save.
FAQ
How does system-preferred MFA determine the most secure method?
When a user signs in, the authentication process checks which authentication methods are registered for the user. The user is prompted to sign in with the most secure method according to the following order. The order of authentication methods is dynamic. It's updated as the security landscape changes, and as better authentication methods emerge. Click the link for more information about each method.
- Temporary Access Pass
- Passkey (FIDO2)
- External authentication methods
- Microsoft Authenticator notifications
- Telephony¹

¹ Includes SMS and voice calls.
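The selection logic described in this FAQ, modelled as an added example (not Microsoft's code): the tristate policy with include/exclude targeting, where exclusion wins, followed by picking the highest-ranked registered method. The ranking list is a snapshot of the order above; the `None`-means-all-users representation and the fallback to the user's own default method outside the policy are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Snapshot of the page's ranking, most secure first. The real order is
# dynamic, so treat this list as illustrative, not authoritative.
METHOD_RANKING = [
    "Temporary Access Pass",
    "Passkey (FIDO2)",
    "External authentication methods",
    "Microsoft Authenticator notifications",
    "Telephony",
]
# SMS and voice calls both fall into the Telephony tier.
TELEPHONY_METHODS = {"SMS", "Voice call"}


def security_rank(method: str) -> int:
    """Lower is more secure. Unknown methods are rejected rather than guessed."""
    tier = "Telephony" if method in TELEPHONY_METHODS else method
    if tier not in METHOD_RANKING:
        raise ValueError(f"unranked authentication method: {method}")
    return METHOD_RANKING.index(tier)


@dataclass
class SystemPreferredPolicy:
    # Tristate: "Microsoft managed" (currently resolves to Enabled), "Enabled", "Disabled".
    state: str = "Microsoft managed"
    # None means the policy targets all users (assumed representation).
    include_groups: Optional[set] = None
    exclude_groups: set = field(default_factory=set)

    def applies_to(self, user_groups: set) -> bool:
        if self.state == "Disabled":
            return False
        if self.exclude_groups & user_groups:  # exclusion wins over inclusion
            return False
        if self.include_groups is not None and not (self.include_groups & user_groups):
            return False
        return True


def prompt_method(policy: SystemPreferredPolicy, user_groups: set,
                  registered: set, user_default: str) -> str:
    """Pick the first method the user is prompted with at sign-in."""
    if policy.applies_to(user_groups) and registered:
        # sorted() makes ties (for example SMS and voice call) deterministic
        return min(sorted(registered), key=security_rank)
    # Outside the policy the user's own default method is used (assumed behaviour).
    return user_default
```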
How does system-preferred MFA affect the NPS extension?
System-preferred MFA doesn't affect users who sign in by using the Network Policy Server (NPS) extension. Those users don't see any change to their sign-in experience.
What happens for users who aren't specified in the Authentication methods policy but enabled in the legacy MFA tenant-wide policy?
System-preferred MFA also applies to users who are enabled for MFA in the legacy MFA policy.