How to Disable the Mandatory Microsoft Authenticator

Microsoft's infrastructure security protocols have developed significantly over time, with multi-factor authentication (MFA) playing a major role.

The Microsoft Authenticator app is increasingly used as a default in Microsoft's security protocols. This adds a layer of security to accounts but also poses a challenge for administrative convenience and flexibility in access control.

This article explains how to disable mandatory Microsoft Authenticator requirements across different Microsoft environments, including Microsoft 365 and Azure Active Directory (now Entra ID), while maintaining control over organisational security.

Why Microsoft Authenticator Becomes Mandatory

Microsoft enforces the Authenticator app primarily through three mechanisms: Security Defaults, Conditional Access Policies, and Authentication Methods Policy. Each of these can require users to register and use the Authenticator app during sign-in.

Security Defaults enable MFA for all users and heavily encourage users to choose Authenticator as the default MFA method. Conditional Access policies provide the option for administrators to enforce MFA for users under particular circumstances, usually favouring app-based MFA. Authentication Methods Policy dictates the methods users are allowed to register for.

If users encounter prompts forcing them to install Microsoft Authenticator, one or more of these configurations is active. Identifying the exact source is essential before attempting to disable it.

Disabling Security Defaults in Microsoft 365

Security Defaults are often the most common reason behind enforced Authenticator usage, especially in smaller organisations or newly created tenants.

To disable Security Defaults, sign in to the Microsoft Entra admin centre. Navigate to “Identity” and then “Properties.” At the bottom of the page, locate the “Manage Security Defaults” option. Once opened, toggle the setting to “No” and save the changes.

Disabling this feature removes the blanket enforcement of MFA across all users. However, it also eliminates a baseline level of protection. Microsoft introduced Security Defaults to protect organisations that lack customised security configurations. Removing it without replacing it with a structured policy can expose accounts to credential-based attacks.

Adjusting Conditional Access Policies

Conditional Access provides granular control, but it can also enforce Microsoft Authenticator as the preferred or required method.

Access the Microsoft Entra admin centre and navigate to “Protection” followed by “Conditional Access.” Review all active policies, particularly those requiring MFA. Open each relevant policy and inspect the “Grant” section. If “Require authentication strength” or “Require multifactor authentication” is enabled, examine the configured authentication strength.

Authentication strength determines which methods are allowed. Some configurations explicitly require phishing-resistant methods such as Microsoft Authenticator or FIDO2 keys. To relax this requirement, either modify the authentication strength to include SMS or email-based verification or remove the MFA requirement entirely.

Disabling or editing these policies ensures that users are no longer forced to use the Authenticator app while still allowing alternative verification methods.

Modifying Authentication Methods Policy

Even after disabling Security Defaults and adjusting Conditional Access, users may still face prompts to register Microsoft Authenticator. This usually stems from the Authentication Methods Policy.

Navigate to “Protection” and select “Authentication methods.” Within this section, review the available methods such as Microsoft Authenticator, SMS, voice calls, and email OTP. Select “Microsoft Authenticator” and disable it if the organisation does not wish to use it.

Ensure that at least one alternative method remains enabled. For instance, SMS-based authentication or hardware tokens can serve as substitutes. Without an available method, users may be locked out of MFA entirely.

Microsoft also allows administrators to define registration campaigns that encourage or enforce Authenticator registration. If such a campaign is active, disable it to prevent recurring prompts.
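
An added example (not from the original article or from Microsoft): a Python triage over policy JSON exported from Microsoft Graph, reporting which of the mechanisms described above is enforcing MFA and which methods would remain if Microsoft Authenticator were disabled. The sample documents are constructed; the field names follow the Graph security defaults, Conditional Access and authentication methods policy resources and should be checked against your own export.

```python
# Constructed samples shaped like Microsoft Graph responses; not real tenant data.
SECURITY_DEFAULTS = {"isEnabled": False}
CA_POLICIES = [
    {"displayName": "Require MFA for admins", "state": "enabled",
     "grantControls": {"builtInControls": ["mfa"], "authenticationStrength": None}},
    {"displayName": "Phishing-resistant pilot", "state": "enabledForReportingButNotEnforced",
     "grantControls": {"builtInControls": [],
                       "authenticationStrength": {"displayName": "Phishing-resistant MFA"}}},
    {"displayName": "Block legacy auth", "state": "enabled",
     "grantControls": {"builtInControls": ["block"], "authenticationStrength": None}},
]
AUTH_METHODS_POLICY = {
    "registrationEnforcement": {"authenticationMethodsRegistrationCampaign": {"state": "enabled"}},
    "authenticationMethodConfigurations": [
        {"id": "MicrosoftAuthenticator", "state": "enabled"},
        {"id": "Sms", "state": "disabled"},
        {"id": "Fido2", "state": "enabled"},
    ],
}


def enforcement_sources(sec_defaults, ca_policies, methods_policy):
    """Return (mechanism, detail) pairs for each setting that can prompt for MFA."""
    found = []
    if sec_defaults.get("isEnabled"):
        found.append(("Security Defaults", "enabled tenant-wide"))
    for p in ca_policies:
        grant = p.get("grantControls") or {}
        strength = grant.get("authenticationStrength")
        needs_mfa = "mfa" in (grant.get("builtInControls") or []) or bool(strength)
        if needs_mfa and p.get("state") == "enabled":  # report-only policies do not enforce
            detail = strength["displayName"] if strength else "any MFA method"
            found.append(("Conditional Access", f'{p["displayName"]}: {detail}'))
    campaign = (methods_policy.get("registrationEnforcement") or {}).get(
        "authenticationMethodsRegistrationCampaign") or {}
    if campaign.get("state") in ("enabled", "default"):  # "default" = Microsoft-managed
        found.append(("Registration campaign", campaign["state"]))
    return found


def remaining_methods(methods_policy, disable="MicrosoftAuthenticator"):
    """Methods still enabled if `disable` were turned off; an empty list is a lockout risk."""
    return sorted(m["id"] for m in methods_policy.get("authenticationMethodConfigurations", [])
                  if m.get("state") == "enabled" and m.get("id") != disable)


if __name__ == "__main__":
    print(enforcement_sources(SECURITY_DEFAULTS, CA_POLICIES, AUTH_METHODS_POLICY))
    print("Left without Authenticator:", remaining_methods(AUTH_METHODS_POLICY))
```

Run it before changing anything in the portal: an empty result from remaining_methods means disabling Authenticator would leave users with no registrable method.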

Removing Per-User MFA Settings

Legacy MFA settings configured on a per-user basis can also enforce Authenticator registration. These settings often exist in older tenants or migrated environments.

Open the Microsoft 365 admin centre and navigate to “Users,” then “Active users.” Select “Multi-factor authentication” from the top menu. This opens a legacy portal where individual users may have MFA enabled.

If MFA is set to “Enabled” or “Enforced,” users will be required to complete MFA registration, often with Authenticator as the default option. Change the status to “Disabled” for users who should not be subject to MFA requirements.

This method should be used carefully, as it removes MFA protection entirely for those users.

Managing Combined Registration Experience

Microsoft uses a combined security information registration process that pushes users towards the Authenticator app during setup. Even when multiple methods are available, the interface often prioritises app-based authentication.

To modify this, go to the “Authentication methods” section and locate “Registration campaign.” Disable any enforced campaign targeting users. Then, review the “User registration details” settings to ensure that alternative methods, such as phone numbers, are sufficient for MFA setup.

Providing clear instructions to users about selecting alternative methods during registration can also reduce reliance on the Authenticator app.

Considering Alternative Authentication Methods

Disabling Microsoft Authenticator does not mean eliminating MFA entirely. Organisations can adopt alternative methods that align better with their operational needs.

SMS-based authentication remains widely used, although it offers lower security compared to app-based verification. Voice call verification provides a similar level of protection. Hardware tokens, including OATH tokens or FIDO2 security keys, offer stronger security without requiring mobile applications.

Each method carries trade-offs between usability and security. For instance, SMS-based MFA can be vulnerable to SIM swap attacks, whereas hardware keys require additional investment and management.

Security Implications and Best Practices

Removing mandatory Microsoft Authenticator requirements should never occur in isolation. MFA significantly reduces the risk of account compromise, with studies showing that it can block over 99.9% of automated attacks.

Administrators should replace enforced Authenticator usage with a balanced authentication strategy. Conditional Access policies can still require MFA while allowing multiple verification methods. Risk-based policies can prompt MFA only when suspicious activity occurs, reducing friction for legitimate users.

Regular audits of authentication settings ensure that no unintended enforcement remains active. Monitoring sign-in logs can also reveal whether users rely on weaker methods and whether adjustments are necessary.

Common Issues and Troubleshooting

Users may continue receiving prompts for Microsoft Authenticator even after changes. This often results from cached sessions or incomplete policy updates. Signing out of all sessions and clearing browser data can resolve such issues.

Propagation delays in Microsoft Entra can also cause temporary inconsistencies. Changes to policies may take several minutes to apply across all services.

If users remain blocked, reviewing sign-in logs within the Entra admin centre provides clarity. These logs identify which policy or setting triggered the authentication requirement, allowing targeted adjustments.
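
An added example (not from the original article): a Python pass over sign-in log records that counts which Conditional Access policy enforced MFA and lists users who completed sign-in with a weaker second factor. The records and the method labels in WEAK_METHODS are constructed assumptions; the field names follow the Microsoft Graph signIn resource.

```python
from collections import Counter

# Constructed sign-in records; field names follow the Microsoft Graph signIn resource.
SIGN_INS = [
    {"userPrincipalName": "alice@example.com",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA for admins", "result": "success",
          "enforcedGrantControls": ["Mfa"]},
         {"displayName": "Block legacy auth", "result": "notApplied",
          "enforcedGrantControls": []}],
     "authenticationDetails": [
         {"authenticationMethod": "Password", "succeeded": True},
         {"authenticationMethod": "Text message", "succeeded": True}]},
    {"userPrincipalName": "bob@example.com",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA for admins", "result": "failure",
          "enforcedGrantControls": ["Mfa"]}],
     "authenticationDetails": [
         {"authenticationMethod": "Password", "succeeded": True},
         {"authenticationMethod": "Mobile app notification", "succeeded": False}]},
]
# Assumption: method labels as they appear in your export; adjust to match it.
WEAK_METHODS = {"text message", "phone call"}


def policies_enforcing_mfa(sign_ins):
    """Count sign-ins per Conditional Access policy that applied and enforced MFA."""
    hits = Counter()
    for s in sign_ins:
        for p in s.get("appliedConditionalAccessPolicies", []):
            controls = {c.lower() for c in p.get("enforcedGrantControls", [])}
            if p.get("result") in ("success", "failure") and "mfa" in controls:
                hits[p["displayName"]] += 1
    return hits


def users_on_weak_methods(sign_ins, weak=WEAK_METHODS):
    """Map each user to the weaker second factors they completed successfully."""
    found = {}
    for s in sign_ins:
        for d in s.get("authenticationDetails", []):
            method = d.get("authenticationMethod", "")
            if d.get("succeeded") and method.lower() in weak:
                found.setdefault(s["userPrincipalName"], set()).add(method)
    return found
```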

Conclusion

Disabling mandatory Microsoft Authenticator requires a structured approach that addresses multiple layers of Microsoft’s security framework. Security Defaults, Conditional Access, Authentication Methods Policy, and legacy MFA settings all play a role in enforcing app-based authentication. Administrators must identify and adjust each component carefully to remove the requirement without weakening overall security. A well-designed authentication strategy that includes alternative MFA methods ensures both flexibility and protection, allowing organisations to maintain secure access while accommodating diverse user needs.

Raj Maurya

Raj Maurya is the founder of Digital Gyan. He is a technical content writer on Fiverr and freelancer.com. When not working, he plays Valorant.
