Require Authenticator Option within Combined MFA/SSPR Registration
The new combined MFA/SSPR registration experience is a step forward, but it does not allow configuring a scenario where you want one factor that is Authenticator (push and/or TOTP token) or two factors with at least one of them being Authenticator. Currently, when configuring the supported methods, it does not allow Authenticator when the policy is to require a single method, and when requiring two methods, it requires that two other non-Authenticator options are enabled (e.g. SMS/phone), which means the user can bypass Authenticator.
Thomas T commented
+1, having MFA as an option makes no real sense unless we can enforce that MFA has to be one of the required methods when SSPR is configured with a requirement of 2 methods.
Taufeeq de Villiers commented
Agreed with all above; this has literally stopped the rollout of this feature in my company.