Prevent users from changing authentication methods and authentication phone number (mfasetup)
We would need the following features:
• The possibility to assign different auth methods based on groups for MFA.
• A way to prevent users from changing the authentication phone number. The IT department should be able to predefine one authentication phone number and the user should not be able to change the number or set up an alternate phone number by himself.
• One way to control the access to MFA setup using Conditional Access Policies.
We need this. Users should not be able to change 2-factor phone number, or use an unapproved phone for MFA.
If the user can change the 2-factor phone number, the whole thing is pointless. A user just needs to access an active session and they can change the number and hijack the account.
Joseph Potenza commented
Looking for an option to lock down users from changing their MFA phone number. This is problematic as it creates a security hole. I would like to have what is in their Azure AD stick related to their authentication number.
Greg Tate commented
I see a workaround using scripts, but this isn't a good solution.