There should be an option to disable Office Phone as a verification option
On the MFA settings portal, there is no way to separate office phone from cell phone when choosing the verification options that will be presented to users. The only option is "Phone call". However, when users go into the verification options on their user profile, they can choose to do MFA via "Office phone" or "Mobile phone".
There needs to be a way to disable Office Phone as an option so that users cannot select it. It is not secure as a verification option.
I agree also. This is causing a lot of support tickets because the data being sent doesn't include a country code and the user can't change it.
Michael Ward commented
Absolutely agree. Seems odd to have a second-factor auth that someone physically in the office would have easy access to.
I agree. You should be able to disable office phone for multiple reasons.
1. We are using MFA for external logins so why would we want a call to go to their office phone that they don't have access to?
2. Most of our users don't have an office phone so it just adds confusion.
3. The format required to actually get the office phone to work when syncing from AD is completely different from the other phone fields in AD. It says it requires a country code if not formatted correctly, further confusing users. There are also no instructions as to the required format to make it work if we wanted to.
4. As Rich stated, it's insecure because any number of people could answer the office phone and confirm the request.