355 votes · 28 comments · Azure Active Directory » Multi-factor Authentication
For requiring additional factors with Windows Hello for Business, please see https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock
For why PIN is better than a password, please see https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password
For Authenticator app sign in to Azure AD, please see https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-phone-sign-in
As always, other feedback is welcome.
We are looking to add additional MFA options for Azure AD B2C in the next few months. As part of the investigation, we want to learn more about your requirements. Email your feedback to email@example.com.
When you say “support for Microsoft Authenticator”, which feature are you referring to?
1. The ability to see the codes in the authenticator app
2. The ability to receive push notifications for MFA
If both, which do you prefer more?
Again, please email your feedback to firstname.lastname@example.org. Feel free to include more details about your scenarios/requirements!
especially with custom policies
really need this
This feature is in public preview now. https://docs.microsoft.com/en-us/graph/api/resources/trustframeworkpolicy?view=graph-rest-beta
We are working on managing policy keys programmatically.
We have restarted work on this feature. However, we don’t have a date for public preview yet.
838 votes · 176 comments · Azure Active Directory » Multi-factor Authentication
This feature is now on the roadmap. The MFA team is planning to adjust admin roles or create a new role that will allow delegation of MFA registration and credentials to an admin role.
You can script this without the invitation.
We’re continuing to investigate options for adding this support. There are technical challenges to overcome in order to make this happen. We thank you for all your valuable comments so far, and welcome any additional feedback you have on what are the most important use cases involved with these scenarios.
We are working to enable this feature. We should have another update by Dec 2018.
58 votes · 9 comments · Azure Active Directory » Multi-factor Authentication
There is planned work to address this scenario. We don’t feel that backup codes provide a good security option as they’re often misplaced. Also, it’s hard to have users print them out and have them when they’re needed. Instead, we are looking at a time-limited passcode that could be generated either by the user (just in time when it’s needed) or by an admin (for example a helpdesk agent). The organization admin would have control over when a user could generate these codes. The code can be used for a limited time, then it will no longer be valid.
Note – for areas with limited cellphone connectivity (or roaming charges), the code generated in the authenticator app will allow MFA login. The time-limited passcode is meant to stand in if the user temporarily forgot/lost their phone.
Or just allow support to enable a one-time bypass.
This is currently possible. Could you please elaborate more on what you’re looking to achieve?
If you mark a user as a User Administrator, you can control all fields for the users in the directory.