How to Set Up SMS-Based Authentication for Microsoft 365 and Azure Active Directory Users
In a recent post on Petri, I explained how to set up passwordless sign-in using the Microsoft Authenticator app for Microsoft 365 and Azure Active Directory (AD) users. When passwordless sign-in is enabled in Azure AD, instead of entering a password, users can confirm their identity using the Microsoft Authenticator app, a FIDO2 security key, or by SMS message.
In this article, I will show you how to configure passwordless sign-in by SMS. It’s worth remembering that SMS-based authentication is currently in preview and that it shouldn’t be used in production environments until it reaches general availability. There are also some limitations during preview:
- SMS-based authentication isn’t compatible with Azure Multifactor Authentication.
- SMS-based authentication isn’t compatible with native Office applications, with the exception of Microsoft Teams.
- Microsoft doesn’t recommend SMS-based authentication for use with B2B accounts.
- Federated users only authenticate in the cloud.
For additional information on passwordless sign-in, check out Understanding Windows 10 and Microsoft 365 Passwordless Sign-In on Petri.
Pre-requisites for SMS-based sign-in
Before a user can sign in using SMS, they must be assigned one of the following licenses:
- Azure AD Premium P1 or P2
- Microsoft 365 (M365) F1 or F3
- Enterprise Mobility + Security (EMS) E3 or E5 or Microsoft 365 (M365) E3 or E5
Set up SMS-based sign-in for Azure AD and Microsoft 365 users
The first step you need to perform is to enable SMS-based sign-in for users in your Azure AD tenant.
- Log in to the Azure AD portal using a global administrator account.
- Click Azure Active Directory under Favorites on the left of the portal window.
- In the Azure AD pane, scroll down the list of options on the left, and click Security under Manage.
- In the Security pane, click Authentication methods below Manage in the list of options on the left.
- Click Text message in the list of methods.
- In the Settings pane at the bottom of the portal window, set ENABLE to Yes and TARGET to All users.
Alternatively, you can set TARGET to Select users and enable passwordless sign-in for a group instead of all users in the directory.
- Once you’re done, click Save.
Registering and enabling a phone number for sign-in
Users must register at least one phone number as an authentication method before they can use SMS-based sign-in. If users already have a phone number registered for use with multifactor authentication, they won’t need to reregister the number to use it with SMS-based sign-in.
If users need to add a phone number as an authentication method, they can do it on the My Sign-ins page. Users will need to click Security info in the list of options on the left, click + Add method on the Security info screen, and then follow the on-screen instructions. Users can also choose ‘Phone – text’ as the default sign-in method.
Enabling a phone number for sign-in
If a user already had a phone number registered before SMS sign-in was enabled for the tenant, they will need to click the prompt on the My Sign-ins page to enable the number for phone sign-in.
Alternatively, Azure AD admins can add and enable phone numbers for users in the Azure administration portal.
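For admins who would rather script the tenant-side steps above (enabling the Text message method for a group, then registering and enabling a user's number) than click through the portal, here is an added Microsoft Graph PowerShell example. It is not from the original article; the group name, the user principal name and the phone number are placeholders, and the account running it needs the listed Graph permissions.

```powershell
# Added example (not from the article): the portal steps done with the Microsoft.Graph module.
# Placeholders: a group named 'SMS Sign-in Pilot' and the user user@contoso.example.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod",
                        "UserAuthenticationMethod.ReadWrite.All",
                        "Group.Read.All"

# 1. Enable the Text message (SMS) method, targeting a pilot group rather than All users.
$group = Get-MgGroup -Filter "displayName eq 'SMS Sign-in Pilot'"
$smsPolicy = @{
    "@odata.type"  = "#microsoft.graph.smsAuthenticationMethodConfiguration"
    state          = "enabled"
    includeTargets = @(
        @{
            targetType             = "group"
            id                     = $group.Id
            isRegistrationRequired = $false
        }
    )
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "Sms" -BodyParameter $smsPolicy

# 2. Register a mobile number for the user (admin-side equivalent of Security info > Add method).
#    Graph expects the number as "+<country code> <number>".
$upn   = "user@contoso.example"
$phone = New-MgUserAuthenticationPhoneMethod -UserId $upn `
             -PhoneType "mobile" -PhoneNumber "+1 4255550100"

# 3. Enable that number for SMS sign-in (what the prompt on My Sign-ins does for the user).
Enable-MgUserAuthenticationPhoneMethodSmsSignIn -UserId $upn `
    -PhoneAuthenticationMethodId $phone.Id

# 4. Verify: SmsSignInState should read 'ready'. Anything else ('notAllowedByPolicy',
#    'notEnabled', 'phoneNumberNotUnique') tells you which step above did not take effect.
Get-MgUserAuthenticationPhoneMethod -UserId $upn |
    Select-Object PhoneType, PhoneNumber, SmsSignInState
```

Step 4 is worth running for any user who reports that sign-in by text is not offered, since the state value distinguishes a policy problem from a registration problem.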
Perform an SMS-based sign-in
Finally, let’s sign in using an account that has a registered phone number enabled for sign-in. Note that if multifactor authentication is enabled for the account, the user will not be able to sign in by SMS because text message is not a supported first factor.
- In a web browser window, log in to a Microsoft 365 app or service using a phone number that is registered and enabled for sign-in. Enter the phone number without the country code and then click Next.
- If the number has been used before to sign in, you may not be required to enter the country code in the next dialog. Otherwise, in the Sign in dialog, select the country code from the dropdown menu and then click Next.
- In the Enter code dialog, type the code that you should have received by SMS to the registered phone number, and click Sign in.
And that is it! You should now be signed in to Microsoft 365 or Azure AD.