How to Set Up SMS-Based Authentication for Microsoft 365 and Azure Active Directory Users

In a recent post on Petri, I explained how to set up passwordless sign-in using the Microsoft Authenticator app for Microsoft 365 and Azure Active Directory (AD) users. When passwordless sign-in is enabled in Azure AD, instead of entering a password, users can confirm their identity using the Microsoft Authenticator app, a FIDO2 security key, or by SMS message.

In this article, I will show you how to configure passwordless sign-in by SMS. It’s worth remembering that SMS-based authentication is currently in preview and that it shouldn’t be used in production environments until it reaches general availability. There are also some limitations during preview:

  • SMS-based authentication isn’t compatible with Azure Multifactor Authentication.
  • SMS-based authentication isn’t compatible with native Office applications, with the exception of Microsoft Teams.
  • Microsoft doesn’t recommend SMS-based authentication for use with B2B accounts.
  • Federated users only authenticate in the cloud.

For additional information on passwordless sign-in, check out Understanding Windows 10 and Microsoft 365 Passwordless Sign-In on Petri.

Pre-requisites for SMS-based sign-in

Before a user can sign in using SMS, they must be assigned one of the following licenses:

  • Azure AD Premium P1 or P2
  • Microsoft 365 (M365) F1 or F3
  • Enterprise Mobility + Security (EMS) E3 or E5 or Microsoft 365 (M365) E3 or E5

Set up SMS-based sign-in for Azure AD and Microsoft 365 users

The first step you need to perform is to enable SMS-based sign-in for users in your Azure AD tenant.

  • Log in to Azure AD here using a global administrator account.
  • Click Azure Active Directory under Favorites on the left of the portal window.
  • In the Azure AD pane, scroll down the list of options on the left, and click Security under Manage.
How to Set Up SMS-Based Authentication for Microsoft 365 and Azure Active Directory Users (Image Credit: Russell Smith)

 

  • In the Security pane, click Authentication methods below Manage in the list of options on the left.
  • Click Text message in the list of methods.
  • In the Settings pane at the bottom of the portal window, set ENABLE to Yes and TARGET to All users.

Alternatively, you can set TARGET to Select users and enable passwordless sign-in for a group instead of all users in the directory.

  • Once you’re done, click Save.

Registering and enabling a phone number for sign-in

Users must register at least one phone number as an authentication method before they can use SMS-based sign-in. If users already have a phone number registered for use with multifactor authentication, they won’t need to reregister the number to use it with SMS-based sign-in.

If users need to add a phone number as an authentication method, they can do it here on the My Sign-ins page. Users will need to click Security info in the list of options on the left, click + Add method on the Security info screen, and then follow the on-screen instructions. Users can also choose ‘Phone – text’ as the default sign-in method.

Enabling a phone number for sign-in

If a user already had a phone number registered before SMS sign-in was enabled for the tenant, they will need to click the prompt on the My Sign-ins page to enable the number for phone sign-in.

Alternatively, Azure AD admins can add and enable phone numbers for users in the Azure administration portal.
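
The portal steps above (enabling Text message for a selected group, then checking which users have a number enabled for sign-in) can also be scripted. The following is an added example, not part of the original article; it assumes the Microsoft Graph PowerShell SDK is installed and an admin account with consent to the listed scopes, and `$PilotGroupId` is a placeholder for your own group's object ID.

```powershell
# Added example. Placeholder: replace with the object ID of your own pilot group.
$PilotGroupId = '<pilot-group-object-id>'
$Graph = 'https://graph.microsoft.com/v1.0'

Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod',
    'UserAuthenticationMethod.Read.All', 'GroupMember.Read.All', 'User.Read.All'

# Enable the Text message method and allow it for sign-in, targeted at the
# pilot group only (the portal's "Select users" option rather than "All users").
# includeTargets is sent as a whole, so list every group that should stay targeted.
$policy = @{
    '@odata.type'  = '#microsoft.graph.smsAuthenticationMethodConfiguration'
    state          = 'enabled'
    includeTargets = @(
        @{ targetType = 'group'; id = $PilotGroupId; isUsableForSignIn = $true }
    )
}
Invoke-MgGraphRequest -Method PATCH `
    -Uri "$Graph/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/sms" `
    -Body ($policy | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Report, per user in the pilot group, whether a registered phone number is
# enabled for SMS sign-in. 'ready' means the number can be used to sign in;
# other states (for example 'notEnabled') mean the user or an admin still has
# to enable it.
$uri = "$Graph/groups/$PilotGroupId/members/microsoft.graph.user?`$select=id,userPrincipalName"
while ($uri) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    foreach ($user in $page.value) {
        $phones = Invoke-MgGraphRequest -Method GET `
            -Uri "$Graph/users/$($user.id)/authentication/phoneMethods"
        if (-not $phones.value) {
            [pscustomobject]@{ User = $user.userPrincipalName
                               PhoneType = $null; SmsSignInState = 'noPhoneRegistered' }
            continue
        }
        foreach ($p in $phones.value) {
            [pscustomobject]@{ User = $user.userPrincipalName
                               PhoneType = $p.phoneType; SmsSignInState = $p.smsSignInState }
        }
    }
    $uri = $page.'@odata.nextLink'   # follow paging until all members are read
}
```

The `noPhoneRegistered` label is generated by this script for users without any phone method; it is not a value returned by Microsoft Graph.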

Perform an SMS-based sign-in

Finally, let’s sign in using an account that has a registered phone number enabled for sign-in. Note that if multifactor authentication is enabled for the account, the user will not be able to sign in by SMS because text message is not a supported first factor.

  • In a web browser window, log in to a Microsoft 365 app or service using a phone number that is registered and enabled for sign-in. Enter the phone number without the country code and then click Next.
  • If the number has been used before to sign in, you may not be required to enter the country code in the next dialog. Otherwise, in the Sign in dialog, select the country code from the dropdown menu and then click Next.
  • In the Enter code dialog, type the code that you should have received by SMS to the registered phone number, and click Sign in.

And that is it! You should now be signed in to Microsoft 365 or Azure AD.

 

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.