M365 Changelog: (Updated) System preferred MFA method is Generally Available

MC565271 – Updated June 30, 2023: Microsoft has updated the rollout timeline below. Thank you for your patience.

In today’s landscape, organizations and users utilize various authentication methods with varying levels of security. Unfortunately, users often select less secure MFA methods, even when more secure options are available. This may be due to convenience, lack of awareness, or technical limitations.

To encourage the use of the strongest available method, Microsoft is introducing system-preferred authentication for MFA. This system prompts users to sign in with the most secure method they’ve registered and the one that’s enabled by admin policy. This transition from choosing a default method to always using the most secure method will promote better security practices. If users can’t use the prompted method, they can choose an alternative MFA method.

When this will happen:

Microsoft will begin rolling out in early July (previously late June) and expect to complete by early August (previously late July).

How this will affect your organization:

Microsoft managed will be rolled out as enabled. Admins will have the control to disable the feature.

Admins can enable the feature via the admin UX in the Azure Portal or GraphAPI. For example, if a user named “John Doe” registered both SMS and Microsoft Authenticator and used SMS as the default option to sign in, the system-preferred method (Authenticator) will be presented to the user once the feature is enabled.

Microsoft launched this with Microsoft-managed set to disabled. As mentioned above, Microsoft will be setting “Microsoft-managed” to enabled from the end of June 2023. While Microsoft highly encourage you to adopt this feature for your entire tenant, should you need to you can either scope the feature for a segment of your user population or disable it if necessary. The feature will ultimately be set to Microsoft-managed (enabled) for all tenants, with no option to disable it.

To ensure adequate preparation time, detailed timelines will be shared by June. Deploying this feature with the rollout controls is highly encouraged to enhance security and ensure users always use the most secure authentication method first. The feature is now available from your tenant.

What you need to do to prepare:

Microsoft strongly recommend that tenants enable the feature.

Help and support