DUO Entra CA Policy - Recent Microsoft Authenticator Behavior

Mobiusstrip
Level 1

We have a conditional access (CA) policy configured in Entra for MFA. Cisco DUO is set up as an external authentication method (EAM). All of the other authentication method policies are disabled in Entra.

We started adding users to the CA policy in early fall. Initially, the user experience was similar to the previous SMIL DUO setup we had been using but with an extra Cisco DUO verification screen. 

Sometime in the last month or so, something changed. Now when the user is initially added to the CA policy and they get their first MFA, an Install Microsoft Authenticator dialog pops up rather than defaulting to DUO. The user has to go through five dialogs, choosing the correct (non-default) option on each just to get to a dialog that allows them to choose Cisco DUO.

Nothing changed in our CA policy. There is no overlap with another MFA CA. Even if there was an overlapping CA, the MS Authenticator method has been disabled. We also don't have MFA configured at the individual user level.

It seems as though something changed with MS where Authenticator is being pushed as the default choice, even though it is not set up anywhere in Entra as an option.

Besides making the initial user experience more complicated, it is actually allowing users to choose an option other than DUO. 

Is anyone else experiencing anything like this?

1 Accepted Solution

Accepted Solutions

I think this might be related to the global rollout of the Authentication Methods Migration that Microsoft are doing.
https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-authentication-methods-manage

You can see if Microsoft has migrated your tenancy here:

PhilipDAth_0-1768159104036.png

Yes, we add the mobile phone number as an authentication method in Entra (select a user, and then under Authentication Methods).


7 Replies

Philip D'Ath
VIP Alumni

This is likely due to the Entra registration campaign policy. This is used to enrol users in Microsoft Authenticator.

Go to https://entra.microsoft.com, then "Authentication Methods", then "Registration Campaign". Most companies would probably just disable it. At a minimum, you want to exclude all Duo users.

This is a screenshot of our setup. We have it enabled for our break-glass style accounts (so we can get in if something goes wrong with Duo), but exclude all other users from it. Actually, upon reflection, because this is only used for enrollment, we could probably disable it too.


In the Duo docs:
https://duo.com/docs/azure-ca
Search for "campaign", and you'll see the steps listed to disable it (as discussed above).

PhilipDAth_0-1767900324036.png


Thanks for the response. However, I had checked that and it is already disabled.

Mobiusstrip_3-1767909106767.png


Philip D'Ath
VIP Alumni

I just remembered! I have had this problem before!

When using EAM you must have at least one other Authentication method registered for the user (in Entra). If you define nothing, it enrols the user in Microsoft Authenticator. This requirement is being removed in the future (according to Microsoft), but it exists today.

What we did was add the user's mobile phone number in the Entra portal as an Authentication method to prevent Microsoft Authenticator enrollment. We don't allow the mobile number to be used - but it needs to be added.

Philip D'Ath
VIP Alumni

Also, once you have added a mobile phone as a user's authentication method, you'll want to remove Microsoft Authenticator as an authentication method. This is because "Microsoft Authenticator" is considered strong authentication, and it will keep prompting the user to use it.
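The two replies above describe a precondition (a user with no registered method other than their password gets pushed into Microsoft Authenticator enrollment) and a workaround (register a mobile number). The following is an added example, not code from the thread or from Cisco/Microsoft, that audits a CA group for users in that state using the Microsoft Graph PowerShell SDK; the group object id and the phone number are placeholders, and the `Get-Mg*`/`New-Mg*` cmdlets are the SDK's own.

```powershell
# Added example: find members of the CA-policy group whose only registered
# authentication method is their password, i.e. the state that triggers
# Microsoft Authenticator enrollment when the EAM policy is evaluated.
# Requires the Microsoft.Graph PowerShell SDK and an admin account with the scopes below.
Connect-MgGraph -Scopes "User.Read.All", "GroupMember.Read.All", "UserAuthenticationMethod.ReadWrite.All"

$GroupId = "<object-id-of-the-CA-policy-group>"   # placeholder, replace with your group's id

function Get-UsersMissingSecondMethod {
    param([Parameter(Mandatory)][string]$GroupId)

    # Group members come back as directory objects; keep only user objects.
    $members = Get-MgGroupMember -GroupId $GroupId -All
    foreach ($m in $members) {
        if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

        # Each registered method carries its type in @odata.type
        # (e.g. ...passwordAuthenticationMethod, ...phoneAuthenticationMethod).
        $types = Get-MgUserAuthenticationMethod -UserId $m.Id |
            ForEach-Object { $_.AdditionalProperties['@odata.type'] }

        $nonPassword = $types | Where-Object { $_ -ne '#microsoft.graph.passwordAuthenticationMethod' }
        if (-not $nonPassword) {
            [pscustomobject]@{
                UserId            = $m.Id
                UserPrincipalName = $m.AdditionalProperties['userPrincipalName']
                RegisteredMethods = ($types -join ', ')
            }
        }
    }
}

# Report first; registering a method is a deliberate per-user change.
$missing = Get-UsersMissingSecondMethod -GroupId $GroupId
$missing | Format-Table -AutoSize

# The workaround from the reply above, applied to one reported user
# (placeholder number; the method is registered but not allowed by policy):
if ($missing) {
    New-MgUserAuthenticationPhoneMethod -UserId $missing[0].UserId `
        -PhoneNumber "+1 2065550100" -PhoneType "mobile"
}
```

Run the audit before moving users into the CA group, so the gap described in the thread (a user covered by the policy with no second method) is caught ahead of their first sign-in.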

Thanks again for the response and information.

Where exactly did you add the mobile number to the user? Under the user in Entra? If they don't already have an MFA setup in Entra, I'm not seeing the option to add or modify MFA.

As to why they don't already have an MFA status listed in Entra, let me give a little more background. We have DUO MFA currently configured at the federated tenant level. That covers all users. We are moving some users into a different subdomain under the same tenant. After they are moved, they are no longer covered by the MFA config at the tenant level. At the time of the move, I place the user into a group covered by the CA policy. Again, this was all working fine, up until a couple months ago.
The user doesn't appear to have the MFA status section under their account until they have already gone through their first MFA process after being moved. By then, they would have already gone through the MS Authenticator default setup process we are trying to avoid.

Mobiusstrip_0-1767967219276.png

The MFA status section is missing (below). Once they have that, it looks like I could set them to the external Cisco DUO method manually. 

Mobiusstrip_1-1767967280029.png

What you are saying about MS defaulting to Authenticator when it doesn't see an MFA makes sense. Once I moved the user to a subdomain, they have no MFA configured, albeit briefly. I'm just wondering about the change in behavior we saw in the last couple months. Is it related to the MFA enforcement that MS was pushing this year? I'm seeing various dates for various phases of the enforcement.

Never mind, I figured it out. I can actually preemptively go into the user in Entra and immediately add the External authentication method that we labeled "Cisco DUO". I have to go into Entra as part of the user move anyway, so it doesn't really add any steps.

I'm still curious about why things changed recently. Was the requirement to have at least one other authentication method something that happened in the last couple months?

In any case, thanks for your help. Whether it was the same issue as what you saw or not, your idea of manually adding an authentication method led me to this solution. 
