Skip to content

Entra ID’s MFA Evolution: Your SMS Backdoor Is Now Obsolete!

Upgrade your security now! With Entra ID’s MFA evolution, your SMS backdoor is now obsolete. Say hello to new and stronger authentication methods in your tenant!

Table of Contents

The Story Of The SMS Backdoor

In the fast-paced world of IT, keeping up means always moving forward with technology. Switching from old to new methods should be like taking small, careful steps so you don’t end up with an egg on your face!

Entra ID’s been teasing us with their new authentication methods for ages, and guess what? Microsoft kept pushing back the deadline. But mark your calendars: by September 30th, 2025, the old multi-factor authentication and password reset policies bite the dust. Don’t twiddle your thumbs waiting – take a cue from MSEndpointMGR’s blog post and get with the modern times!

Microsoft Entra Admin Center – Identity – Users – Authentication methods – Manage migration

Ah, the famous last words: “What could possibly go wrong?” But hey, if you’re rocking modern best practices across the board, things should align, right? Well, not always. Picture this: a shiny new authentication method stumbles upon an old-school setup. The issue? It’s not the new method itself but the stubborn legacy habits.

Instead of embracing Autopilot and letting users handle device onboarding, local IT insisted on the manual grind: reset, onboard, customize, repeat. And guess what? Thanks to IT techs adding their numbers for SMS authentication, MFA got a backdoor invite.

Microsoft Entra Admin Center – Identity – Users – Authentication methods – Add authentication method – Phone number

Whoopsie! Classic case of old habits dying hard!

Ensuring Your SMS Backdoor Is Now Obsolete

Sure, SMS MFA might be better than nothing, but let’s be real—it’s like using a paper umbrella on the west coast of Norway. But hey, if you’re stuck with it, why not jazz it up? By configuring SMS-based authentication for the first factor, you can slam the door on sneaky moves like using the same number as MFA for multiple accounts.

Phone number cannot be enabled for SMS sign-in because the number is not unique in your tenant.

Say goodbye to that old SMS backdoor—it’s officially out of style!

Bringing All The Pieces Together

Remember my shout-out to MSEndpointMGR and the wise words of Maurice, Jan Ketil, and Michael? If you’re on board, your Authentication Methods migration should be smooth sailing, leaving those legacy policies in the dust.

Microsoft Entra Admin Center – Identity – Users – Authentication methods – Add authentication method

Alright, folks, here’s the deal: SMS isn’t the gold standard for security, but sometimes you gotta work with what you’ve got, right? No worries, though—I’ve got a trick up my sleeve to turn that SMS backdoor into ancient history. Stick around, and let’s make some magic happen!

Use SMS to Sign In: Your SMS Backdoor Is Now Obsolete!

Here’s the scoop: When setting up SMS for MFA in those snazzy new Entra ID Authentication methods, tick the box to use SMS for sign-in.

Your SMS Backdoor Is Now Obsolete
Microsoft Entra Admin Center – Protection – Authentication Methods – Policies

This little move ensures each number can only be linked to one identity in the tenant. Trying to add the phone number to a second account gives the message: “Unable to add method. Unable to add Phone number. – Phone number cannot be enabled for SMS sign-in because the number is not unique in your tenant. The provided phone number is conflicted with the target user.” It’s like giving each number its own VIP pass!

If the end user swings by https://aka.ms/mfasetup, they’ll get a heads-up about using their number as ID.

https://aka.ms/mfasetup

The IT admin can also play around with this authentication method in the Entra ID user blade.

Disable SMS sign-in

But hey—SMS is still a legacy, and Microsoft will recommend you move to modern authentication methods!

Why not hop on the innovation train and embrace modern authentication methods? Hack Your Security with One Trick: Strong Authentication.

Legacy Admins Outpaced by Modern Methods

Get ready for a wild ride! If your IT admin insists on sticking to the old ways of petting devices instead of embracing Microsoft Intune’s fancy Autopilot features, guess what? They’re about to hit a roadblock when trying to add their phone number for MFA by SMS.

It’s time to hop on the modern train, folks — let us all leave SMS on the platform! Can’t hop on the Autopilot train just yet? No worries! Take the scenic route with a Temporary Access Pass (TAP).

Microsoft Entra Admin Center – Identity – Users – Authentication methods – Add authentication method – Temporary Access Pass

But remember, this is still not a recognized method. Don’t park here. Make it a short F1 pit stop. Keep moving forward and embrace the modern era!
Microsoft Intune, Autopilot, and Strong Authentication for the win!

External References

Published inAutopilotEndpointEntraIdentityIntuneSecurityWindows

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *