Edit

Share via


Configure and enable users for SMS-based authentication using Microsoft Entra ID

Entra SMS-based authentication allows users to sign in using only a registered phone number and a one-time passcode (OTP) sent via SMS, no username or password required. This is different from Entra SMS multi-factor authentication, which typically requires a username, password, and SMS as MFA method. This authentication method is primarily designed to simplify sign-in experience of frontline workers and not recommended for Information workers (IW).

Entra also has a public preview of an alternative approach for frontline-workers called QR code authentication that organizations may want to consider for frontline shared device scenarios.

The rest of this article shows you how to enable SMS-based authentication as a first factor for select users or groups in Microsoft Entra ID. For a list of apps that support using SMS-based sign-in, see App support for SMS-based authentication.

Before you begin

Here are some important points before you start:

To simplify and secure sign-in to applications and services, Microsoft Entra ID provides multiple authentication options. SMS-based authentication lets users such as frontline workers enter an SMS code as a first factor for sign in. Users don't need to provide, or even know, their user name and password.

After their account is created by an identity administrator, they can enter their phone number at the sign-in prompt. They receive an SMS authentication code that they can provide to complete the sign-in. This authentication method simplifies access to applications and services, especially for Frontline workers.

Prerequisites

To complete this article, you need the following resources and privileges:

Known issues

Here are some known issues:

  • SMS-based authentication isn't currently compatible with Microsoft Entra multifactor authentication.
  • Except for Teams, SMS-based authentication isn't compatible with native Office applications.
  • SMS-based authentication isn't supported for B2B accounts.
  • Federated users won't authenticate in the home tenant. They only authenticate in the cloud.
  • If a user's default sign-in method is a text or call to your phone number, then the SMS code or voice call is sent automatically during multifactor authentication. As of June 2021, some apps will ask users to choose Text or Call first. This option prevents sending too many security codes for different apps. If the default sign-in method is the Microsoft Authenticator app (which we highly recommend), then the app notification is sent automatically.
  • Cross-tenant synchronization does not support users with SMS sign-in enabled.

Enable the SMS-based authentication method

There are three main steps to enable and use SMS-based authentication in your organization:

  • Enable the authentication method policy.
  • Select users or groups that can use the SMS-based authentication method.
  • Assign a phone number for each user account.
    • This phone number can be assigned in the Microsoft Entra admin center (which is shown in this article), and in My Staff or My Account.

First, let's enable SMS-based authentication for your Microsoft Entra tenant.

  1. Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.

  2. Browse to Entra ID > Authentication methods > Policies.

  3. From the list of available authentication methods, select SMS.

    Screenshot that shows how to select the SMS authentication method.

  4. Select Enable and select Target users. You can choose to enable SMS-based authentication for All users or groups.

    Note

    To configure SMS-based authentication for first-factor (that is, to allow users to sign in with this method), check the Use for sign-in checkbox. Leaving this unchecked makes SMS-based authentication available for multifactor authentication and Self-Service Password Reset only.

    Enable SMS authentication in the authentication method policy window

Assign the authentication method to users and groups

With SMS-based authentication enabled in your Microsoft Entra tenant, now select some users or groups to be allowed to use this authentication method.

  1. In the SMS authentication policy window, set Target to Select users.
  2. Choose to Add All users or groups, then select a test user or group, such as Contoso User or Contoso SMS Users.
  3. When you've selected your users or groups, choose Select, then Save the updated authentication method policy.

Each user that's enabled in SMS authentication method policy must be licensed, even if they don't use it. Make sure you have the appropriate licenses for the users you enable in the authentication method policy, especially when you enable the feature for large groups of users.

Set a phone number for user accounts

Users are now enabled for SMS-based authentication, but their phone number must be associated with the user profile in Microsoft Entra ID before they can sign-in. The user can set this phone number themselves in My Account, or you can assign the phone number using the Microsoft Entra admin center. Phone numbers can be set by those with at least the Authentication Administrator role.

When a phone number is set for SMS-based sign-in, it's also then available for use with Microsoft Entra multifactor authentication and self-service password reset.

  1. Search for and select Microsoft Entra ID.

  2. From the navigation menu on the left-hand side of the Microsoft Entra window, select Users.

  3. Select the user you enabled for SMS-based authentication in the previous section, such as Contoso User, then select Authentication methods.

  4. Select + Add authentication method, then in the Choose method drop-down menu, choose Phone number.

    Enter the user's phone number, including the country code, such as +1 xxxxxxxxx. The Microsoft Entra admin center validates the phone number is in the correct format.

    Then, from the Phone type drop-down menu, select Mobile, Alternate mobile, or Other as needed.

    Set a phone number for a user in the Microsoft Entra admin center to use with SMS-based authentication

    The phone number must be unique in your tenant. If you try to use the same phone number for multiple users, an error message is shown.

  5. To apply the phone number to a user's account, select Add.

When successfully provisioned, a check mark appears for SMS Sign-in enabled.

Test SMS-based sign-in

To test the user account that's now enabled for SMS-based sign-in, complete the following steps:

  1. Open a new InPrivate or Incognito web browser window to https://www.office.com

  2. In the top right-hand corner, select Sign in.

  3. At the sign-in prompt, enter the phone number associated with the user in the previous section, then select Next.

    Enter a phone number at the sign-in prompt for the test user

  4. An SMS message is sent to the phone number provided. To complete the sign-in process, enter the 6-digit code provided in the SMS message at the sign-in prompt.

    Enter the SMS confirmation code sent to the user's phone number

  5. The user is now signed in without the need to provide a username or password.

Troubleshoot SMS-based sign-in

You can use the following scenarios and troubleshooting steps if you have problems with enabling and using SMS-based sign-in. For a list of apps that support using SMS-based sign-in, see App support for SMS-based authentication.

Phone number already set for a user account

If a user has already registered for Microsoft Entra multifactor authentication and / or self-service password reset (SSPR), they already have a phone number associated with their account. This phone number isn't automatically available for use with SMS-based sign-in.

A user that has a phone number already set for their account is displayed a button to Enable for SMS sign-in in their My Profile page. Select this button, and the account is enabled for use with SMS-based sign-in and the previous Microsoft Entra multifactor authentication or SSPR registration.

For more information on the end-user experience, see SMS sign-in user experience for phone number.

Error when trying to set a phone number on a user's account

If you receive an error when you try to set a phone number for a user account in the Microsoft Entra admin center, review the following troubleshooting steps:

  1. Make sure that you're enabled for the SMS-based sign-in.
  2. Confirm that the user account is enabled in the SMS authentication method policy.
  3. Make sure you set the phone number with the proper formatting, as validated in the Microsoft Entra admin center (such as +1 4251234567).
  4. Make sure that the phone number isn't used elsewhere in your tenant.
  5. Check there's no voice number set on the account. If a voice number is set, delete and try to the phone number again.

Next steps