Recently some users were receiving a notification when they were logging into Microsoft cloud apps or SSO applications that stated:

Protect your account.
For a faster and safer way to sign in, your organization requires you to use Microsoft Authenticator.

Unfortunately we have some users who cannot use Microsoft Authenticator. So I needed to turn this off. Microsoft tier 1 support was not helpful. Maybe if I hadn’t found the answer on my own they would’ve escalated it to someone who knew how to fix this, but I never got that far.

To fix this you need to disable or otherwise change a couple of settings in Entra admin center. Below are the options I changed but change whatever is best for your organization.

First, in Entra Admin Center, go to Protection \ Authentication Methods \ Settings. Under “System-preferred multifactor authentication” set State to disabled.

Second, still in Authentication methods, choose “Registration Campaign”. Under settings set the State to disabled.

To test the fix have an affected user try to log into something in a Private tab. I found some users still got the prompt in previously used browsers.

It’s not clear to me why Microsoft made this change to push Authenticator. It’s been a while since I’ve looked but I remember the Registration Campaign having more Authentication Method options. Now there is only Microsoft Authenticator.