
System-preferred MFA methods

Prompt users with the most secure MFA method they have already registered, even when stronger methods are available in the tenant but not yet configured by the user:

System-preferred multifactor authentication (MFA) prompts users to sign in by using the most secure method they registered. Administrators can enable system-preferred MFA to improve sign-in security and reduce less secure sign-in methods like Short Message Service (SMS). Users don't need to set any authentication method as their default because the system always chooses and presents the most secure method they registered.

Default order

When enabled, MFA methods are prioritized in the following order (system-preferred):

  1. Temporary Access Pass (TAP)
  2. Passkey (FIDO2)
  3. Certificate-based authentication (CBA)
  4. External authentication methods [Preview]
  5. Microsoft Authenticator notifications (Microsoft Auth App)
  6. Time-based one-time password (TOTP) (Third Party Auth App)
  7. Telephony (SMS and Voice)

Prerequisite - Authentication methods

Before enabling system-preferred MFA, review which authentication methods are currently available in your environment.

Prioritize enabling secure methods from the stronger side of the method comparison table.

If secure methods are not yet enabled for users, the above order will not improve your security posture.

Handling Downgrades - Authentication Methods

In some scenarios, users may be unable to use the most secure method (for example, Passkey in a virtual environment) or may require SMS for a specific application. In such cases, you have two options:

Option 1 - Custom Authentication Strength

Configure a custom Authentication Strength combination and apply it with Conditional Access to your scenario.

Option 2 - Adjust Authentication methods Target

Modify the scope of Authentication methods and include or exclude a specific Group from the Target:


Note

Keep in mind that a user cannot register a stronger method while it is actively prevented, so such exclusions should be reviewed periodically to avoid blocking future improvements.

Enable - System-preferred MFA

In most tenants the setting is already in the "Microsoft managed" or "Enabled" state, but it is always worth verifying:
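To make the priority order, the prerequisite and the "verify the setting" step concrete, here is an added Python example that is not part of the original post. It simulates which method system-preferred MFA would prompt for, given a tenant authentication methods policy and each user's registered methods. The policy document is a constructed sample shaped like the Microsoft Graph beta `authenticationMethodsPolicy` resource (`systemCredentialPreferences` with `state`/`excludeTargets`, and `authenticationMethodConfigurations` with per-method `state`); those property names and the configuration ids such as `Fido2` or `SoftwareOath` are assumptions to check against the current Graph documentation, and the group id and user registrations are invented.

```python
"""Simulate system-preferred MFA selection over a tenant policy document.

Added example, not code from the original post.  SAMPLE_POLICY is a
CONSTRUCTED document shaped like the Graph beta authenticationMethodsPolicy
resource; property names and configuration ids are assumptions.
"""
import json

# Priority order from the post, strongest first:
# (rank, display name, assumed Graph configuration ids)
PRIORITY = (
    (1, "Temporary Access Pass (TAP)", ("TemporaryAccessPass",)),
    (2, "Passkey (FIDO2)", ("Fido2",)),
    (3, "Certificate-based authentication (CBA)", ("X509Certificate",)),
    (4, "External authentication methods", ()),  # tenant-specific ids, not modeled
    (5, "Microsoft Authenticator notifications", ("MicrosoftAuthenticator",)),
    (6, "Time-based one-time password (TOTP)", ("SoftwareOath",)),
    (7, "Telephony (SMS and Voice)", ("Sms", "Voice")),
)

# Constructed sample: system-preferred MFA is on, one group is excluded
# (the "Option 2" downgrade path), and passkeys/CBA are not enabled tenant-wide.
SAMPLE_POLICY = json.loads("""
{
  "systemCredentialPreferences": {
    "state": "enabled",
    "includeTargets": [{"targetType": "group", "id": "all_users"}],
    "excludeTargets": [{"targetType": "group", "id": "group-legacy-app"}]
  },
  "authenticationMethodConfigurations": [
    {"id": "TemporaryAccessPass", "state": "enabled"},
    {"id": "Fido2", "state": "disabled"},
    {"id": "X509Certificate", "state": "disabled"},
    {"id": "MicrosoftAuthenticator", "state": "enabled"},
    {"id": "SoftwareOath", "state": "enabled"},
    {"id": "Sms", "state": "enabled"},
    {"id": "Voice", "state": "enabled"}
  ]
}
""")


def enabled_methods(policy):
    """Configuration ids whose tenant-wide state is 'enabled'."""
    return {c["id"] for c in policy["authenticationMethodConfigurations"]
            if c.get("state") == "enabled"}


def is_excluded(policy, user_groups):
    """True when one of the user's groups is an excludeTarget of the feature."""
    prefs = policy["systemCredentialPreferences"]
    excluded = {t["id"] for t in prefs.get("excludeTargets", [])}
    return bool(excluded & set(user_groups))


def preferred_method(policy, registered, user_groups=()):
    """Return the configuration id the user would be prompted with, or None
    when system-preferred MFA does not apply to this user."""
    state = policy["systemCredentialPreferences"]["state"]
    # "default" is the Microsoft-managed state; the post notes it is on in
    # most tenants, so only an explicit "disabled" switches the feature off.
    if state == "disabled" or is_excluded(policy, user_groups):
        return None
    usable = enabled_methods(policy) & set(registered)
    for _rank, _name, ids in PRIORITY:
        for method_id in ids:
            if method_id in usable:
                return method_id
    return None


def rank_of(method_id):
    """Priority rank (1 = strongest) of a configuration id."""
    for rank, _name, ids in PRIORITY:
        if method_id in ids:
            return rank
    raise ValueError("unknown method id %r" % method_id)


def blocked_upgrades(policy, method_id):
    """Stronger methods that are not enabled tenant-wide and therefore can
    never be chosen over method_id, no matter what the user registers.  This
    is the prerequisite point: the order alone does not raise the bar."""
    enabled = enabled_methods(policy)
    chosen = rank_of(method_id)
    return [mid for rank, _name, ids in PRIORITY if rank < chosen
            for mid in ids if mid not in enabled]


if __name__ == "__main__":
    # Constructed users: registrations and group memberships are invented.
    users = [
        ("alice", ["Sms", "MicrosoftAuthenticator"], []),
        ("bob", ["Fido2", "Sms"], []),
        ("carol", ["MicrosoftAuthenticator"], ["group-legacy-app"]),
    ]
    for name, registered, groups in users:
        chosen = preferred_method(SAMPLE_POLICY, registered, groups)
        if chosen is None:
            print(name, "-> feature excluded or disabled")
        else:
            print(name, "->", chosen, "blocked upgrades:",
                  blocked_upgrades(SAMPLE_POLICY, chosen))
```

Running it shows that bob, who registered a passkey, still gets SMS because FIDO2 is disabled in the tenant policy, and that carol is left out entirely through the group exclusion, which is exactly what the periodic review in the note above is meant to catch.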

Summary

I personally hope you have learned one or two things, even if the feature may already have been enabled in your tenant. System-preferred MFA simplifies the user experience and strengthens your organization’s sign-in security.

Wishing you a secure and productive week ahead!


Reference:
