What’s Text Message Authentication
SMS-based authentication allows users to log in without needing to remember their username and password. After enabling the feature for an account, users can enter their phone number at the login prompt instead of their username. They will then receive an authentication code via text message that they can use to complete the login.
This service is often mistaken for SMS-based Multi-factor Authentication, but they are not the same.
This authentication method makes it easier for frontline workers to access applications and services. It’s not recommended to enable this feature for users who could use other passwordless methods or a combination of credentials + MFA. It’s also important to note that the desktop Office apps do not support SMS-based auth. Therefore, you can only use the web app version of the apps and only by logging in via office.com. You also cannot use the mobile version of the apps, except for Teams, Company Portal and Microsoft Azure.
If you decide to enable the feature, you should consider limiting and standardizing the frontline worker’s permissions to what’s necessary.
If you are curious why you should prioritize other methods over phone-based auth, consider reading this always relevant article by Alex Weinert:
It’s Time to Hang Up on Phone Transports for Authentication – Microsoft Community Hub
Critical Considerations
- SMS-based authentication isn’t compatible with Azure Multifactor Authentication.
- The only mobile apps that support SMS-auth are Teams, Company portal and Azure.
- The users will need to use the web version of the Office apps and log in via office.com.
- You’ll have to set up phone numbers for each account before the users can sign in.
- A phone number can only be associated with one user.
- If you have alternatives to phone-based auth methods, use them.
General Requirements
PERMISSIONS:
- Being a Global Admin for the tenant
LICENCES:
- Each user enabled for the feature must have one of the following:
- Microsoft 365 F1 or F3
- Azure Active Directory Premium P1 or P2
- Enterprise Mobility + Security (EMS) E3 or E5 or Microsoft 365 E3 or E5
- Office 365 F3
Tips
- You can assign phone numbers to users using PowerShell for an easier setup experience.
How to enable the feature
- Create a group with the users that’ll need to authenticate using SMS.
- Open Authentication Methods | Azure AD
- Click on SMS (Preview). The feature is not in preview anymore, even if the portal states so at the moment of writing this guide.
- Click on “Yes” under “Enable”, then “Select groups”, and select the group you created in the first step. Complete the step by clicking “Select” and “Save”.
- To set a phone number, go into All Users | Azure AD, then select a member of the group you created in the first step.
- Go into “Authentication methods”, then click “Add authentication method”. From there, select “Phone number” and insert the phone number the user will use to sign in, then click “Add”.
- You can also add an authentication method via PowerShell:
# Replace the variables with the user you wish to add the auth method to and phone number you wish to assign
$User = "user@example.com"
$PhoneNumber = "+1 111111111"
Install-module Microsoft.Graph.Identity.Signins
Connect-MgGraph -Scopes UserAuthenticationMethod.ReadWrite.All
Select-MgProfile -Name beta
New-MgUserAuthenticationPhoneMethod -UserId $User -phoneType "mobile" -phoneNumber $PhoneNumber
# Get the phone number of the user
Get-MgUserAuthenticationPhoneMethod -UserId $UserIf you need to script this for multiple users, you can refer to the code below.
This script assumes you created a CSV file in “C:\” named contacts.csv, and that the CSV file has a column named UserName and a column named PhoneNumber. If your CSV file has different column names, you will need to update the script accordingly.
# Install the modules and login to Graph
Install-module Microsoft.Graph.Identity.Signins
Connect-MgGraph -Scopes UserAuthenticationMethod.ReadWrite.All
Select-MgProfile -Name beta
# Import the CSV file containing names and phone numbers
$contacts = Import-Csv -Path "C:\contacts.csv"
# Loop through each user and add their phone number for authentication
# If you changed the column names, replace these placeholders with the actual column names from the CSV file
foreach ($contact in $contacts)
{
$User = $contact.UserName
$PhoneNumber = $contact.PhoneNumber
New-MgUserAuthenticationPhoneMethod -UserId $User -phoneType "mobile" -phoneNumber $PhoneNumber
}
To learn more, refer to the following links:
Azvise 
Hello John,
great question. This does not help with controlling who can use SMS as a method for MFA for 99.9% of organizations.
That would be done by accessing the following link and disabling “Text message to phone”:
https://account.activedirectory.windowsazure.com/UserManagement/MfaSettings.aspx
Small note though. If you are enrolled in the “Authentication Methods Policy Convergence” preview (most people are not) you can use the SMS policy in this page to manage both SMS as sign-in (described in this article) and allowing SMS for MFA.
https://portal.azure.com/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AdminAuthMethods
This will replace all the other portals, but very few organizations are using this portal this way right now.
LikeLike
Hello..great article…so just to clear this feature does not help with controlling who can use SMS for Multifactor Authentication correct ?
LikeLike