> leaving IT experts wondering, ‘Why would you pick Microsoft?’
Well I can tell you why people pick MS Authenticator - it's because microsoft basically forces it on you, uses dark patterns to avoid letting you use any other standard OTP app and doesn't give admins the tools to disable it.
As an admin, I can disable every single MFA method individually, including TOTP, but Microsoft Authenticator is force-enabled. When users go to enable TOTP (or are forced to), the option is called "Microsoft Authenticator", not something more generic. The QR code they get is not a standard TOTP one, so any other client will reject it. There's a small link below it letting you "use another app" which finally gives you a real TOTP QR code. This is INSANE!
And you have to do the "use another app" dance on every single login too... You know I have TOTP setup, you know I'm not using MS Authenticator.
To make matters worse(?), I have not been able to login to Teams at all in the last two weeks. I select "use another app" ... and nothing happens. Sigh.
It is astonishing how bad we can make software today. We used to at least try.
Works On My Machine (tm), your org's admin team probably missed a hidden checkbox that gets moved around between admin pages every odd hour (except on days divisible by 4, where it's missing entirely) (except during chinese new year) (except when that overlaps with a leap year) (except when an odd-numbered amount of users has the wrong license), but you can probably also do it powershell (except it's undocumented) (and deprecated)
...yeah, I don't know either why peopler dislike modern Microsoft.
Microsoft admin isn’t my day job, but I dealt with this exact thing the other day—the toggles for Microsoft Defender MFA are spread across Entra ID policies, Registration Campaigns, per-user settings, and more Microsoft subdomains I’d never heard of. After two hours the best I could do was add a Skip button to the MFA prompt when our users sign in.
I use the MS app for work, as it’s required as you say. I’m not sure our first-line support really minds though, as if people weren’t using this then they would be supporting a range of apps. It’s obviously unfortunate that it sort of sucks for them that they have to reset these things for people all the time, but I guess it’s the lesser of multiple evils.
That being said, maybe we should advise employees that they shouldn’t use it for personal things even though they have it as it sucks.
I use the MS app for work, as it’s required as you say. I’m not sure our first-line support really minds though, as if people weren’t using this then they would be supporting a range of apps. It’s obviously unfortunate that it sort of sucks for them that they have to reset these things for people all the time, but I guess it’s the lesser of multiple evils.
That being said, maybe we should advise employees that they shouldn’t use it for personal things even though they have it as it sucks.
We noticed this crap when we rolled out MS365. We immediately told all users to not use the MS authenticator.
The fact that Microsofts still hasn't fixed this should put in question their priorities in security and safety of all other products as well. This is just unacceptable.
Well I can tell you why people pick MS Authenticator - it's because microsoft basically forces it on you, uses dark patterns to avoid letting you use any other standard OTP app and doesn't give admins the tools to disable it.
As an admin, I can disable every single MFA method individually, including TOTP, but Microsoft Authenticator is force-enabled. When users go to enable TOTP (or are forced to), the option is called "Microsoft Authenticator", not something more generic. The QR code they get is not a standard TOTP one, so any other client will reject it. There's a small link below it letting you "use another app" which finally gives you a real TOTP QR code. This is INSANE!