We have a M365 tenant with MFA enforced for all users.
We can use either text message (SMS) or Microsoft Authenticator app on smartphone with a Time Based code (6 digit TOTP code).
We would like for some users to have the MFA set to "approval" mode. I.E. when the user try to login, the MS Authenticator ask the user to approve the sign-in request and the user simply need to push on the 'approve' button.
How can we configure this?
Note: we are aware this may be less secure and some users will simply approve any request even if they are not the originator. This is to be set up for very specific users which we trust to use this feature correctly.
You need to Enable passwordless phone sign-in authentication methods
To enable the authentication method for passwordless phone sign-in, complete the following steps:
Sign in to the Azure portal with an Authentication Policy Administrator account.
Search for and select Azure Active Directory, then browse to Security > Authentication methods > Policies.
Under Microsoft Authenticator, choose the following options:
a. Enable - Yes or No
b. Target - All users or Select users
Each added group or user is enabled by default to use Microsoft Authenticator in both passwordless and push notification modes ("Any" mode). To change the mode, for each row for Authentication mode - choose Any, or Passwordless. Choosing Push prevents the use of the passwordless phone sign-in credential.
To apply the new policy, click Save.
Hope this helps!