The ability to snooze the Authenticator registration prompt when logging into your Microsoft 365 account puts a temporary freeze on the registration of the Microsoft Authenticator app for that day. This is normally a temporary measure that gives users a short period of time to get ready to complete the configuration.
Microsoft has pushed a short default period of 3 days to all tenants that are configured as Microsoft-managed. This means a user can skip the registration of the app on login for 3 consecutive days, then on the 4th day, they will be forced to go through the registration to complete the setup.
In this post, I am going to show you how to change the default behaviour in the unlikely scenario that you may want to enable snoozing indefinitely.
Scenarios where this might be required
Enabling staff to snooze the registration of the Microsoft Authenticator app forever is not recommended. Still, there may be some scenarios where it is likely to come up, although that doesn't mean other solutions couldn't be used.
One scenario is that a user has started with a company, but hasn't been issued a company mobile, nor do they wish to install company email or the Authenticator app on their own mobile. This can be frustrating and is often caused only by a lack of understanding from the end user regarding the safety of their personal data.
Instead, the company has opted to purchase a new mobile for the user which may not arrive for a couple of weeks. As the maximum configurable time for registration snoozing in the portal is 9 days, the last option is to skip registration indefinitely.
How to allow unlimited registration snoozes
For detailed steps to set up registration campaigns, follow my guide, How to Setup Registration Campaigns for MFA in Microsoft Entra.
To enable unlimited snoozes for Microsoft Authenticator registration, sign in to Microsoft Entra as an Authentication Policy Administrator or Global Administrator and expand Protection, then select Authentication methods > Registration campaign and set Limited number of snoozes to Disabled.
Allow unlimited snoozes with Microsoft Graph PowerShell
The modification of your authentication methods policy can also be done using Microsoft Graph PowerShell. For this, you will need to have the latest version of Microsoft Graph PowerShell installed and have access to a Global Administrator to consent to permissions.
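# Request only the permission needed to edit the authentication methods policy
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"

$params = @{
    registrationEnforcement = @{
        authenticationMethodsRegistrationCampaign = @{
            # Days before the prompt returns after a snooze (0 = prompt on every MFA attempt)
            snoozeDurationInDays = 0
            # $false = registration is never forced, so users can snooze indefinitely
            # (the portal's "Limited number of snoozes" set to Disabled)
            enforceRegistrationAfterAllowedSnoozes = $false
            # Keep the campaign running; "disabled" would switch the prompt off entirely
            state = "enabled"
            excludeTargets = @(
            )
            includeTargets = @(
                @{
                    id = "all_users"
                    targetType = "group"
                    targetedAuthenticationMethod = "microsoftAuthenticator"
                }
            )
        }
    }
}

# Apply the change to the tenant's authentication methods policy
Update-MgBetaPolicyAuthenticationMethodPolicy -BodyParameter $params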
Alternatively, if you prefer to work with JSON instead of the Hashtable I used above with the Update-MgBetaPolicyAuthenticationMethodPolicy cmdlet, you can also make this change with the Invoke-MgGraphRequest cmdlet and define the request body as JSON.
# "enforceRegistrationAfterAllowedSnoozes": false allows unlimited snoozes;
# "state": "enabled" keeps the campaign (and its prompt) active.
$body = @'
{
    "registrationEnforcement": {
        "authenticationMethodsRegistrationCampaign": {
            "snoozeDurationInDays": 5,
            "enforceRegistrationAfterAllowedSnoozes": false,
            "state": "enabled",
            "excludeTargets": [],
            "includeTargets": [
                {
                    "id": "all_users",
                    "targetType": "group",
                    "targetedAuthenticationMethod": "microsoftAuthenticator"
                }
            ]
        }
    }
}
'@

# PATCH the beta authentication methods policy endpoint with the JSON body
$uri = "https://graph.microsoft.com/beta/policies/authenticationmethodspolicy"
Invoke-MgGraphRequest -Uri $uri -Body $body -Method PATCH -ContentType "application/json"
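After changing this policy it is worth reading it back and checking what is now in force, since an unlimited-snooze campaign targeted at all users leaves Authenticator registration optional for everyone. The following is an added example, not the author's code: Test-RegistrationCampaign is a hypothetical helper name and the sample policy is constructed.

```powershell
# Added example: audit the registration campaign section of the
# authentication methods policy. Test-RegistrationCampaign is a hypothetical name.
function Test-RegistrationCampaign {
    param([Parameter(Mandatory)] $Policy)

    $c = $Policy.registrationEnforcement.authenticationMethodsRegistrationCampaign
    $findings = [System.Collections.Generic.List[string]]::new()

    switch ($c.state) {
        'disabled' { $findings.Add('Campaign disabled: users are never prompted to register.') }
        'default'  { $findings.Add('Campaign is Microsoft-managed: Microsoft sets the behaviour.') }
    }
    if ($c.state -eq 'enabled' -and -not $c.enforceRegistrationAfterAllowedSnoozes) {
        $findings.Add('Unlimited snoozes: registration is never enforced.')
        if ($c.includeTargets.id -contains 'all_users') {
            $findings.Add('Unlimited snoozes apply to all users, not a scoped group.')
        }
    }

    [pscustomobject]@{
        State              = $c.state
        SnoozeDays         = $c.snoozeDurationInDays
        EnforceAfterSnooze = [bool]$c.enforceRegistrationAfterAllowedSnoozes
        ExcludedTargets    = @($c.excludeTargets).Count
        Findings           = $findings
    }
}

# Constructed sample policy so the check runs offline.
$sample = @'
{ "registrationEnforcement": { "authenticationMethodsRegistrationCampaign": {
    "snoozeDurationInDays": 5, "enforceRegistrationAfterAllowedSnoozes": false,
    "state": "enabled", "excludeTargets": [],
    "includeTargets": [ { "id": "all_users", "targetType": "group",
                          "targetedAuthenticationMethod": "microsoftAuthenticator" } ] } } }
'@ | ConvertFrom-Json

Test-RegistrationCampaign -Policy $sample | Format-List

# Against a live tenant, in a session connected with Connect-MgGraph:
# $uri  = "https://graph.microsoft.com/beta/policies/authenticationmethodspolicy"
# $live = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
# Test-RegistrationCampaign -Policy $live | Format-List
```

Running the check on a schedule and alerting on any new finding catches a temporary exception that was never rolled back.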
Best practice
In reality, the scenarios where management might think that allowing unlimited registration skipping is the best approach can be easily navigated around while maintaining a fair amount of security. This might include a corporate VPN and temporary MFA bypass through Conditional Access, issuance of a one-time password, or the loan of a temporary mobile device. You might even consider temporarily allowing SMS or phone-based authentication through the Authentication methods policy.