System-preferred multifactor authentication

System-preferred multifactor authentication prompts users to sign in by using the most secure method they have registered.

At sign-in, the authentication process evaluates which authentication methods are registered for the user, and then prompts the user for the most secure method they have registered. The current order of authentication methods, as set by Microsoft, is listed below; it can change as more secure methods are released.

  1. Temporary Access Pass
  2. Certificate-based authentication
  3. FIDO2 security key
  4. Microsoft Authenticator push notifications
  5. Time-based one-time password (hardware and software tokens)
  6. Telephony (SMS and phone calls)

This feature should now be in Public Preview (March 2023). This feature is expected to be enabled by default by October 2023.

Current timeline:

  • At GA (in April), the Microsoft-managed state will be set to “disabled”. Admins will have the UX, and the toggle will be available to enable and disable the feature.
  • At GA + 2 months (June), the Microsoft-managed state will be set to “enabled”. The toggle will still be available to enable and disable the feature.
  • At GA + 6 months (October), the toggle will be removed and the feature will be enabled for everyone by default.

Enabling system-preferred MFA in the Microsoft Entra admin center

  1. Sign in to the Microsoft Entra admin center
  2. Click Azure Active Directory > Protect & secure > Authentication methods > Settings
  3. Under System-preferred multifactor authentication set the state to Enabled
  4. Under State, set Target to All users
  5. Click Save
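The same setting can be read and written through Microsoft Graph, which is how you would audit many tenants for drift from the steps above. The following is an added example, not code from the page or from Microsoft; it assumes the Graph beta `authenticationMethodsPolicy` exposes the setting as `systemCredentialPreferences` with `state`, `includeTargets` and `excludeTargets` (property names are an assumption), and it works offline on a constructed sample instead of calling the endpoint.

```python
import json

# Endpoint the PATCH body below would be sent to (assumption: beta schema).
GRAPH_POLICY_URL = "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy"


def desired_policy_patch():
    """PATCH body mirroring the admin-center steps: state Enabled, Target = All users."""
    return {
        "systemCredentialPreferences": {
            "state": "enabled",
            "includeTargets": [{"targetType": "group", "id": "all_users"}],
            "excludeTargets": [],
        }
    }


def audit_system_preferred(policy):
    """Return findings where the tenant deviates from 'enabled for all users'.

    An empty list means system-preferred MFA is explicitly enforced tenant-wide.
    """
    prefs = policy.get("systemCredentialPreferences") or {}
    findings = []
    state = prefs.get("state", "default")
    if state == "default":
        # Microsoft-managed: the effective value follows the rollout timeline,
        # so it is not an explicit admin decision and should be flagged.
        findings.append("state is 'default' (Microsoft managed), not explicitly enabled")
    elif state != "enabled":
        findings.append(f"state is '{state}': system-preferred MFA is not enforced")
    targets = [t.get("id") for t in prefs.get("includeTargets", [])]
    if "all_users" not in targets:
        findings.append(f"includeTargets does not cover all users: {targets}")
    excluded = [t.get("id") for t in prefs.get("excludeTargets", [])]
    if excluded:
        findings.append(f"excludeTargets present: {excluded}")
    return findings


# Constructed sample of a GET response (not real tenant data): Microsoft-managed
# state and a single pilot group instead of all users.
SAMPLE_POLICY = json.loads("""{
  "systemCredentialPreferences": {
    "state": "default",
    "includeTargets": [{"targetType": "group", "id": "00000000-0000-0000-0000-000000000001"}],
    "excludeTargets": []
  }
}""")

if __name__ == "__main__":
    for finding in audit_system_preferred(SAMPLE_POLICY):
        print("FINDING:", finding)
    print(json.dumps(desired_policy_patch(), indent=2))
```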