Azure MFA - Office Phone Method

  • Question

  • Hi Team,

    Users set up MFA using the following link: https://aka.ms/mfasetup.

    There is an option called Office phone. Users are not able to set up the same. I have gone through the following link https://support.microsoft.com/en-in/help/3045904/users-can-t-change-their-office-phone-number-when-they-set-up-azure-mu and I understood that users can't make office phone their preferred contact method.

    Can you please help me understand why the privilege is not available for the user?

    Wednesday, August 16, 2017 8:17 AM

All replies

  • Since these users are created in the On-Prem AD, there are some fields in the User Objects that are locked and only the On-Prem Domain Admins are permitted to make those changes. This is by design.

    The article on Controlling Access to Objects in Active Directory Domain Services talks about this in detail.

    Do click on "Mark as Answer" on the post that helps you, this can be beneficial to other community members.

    Wednesday, August 16, 2017 10:43 AM
  • In my test environment I have entered an office phone for a test user and synced it using Azure AD Connect, and it is also synced to Azure AD now. When I try to enable the "Call to my office phone" option, I am still getting an error msg stating "Contact your admin if you need to update your office number. Do not use a Lync phone.". If it is by design, the message "Contact your admin if you need to update your office number. Do not use a Lync phone." gives hope that this is possible if the admin is contacted.

    My question is simple.

    1. Can a user have the flexibility to use the "Call to my office phone" option?

    2. If so, what is to be done to make it work?

    Wednesday, August 16, 2017 11:00 AM
  • Yes, Office Phone as a contact method is an option for Azure MFA Verification. Ref: Use your office phone as the contact method.

    The possible reason of the message that you are getting in your test environment is that the option for Office Phone for the sync'd user is not updated. Suggest you to check on that.

    Wednesday, August 16, 2017 1:54 PM
  • I have the same scenario as you, Pravin, same error.  I thought maybe it was because my account is enabled for Skype for Business PBX dialing, but users without it enabled have the same error.  Did you find a solution to be able to use the office phone option as a backup method?
    Friday, December 15, 2017 6:58 PM
  • Hi Neelesh, what do you mean about checking if the Office Phone option for a sync'd user is updated? 

    I can see the properties of the users in the O365 admin portal and see they (including myself) have a phone number (in the E.164 format by the way like +15558888 for US number).   It is sync'd from AD telephoneNumber attribute.  However, like Pravin, when you go to enable Office Phone option for MFA verification it does not have any number filled in and you cannot fill one in yourself, and is accompanied by that error "Contact your admin if you need to update your office number. Do not use a Lync phone."

    I would expect their telephoneNumber value to be shown.

    Need help! Thanks.

    Friday, December 15, 2017 7:46 PM
  • Hello,

    I have the same problem and need your help.

    Thanks in advance.

    Best regards.

    Friday, December 22, 2017 1:50 PM
  • The E.164 format is not suitable for MFA. There should be a space between +1 and 5558888, otherwise the phone number is not shown.
    I've fixed my problem by adding a space between the country code and the rest of the phone number but still don't know if it has any impact on Skype for Business.

    It's weird that Azure AD does not recognize the E.164 code => this would make Azure AD better :)

    Sunday, January 14, 2018 6:58 PM
  • I like the idea of using the office phone number.  How do I add my extension number, so the call doesn't go to the receptionist?

    Friday, March 23, 2018 3:22 PM
  • In the Additional Security Verification page, you would find the option to add the Office Phone along with Extension.

    Ref: Manage your settings for two-step verification

    Sunday, March 25, 2018 3:20 AM
  • It is because that attribute is either synchronized from on premises or manually set up by the administrator, and I think the thought behind that is that, being an office phone number, users should not be allowed to change it because they cannot take their office phone with them and it is assigned by the company.

    Monday, March 26, 2018 6:49 AM
  • I would like to use an extension in the alternate authentication phone field.  This is because reception picks up our main office number.  I want to enter our unpublished "back door" number and my extension.  This way, the call from Microsoft gets routed straight to my desk.  Otherwise I can't use MFA and my office phone.
    Wednesday, May 16, 2018 1:15 PM
  • You can follow the steps outlined by me on the earlier post and that should do the trick.
    Wednesday, May 16, 2018 4:42 PM
  • You can follow the steps outlined by me on the earlier post and that should do the trick.
    I have the same question: How do I add my extension? My option to add the extension is grayed out in my MFA preferences as the office phone info is synced from AD. I can't find a "Phone extension" AD attribute... Any ideas?
    I have changed the format of the phone number in AD to +1 (###) ###-#### and it calls our main number. I've tried adding commas (i.e. (###) ###-####,, ####) but I just get an invalid format message.
    • Edited by ChrisF_ Monday, June 4, 2018 1:27 PM
    Monday, June 4, 2018 1:23 PM
  • When the Office Phone information is synchronized from the On-Premises, you would need to contact the on-premises Admin to have the Extension added to your phone information.

    Saturday, June 9, 2018 2:53 PM
  • Use this format in the Telephone number attribute:

    +1 ########## x###

    Wednesday, June 13, 2018 3:28 PM
  • Use this format in the Telephone number attribute:

    +1 ########## x###

    Hi all,

    this format will sort the phone number in MFA configuration correctly here: https://aka.ms/MFASetup

    But no phone calls can be made by Microsoft with this format!!!

    My office number is located in Germany and I set up the number in Active Directory as follows which can be displayed in MFA setup page correctly without receiving phone calls:

    +49 123456x789

    +49 123456 x789

    +49 123456 x 789

    It is not important if I use space before the extension number.

    The only format which I tested and the calls could be made are as following:

    +49 (12) 3456 - 789

    +49 123456 - 789

    +49 123456 789

    +49 123456789

    Note1: There should be a space always after the country code, otherwise the number will be ignored by Azure MFA.

    Note2: The above formats do not list extension on the MFA setup page.

    Could anyone find the correct formatting which can be worked and display the extension in the extension box too?

    • Edited by Bamsy.XV Wednesday, July 11, 2018 12:53 PM mistyping
    Wednesday, July 11, 2018 12:49 PM
  • @Bamsy.XV : Thanks for updating the forum with the solution that worked for you, which might help other community members.

    • Edited by Ajay Kadam Friday, July 13, 2018 10:33 AM
    Friday, July 13, 2018 10:33 AM
  • You're welcome. Actually, Microsoft should clarify these in its user guides clear and loud!!!
    • Edited by Bamsy.XV Friday, July 13, 2018 12:12 PM
    Friday, July 13, 2018 11:52 AM
  • Any solution for this? We need to get this working since we cannot put any of the above formats in MFA since all of them result in Invalid phone number. Please provide a phone number in following format: 999 999 9999

    Since the extension appears with the phone number and not in the Extension box making the string too long outputting the error in red above. This causes the formatting error.

    Friday, September 14, 2018 3:27 PM
  • I'm playing with this now... 

    Although I haven't tested the call-back yet, I was able to get the extension field populated by using the following format:

    +1 xxxyyyzzzz x1111

    Example:  +1 6103331111 x4444

    The 'x' before the extension caused it to populate properly in the extension field.

    • Proposed as answer by Mark Daniel Monday, October 28, 2019 2:02 PM
    Wednesday, October 24, 2018 6:16 PM
  • Were you able to get the call back to work using an extension?
    Friday, November 9, 2018 7:10 PM
  • I just tested it and it did work.  The phone received the recorded message, required two # presses, and approved properly.  We setup a test (VoIP) phone that did not require any key be pushed, before dialing the extension.

    Next week, we are going to see if it will work if the phone system requires a user to press '1' before entering the extension.  I will put an x1####   in the extension section, to simulate the '1' first.  I'll let you know if that works after testing.

    Friday, November 9, 2018 10:14 PM
  • Any update to this from MS?!? I see they are previewing a new combined registration for MFA and SSPR but appear to have still not addressed the inability to handle white space separators <space, dash, paren's> and properly use an extension in the import (I would think the e164 format of ;ext= would make the most sense?).
    Tuesday, July 9, 2019 6:53 PM
  • This worked perfectly for us.
    Monday, October 28, 2019 2:02 PM
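
Added example, not part of the thread and not Microsoft code: a Python check that audits exported telephoneNumber values against the formats the posters above reported (a space after the country code, and `x` before the extension). The function names and sample export are constructed, and the rules encode forum observations rather than a documented specification.

```python
import re

# Rules below encode what posters in this thread observed, not a documented spec:
#   "+<cc><number>"  (no space)  -> number not shown on the MFA setup page
#   "+<cc> <number>"             -> number shown, calls reported working
#   "+<cc> <number> x<ext>"      -> extension box populated (call results
#                                   with "x" differed between posters)
CC_THEN_SPACE = re.compile(r"^\+(\d{1,3}) (.+)$")
TRAILING_EXT = re.compile(r"^(.*?)\s*x\s*(\d+)$")
SEPARATORS = re.compile(r"[ ()\-]")  # separators used in the thread's working examples


def classify(value):
    """Return (status, country_code, number_digits, extension) for one value."""
    value = value.strip()
    if not value.startswith("+"):
        return ("no-country-code", None, None, None)
    m = CC_THEN_SPACE.match(value)
    if not m:
        return ("no-space-after-country-code", None, None, None)
    cc, rest = m.groups()
    ext = None
    em = TRAILING_EXT.match(rest)
    if em:
        rest, ext = em.groups()
    digits = SEPARATORS.sub("", rest)
    if not digits.isdigit():
        return ("unrecognized", cc, None, ext)
    return ("ok-with-extension" if ext else "ok", cc, digits, ext)


def audit(directory):
    """Map each user to a finding; only values needing admin attention are returned."""
    findings = {}
    for user, value in directory.items():
        status = classify(value)[0]
        if status not in ("ok", "ok-with-extension"):
            findings[user] = status
    return findings


# Constructed sample export (user -> telephoneNumber), not real data.
SAMPLE = {
    "alice": "+15558888",
    "bob": "+1 6103331111 x4444",
    "carol": "+49 (12) 3456 - 789",
    "dave": "+1 (610) 333-1111,, 4444",
    "erin": "610 333 1111",
}

if __name__ == "__main__":
    for user, status in audit(SAMPLE).items():
        print(f"{user}: {status}")
```

Because posters disagreed on whether calls complete when the `x` extension form is used, a value classified `ok-with-extension` still needs a test call before users rely on it.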