Microsoft 365 Login Requires Phone

If the new user account has MFA enabled in the legacy per-user way (Microsoft 365 admin center -> Active users -> Multi-factor authentication), Microsoft may insist that a phone number be added at login, with no option to prove identity by other methods, i.e. no authenticator app, email or other MFA.

To fix this, use the “Disable MFA” option on the Per-user multifactor authentication screen.

To transition new users to MFA, try the following:

  1. Go to https://entra.microsoft.com/
  2. Groups -> All Groups -> New group – add a security group named “MFA Users” and add the new users as members.
  3. Entra -> Protection -> Authentication methods -> Policies
  4. Enable the preferred methods, e.g. Microsoft Authenticator, Third Party OATH tokens, Email – enable them only for the “MFA Users” group so as not to interfere with existing user accounts (use All Users if you are ready to enforce them for all users).
  5. Now, when the new users sign in from a new location, they should be prompted to configure their MFA method.
  • The above procedure does not work – to use MFA on a new user account, simply add the MFA method within the user’s account (account.microsoft.com), under the Password section. The user will then have to use MFA when accessing limited screens such as Security info.
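
Steps 2 to 4 as a script, with a read-back of the Authentication methods policy so you can check which methods are enabled and for which targets. This is an added example, not part of the original page; it assumes the Microsoft Graph PowerShell SDK is installed and an admin account that can consent to the listed scopes, and the user name and mail nickname are constructed placeholders.

```powershell
# Added example, not from the original page. Assumes the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes 'Group.ReadWrite.All','Policy.ReadWrite.AuthenticationMethod','User.Read.All'

$groupName = 'MFA Users'                  # group name from step 2
$newUsers  = @('new.user@example.com')    # constructed placeholder UPN
$methods   = @{                           # policy method id -> Graph @odata.type
    MicrosoftAuthenticator = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration'
    SoftwareOath           = '#microsoft.graph.softwareOathAuthenticationMethodConfiguration'
    Email                  = '#microsoft.graph.emailAuthenticationMethodConfiguration'
}

# Step 2: reuse the security group if it already exists, otherwise create it.
$group = Get-MgGroup -Filter "displayName eq '$groupName'" | Select-Object -First 1
if (-not $group) {
    $group = New-MgGroup -DisplayName $groupName -SecurityEnabled `
        -MailEnabled:$false -MailNickname 'mfa-users'   # nickname is an assumption
}
$memberIds = (Get-MgGroupMember -GroupId $group.Id -All).Id
foreach ($upn in $newUsers) {
    $user = Get-MgUser -UserId $upn
    if ($user.Id -notin $memberIds) {
        New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
    }
}

# Steps 3-4: enable each method for the group only.
$base = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy'
foreach ($id in $methods.Keys) {
    $uri     = "$base/authenticationMethodConfigurations/$id"
    $current = Invoke-MgGraphRequest -Method GET -Uri $uri
    if ($current.state -eq 'enabled') {
        # PATCHing includeTargets replaces the existing targets, so leave live methods alone.
        Write-Warning "$id is already enabled; targets left unchanged"
        continue
    }
    $body = @{
        '@odata.type'  = $methods[$id]
        state          = 'enabled'
        includeTargets = @(@{ targetType = 'group'; id = $group.Id })
    } | ConvertTo-Json -Depth 5
    Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body -ContentType 'application/json'
}

# Read back what the tenant now has, to compare with the portal view.
(Invoke-MgGraphRequest -Method GET -Uri $base).authenticationMethodConfigurations | ForEach-Object {
    [pscustomobject]@{ Method = $_.id; State = $_.state; Targets = ($_.includeTargets.id -join ',') }
}
```

The script does not touch the per-user MFA setting; that is still changed on the Per-user multifactor authentication screen.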

Note: Microsoft’s MFA is a complete debacle. Microsoft regularly changes policies, behaves inconsistently, makes MFA difficult to manage, has poor, outdated documentation and is trying to force businesses to pay for consistent MFA with P1 and P2 licenses. Small businesses should consider switching to LibreOffice and using FastMail for email.