How to Disable Weak MFA Methods (SMS, Voice, and Email OTP) in Microsoft 365
  • Hanna Korotka
  • 34 minutes ago
  • 2 min read
Weak MFA Methods

Securing sign-ins with multi-factor authentication is no longer optional, but not every MFA method offers the same protection. SMS, voice calls, and email one-time passcodes (OTP) can all be intercepted, redirected, or phished, for example through SIM swapping, call forwarding, or adversary-in-the-middle phishing kits that relay the code in real time. The CIS Microsoft 365 Benchmark (control 5.2.3.5, Level 1) recommends turning these options off and moving users to stronger factors such as the Microsoft Authenticator app or FIDO2 security keys. Below is a straightforward plan to make that change without disrupting your workforce.


Why Disabling Weak MFA Methods Matters


Text messages and voice calls travel over public telephony networks that criminals can hijack with swapped or cloned SIM cards and call-forwarding tricks. Email OTP sounds convenient for B2B guests, yet it is only as strong as the guest's mailbox: if that mailbox has been compromised (weak password, credential stuffing, no MFA of its own), the attacker receives the code.


By removing these weaker methods you cut a major attack path, align with Zero Trust, and satisfy compliance frameworks that increasingly rate telephony-based MFA as low assurance (NIST SP 800-63B, for instance, classifies OTPs delivered over the public telephone network as a restricted authenticator).


Preparation: Know Your Audience


Before you flip any switches, capture a quick snapshot of who still uses SMS, voice, or email OTP. The Authentication methods report in Microsoft Entra ID (formerly Azure AD), under Protection > Authentication methods > User registration details, shows which methods each user has registered and which one is their default; that data lets you plan a phased rollout, communicate early, and avoid emergency support calls on Monday morning.
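The same snapshot can be pulled with the Microsoft Graph PowerShell SDK so it can be re-run every quarter. The script below is an added example, not code from the original post or from PlexHosted; it assumes the Microsoft.Graph module is installed, that your account can consent to the listed scopes, and that the method names match the values the Graph user registration details report returns (they are taken from the Graph documentation; verify them against your own report output).

```powershell
# Added example (not from the original post): inventory who still has SMS, voice or
# email OTP registered, and who among them has no stronger method yet.
# Assumes: Microsoft.Graph module installed, Graph permissions consented,
# and the documented Graph method names below (check against your report).

Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome

# Graph names for the three weak methods the post is about.
$weak = @("mobilePhone", "alternateMobilePhone", "officePhone", "email")

# Methods that count as a strong replacement.
$strong = @(
    "microsoftAuthenticatorPush", "softwareOneTimePasscode", "hardwareOneTimePasscode",
    "fido2SecurityKey", "passKeyDeviceBound", "windowsHelloForBusiness"
)

# Per-user registration detail report (-All follows the paging for you).
$report = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# Users with at least one weak method, flagged by whether they ALSO hold a strong one.
$atRisk = @(foreach ($u in $report) {
    $registered = @($u.MethodsRegistered)
    $weakHits   = @($registered | Where-Object { $weak -contains $_ })
    if ($weakHits.Count -gt 0) {
        [pscustomobject]@{
            User          = $u.UserPrincipalName
            UserType      = $u.UserType              # member or guest
            WeakMethods   = ($weakHits -join ",")
            DefaultMethod = $u.DefaultMfaMethod
            HasStrong     = [bool]($registered | Where-Object { $strong -contains $_ })
        }
    }
})

# Planning numbers for the phased rollout.
$needEnrollment = @($atRisk | Where-Object { -not $_.HasStrong })
"{0} of {1} users still have a weak method registered" -f $atRisk.Count, @($report).Count
"{0} of those have NO strong method and must enroll before the switch" -f $needEnrollment.Count

# Export for the communication plan; sort so the users without a fallback come first.
$atRisk | Sort-Object HasStrong, User | Export-Csv -Path .\weak-mfa-users.csv -NoTypeInformation
```

The HasStrong column is the one to act on: users with a weak method and no strong one will be locked out of MFA the moment the legacy methods are disabled, so they are the audience for the enrollment campaign; users who already have Authenticator or a key registered only need to be told that their text-message fallback is going away.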


The Three‑Step Change in Microsoft Entra Admin Center


  1. Go to the Microsoft Entra admin center at https://entra.microsoft.com/.

  2. Expand Protection, select Authentication methods, then select Policies.

  3. Edit each legacy method (SMS, Voice call, Email OTP): toggle Enable to Off and click Save.

     Tip: if Save stays greyed out, briefly change the target scope (for example from "All users" to "Select groups") and toggle again; it is a known UI quirk.

     Caveat: the Authentication methods policy only governs sign-in on its own once your tenant has finished migrating from the legacy per-user MFA and SSPR policies (Protection > Authentication methods > Policies > Manage migration). Until the migration state is "Migration complete", a method that is still enabled in the legacy policies remains usable even after you disable it here.


From this point on, any user, internal or guest, who tries to register SMS, voice, or email OTP is steered to the modern options, and users who already had one of those methods registered can no longer use it to satisfy MFA, so make sure the people identified in your audit have enrolled a strong method first. Before switching off Email OTP, check the Microsoft Learn guidance on how this affects redemption of B2B invitations for guests who have no existing Microsoft Entra or Microsoft account.
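The same three-step change can be scripted and verified through Microsoft Graph, which is useful when you manage several tenants or want the change in a change-control pipeline. This is an added example, not code from the original post or from PlexHosted; it assumes the Microsoft.Graph module, an account holding the Authentication Policy Administrator (or Global Administrator) role, and the Graph v1.0 authentication methods policy endpoints.

```powershell
# Added example (not from the original post): disable SMS, Voice and Email OTP in the
# Authentication methods policy via Microsoft Graph, then read the policy back to verify.
# Assumes: Microsoft.Graph module, Authentication Policy Administrator rights, Graph v1.0.

Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod" -NoWelcome

$policyUri  = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy"
$configsUri = "$policyUri/authenticationMethodConfigurations"

# Method configuration ids and the @odata.type Graph requires in the PATCH body.
$legacy = @{
    Sms   = "#microsoft.graph.smsAuthenticationMethodConfiguration"
    Voice = "#microsoft.graph.voiceAuthenticationMethodConfiguration"
    Email = "#microsoft.graph.emailAuthenticationMethodConfiguration"
}

# Guard: warn if the legacy per-user MFA / SSPR policies still apply, because a
# method left enabled there keeps working until the migration is complete.
$policy = Invoke-MgGraphRequest -Method GET -Uri $policyUri
if ($policy.policyMigrationState -ne "migrationComplete") {
    Write-Warning ("policyMigrationState is '{0}': legacy MFA/SSPR policies are still honoured; " +
                   "finish 'Manage migration' or this change is not fully effective.") -f $policy.policyMigrationState
}

# Disable each weak method. (Confirm the Email OTP impact on B2B guest redemption first.)
foreach ($id in $legacy.Keys) {
    $body = @{ "@odata.type" = $legacy[$id]; state = "disabled" } | ConvertTo-Json
    Invoke-MgGraphRequest -Method PATCH -Uri "$configsUri/$id" -Body $body -ContentType "application/json"
    Write-Host "Disabled $id"
}

# Verify: re-read the policy and fail loudly if any legacy method is not disabled.
$policy  = Invoke-MgGraphRequest -Method GET -Uri $policyUri
$states  = $policy.authenticationMethodConfigurations | Where-Object { $legacy.ContainsKey($_.id) }
$states | ForEach-Object { "{0,-6} state={1}" -f $_.id, $_.state }

$stillOn = @($states | Where-Object { $_.state -ne "disabled" })
if ($stillOn.Count -gt 0) {
    throw "Weak methods still enabled: $($stillOn.id -join ', ')"
}
```

The read-back at the end is the part worth keeping even if you make the change in the portal: it is the evidence a CIS 5.2.3.5 assessor will ask for, and the migration-state check catches the most common reason the control looks satisfied in the UI while SMS still works at sign-in.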


Life After Telephony MFA


Once weak methods are disabled, enforce Conditional Access policies that require a strong factor (an authentication strength) at every sign-in, monitor risky sign-ins for attempts to bypass app-based MFA, and schedule quarterly reviews of the Authentication methods reports so old habits don't creep back. Keep in mind that Authenticator push and TOTP, while far better than telephony, can still be relayed by adversary-in-the-middle phishing; only FIDO2 security keys and passkeys, Windows Hello for Business, and certificate-based authentication are phishing resistant, so treat those as the destination for privileged accounts.
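One way to put the Conditional Access requirement in place is a custom authentication strength whose allowed combinations contain no telephony option, referenced by a policy created in report-only mode so you can review the sign-in logs before enforcing it. This is an added example, not code from the original post or from PlexHosted; it assumes the Microsoft.Graph module, Conditional Access Administrator rights, the Graph v1.0 authentication strength and Conditional Access endpoints, the combination names documented for authentication strengths, and a break-glass group whose object id you substitute for the placeholder.

```powershell
# Added example (not from the original post): create a custom authentication strength
# with no SMS/voice combinations, then a report-only Conditional Access policy that
# requires it for all users except an emergency-access group.
# Assumes: Microsoft.Graph module, Conditional Access Administrator rights, Graph v1.0,
# documented combination names, and a real break-glass group id in place of the placeholder.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All" -NoWelcome

$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: your emergency-access group

# 1. Authentication strength: app-based and phishing-resistant combinations only.
$strengthBody = @{
    displayName         = "Strong MFA (no telephony)"
    description         = "Authenticator, OATH TOTP, FIDO2, WHfB, CBA; excludes SMS, voice and email"
    allowedCombinations = @(
        "fido2",                                 # security keys / passkeys (phishing resistant)
        "windowsHelloForBusiness",               # phishing resistant
        "x509CertificateMultiFactor",            # certificate-based auth (phishing resistant)
        "deviceBasedPush",                       # Authenticator passwordless sign-in
        "temporaryAccessPassOneTime",            # for onboarding the first strong method
        "password,microsoftAuthenticatorPush",
        "password,softwareOath",
        "password,hardwareOath"
    )
} | ConvertTo-Json -Depth 5

$strength = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/authenticationStrength/policies" `
    -Body $strengthBody -ContentType "application/json"

# 2. Conditional Access policy requiring that strength, in report-only mode first.
$caBody = @{
    displayName = "Require strong MFA for all users (report-only)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "OR"
        builtInControls        = @()
        authenticationStrength = @{ id = $strength.id }
    }
} | ConvertTo-Json -Depth 6

$caPolicy = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body $caBody -ContentType "application/json"

"Created CA policy '{0}' ({1}) in state {2}" -f $caPolicy.displayName, $caPolicy.id, $caPolicy.state
```

Leave the policy in report-only for a few days, then check the sign-in logs' report-only results for users who would have been blocked; once that list is empty, switch state to "enabled". For administrators, a second policy with the built-in Phishing-resistant MFA strength (FIDO2, Windows Hello for Business, certificate-based authentication only) is the logical next step, since Authenticator push is still relayable by adversary-in-the-middle phishing.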


Ready to Make the Switch?


PlexHosted—your Microsoft Cloud MSSP—can audit current MFA usage, guide users through Authenticator enrollment, and tune Conditional Access so you meet CIS 5.2.3.5 with zero downtime. If you’d like hands‑on help, reach out today and keep attackers off the easy path.
