Microsoft 365 Message Center Archive

MC926195 - Entra ID: Expansion of WhatsApp as an MFA one-time passcode delivery channel

Message ID

MC926195

View in Message Center

Service

Microsoft Entra

Published

Nov 6, 2024

Tag

Major change
Feature update
User impact
Admin impact

Summary

Starting December 2024, Microsoft Entra will reintroduce WhatsApp as a channel for delivering MFA OTPs in India, with expansion to more countries. Users with WhatsApp will receive OTPs there, with SMS as a fallback. Organizations can disable this feature or opt for more secure methods like Microsoft Authenticator.

More information

In late 2023, Microsoft Entra started leveraging WhatsApp as an alternate channel to deliver multifactor authentication (MFA) one-time passcodes (OTPs) to users in India and Indonesia. We saw improved deliverability, completion rates, and satisfaction when leveraging the channel in both countries. The channel was temporarily disabled in India in early 2024. Starting early December 2024, we will be re-enabling the channel in India and expanding its use to additional countries.  

When this will happen:

Starting December 2024, users in India and other countries may start receiving MFA text messages via WhatsApp. Only users that are enabled to receive MFA text messages as an authentication method and already have WhatsApp on their phone will get this experience. If a user with WhatsApp on their device is unreachable or doesn’t have internet connectivity, they will quickly fall back to the regular SMS channel. In addition, users receiving OTPs via WhatsApp for the first time will be notified of the change in behavior via SMS text message. 

The sender agent in WhatsApp where users will see the OTPs will be branded as Microsoft with a verified checkmark. 


How this will affect your organization:

If you’re a Microsoft Entra workforce customer and currently leverage the text-message authentication method, we recommend you notify your helpdesk about this upcoming change.

Additionally, if you don’t want your users to receive MFA text messages through WhatsApp, you may disable text messages as an authentication method in your organization. Please note that we highly encourage organizations move to using more modern, secure methods like Microsoft Authenticator and passkeys in favor of telecom and messaging app methods.

This feature update is available by default.

For more information, see Phone authentication methods in Entra ID.

What you need to do to prepare:

This rollout will happen automatically with no admin action required. You may want to notify your users about this change and update any relevant documentation as appropriate.