Hello, I’m an IT department and recently set this up for my organization. No, this is how Microsoft Authenticator works. The “enter the code shown on screen” thing for passwordless login is great, but it can’t always detect that you’re on the same device as the authenticator, so that’s awkward. The authenticator app always requires biometric authentication, this is an application/client-side setting that has nothing to do with the tenant. The delay between submitting a request and receiving the code is obviously not configurable, and sometimes it is quite bad (up to 10 seconds). On Android I have had the experience where after switching from the authenticator (which opened as a modal) back to the primary app, I could no longer re-open the authenticator app and see the number again, so I had to wait quite a while for the next request to go through.

It is just a pretty awkward experience from a phone, this has nothing to do with the tenant configuration. It’s smoother if you’re authenticating with your phone on a different device and the authentication servers aren’t feeling slow that day.

The only thing you CAN do as an IT admin is provide users alternative authentication options besides passwordless, including a standard 2FA code.

Edit: Oh fuck, you probably just meant the “authenticate twice a day” thing. Sorry. That’s configurable. Whether or not it’s appropriate really depends. It defaults to a much higher time period so evidently it’s on purpose. But it does suck.