(Yes) User1 is in Group1. The passwordless policy is targeted at Group1. User1 has the app registered for "push notification," but not yet for "phone sign-in." Once User1 opens the app and enables phone sign-in, all prerequisites will be met, and they will be prompted for passwordless authentication.

(No) User2 is in Group2. The passwordless policy is not targeted at Group2. Therefore, even if User2 enables phone sign-in within their app, the authentication method is not enabled by policy for their account. They will not be prompted for passwordless sign-in.

(No) User3 has "None" registered. A fundamental prerequisite for passwordless phone sign-in is registering the Microsoft Authenticator app. Since User3 has not even registered the app, they cannot use the feature without significant "further action."

Microsoft: "Enable passwordless sign-in with Microsoft Authenticator." Microsoft Learn (Microsoft Entra ID documentation). Accessed October 20, 2025.

Reference (Section): "Prerequisites" and "Enable phone sign-in from the app."

Content: This documentation confirms two key points:

A prerequisite is that "The Microsoft Authenticator app registered to the user's Microsoft Entra account." (This rules out User3).

After the admin enables the policy, "the user... need[s] to enable phone sign-in... from within the Microsoft Authenticator app." (This is the step User1 must take).

Microsoft: "Authentication methods in Microsoft Entra ID - Microsoft Authenticator app." Microsoft Learn (Microsoft Entra ID documentation). Accessed October 20, 2025.

Reference (Section): "Enable and configure."

Content: This source details how the policy is configured, including the "Include" and "Exclude" tabs for targeting specific users and groups. This supports the reasoning that the policy is scoped only to Group1, thereby excluding Group2.