Security: How to configure Advanced Microsoft Authenticator security features in the Microsoft Entra Admin Center and why it is important to implement them now

It’s time to make Microsoft Authenticator more secure for your users. Since October 25, 2022, the new Advanced Microsoft Authenticator security features have been generally available. This blog article shows how to enable them in the Microsoft Entra admin center.

  1. Why is it important to implement these new Microsoft Authenticator security features and inform your users about them?
  2. Which security features are newly available?
  3. How to configure Advanced Microsoft Authenticator security features
  4. With all the new security features enabled, what will the new user experience look like?

Why is it important to implement these new Microsoft Authenticator security features and inform your users about them?

A social engineering technique called MFA fatigue, also known as MFA push spam, is on the rise as attackers use it to bypass multi-factor authentication checks. Often, repeated MFA notifications are triggered and the targeted person is then contacted and urged to accept the MFA request. Eventually, users are so overwhelmed that they accidentally tap the Approve button or simply accept the request to stop the flood of notifications on their device. Microsoft studies show that about 1% of users accept a simple approval request on the first try and that attacks abusing push notifications, voice approvals, and SMS are trending up. That’s why it’s so important to require users to enter the number shown on the sign-in screen and to give them more context and protection.

MFA Fatigue Attacks statistics
Source: Microsoft

Source and further information:
Defend your users from MFA fatigue attacks

Which security features are newly available?

Require number matching for push notifications: To increase security and reduce accidental approvals, admins can require users to enter the number displayed on the sign-in screen when approving an MFA request in Authenticator.

Show application name in push and passwordless notifications: Another way to reduce accidental approvals is to show users additional context in Authenticator notifications. This feature shows users which application they are signing into.

Show geographic location in push and passwordless notifications: This feature shows users their sign-in location based on IP address.

Registration campaign: Using the Microsoft Authenticator Registration Campaign, you can now nudge your users to set up Authenticator and move away from less secure telephony methods.

New Admin UX and Admin APIs: Admins can now better manage Microsoft Authenticator app features with the Admin UX and APIs. Use the new Configure tab in the Admin UX to enable or disable individual features.
Advanced Microsoft Authenticator security features Overview

At the end of February 2023, Microsoft will enable number matching for all Authenticator users and strongly recommends taking advantage of rollout controls and deploying these security upgrades to Microsoft Authenticator.

How to configure Advanced Microsoft Authenticator security features

The easiest way to find the new security features is via the Microsoft Entra admin center: https://entra.microsoft.com – Protect & secure – Authentication methods – Microsoft Authenticator

Alternatively, you can also access them via the Azure Portal: https://portal.azure.com – Azure Active Directory – Security – Authentication methods – Microsoft Authenticator

In the Basics tab, first make sure that the target user scope is set correctly:

Advanced Microsoft Authenticator security features: Basics Settings

The individual security features can now be set up in the Configure tab:

Advanced Microsoft Authenticator security features: Configure Settings

The default configuration is Microsoft Managed, which means that Microsoft decides when the feature is activated; for Require number matching for push notifications this is the end of February 2023. If you set a feature to Enabled, you can roll it out now and test it with pilot users first.
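The Configure tab maps onto the featureSettings of the Authenticator method configuration that the Admin APIs mentioned above expose. The following Python is an added example, not code from the original post or from Microsoft: it builds the Graph PATCH body that sets all three features to Enabled for all users, and audits a fetched configuration so you can spot features still left at Microsoft Managed or scoped only to a pilot group. The Graph URL, property names and state values are assumptions taken from the Graph beta reference as of late 2022, and the pilot group ID in the sample is a constructed placeholder.

```python
# Graph beta endpoint for the Authenticator method configuration. Assumption:
# path and property names follow the Microsoft Graph beta reference as of late
# 2022; verify them against the current reference before use.
GRAPH_URL = ("https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/"
             "authenticationMethodConfigurations/microsoftAuthenticator")

# The Configure-tab features from the table above and their featureSettings keys.
FEATURES = {
    "numberMatchingRequiredState": "Require number matching for push notifications",
    "displayAppInformationRequiredState": "Show application name in notifications",
    "displayLocationInformationRequiredState": "Show geographic location in notifications",
}
ALL_USERS = {"targetType": "group", "id": "all_users"}


def desired_feature_settings() -> dict:
    """PATCH body for GRAPH_URL that sets every feature to Enabled for all users."""
    return {
        "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
        "featureSettings": {k: {"state": "enabled", "includeTarget": dict(ALL_USERS)} for k in FEATURES},
    }


def audit_feature_settings(config: dict) -> list[str]:
    """One finding per feature that is not explicitly Enabled for all users.
    'default' is the Microsoft Managed state: the feature only turns on when
    Microsoft flips it, so it is reported as not yet enforced."""
    findings = []
    settings = config.get("featureSettings") or {}
    for key, label in FEATURES.items():
        feature = settings.get(key) or {}
        state = feature.get("state", "default")
        target = (feature.get("includeTarget") or {}).get("id")
        if state != "enabled":
            findings.append(f"{label}: state is '{state}', expected 'enabled'")
        elif target != "all_users":
            findings.append(f"{label}: enabled only for target {target!r}, not all users")
    return findings


# Constructed sample of a GET response: number matching enabled for a pilot group
# (placeholder object ID) and the two context features left at Microsoft Managed.
SAMPLE_CONFIG = {"featureSettings": {
    "numberMatchingRequiredState": {"state": "enabled",
        "includeTarget": {"targetType": "group", "id": "PILOT-GROUP-OBJECT-ID-PLACEHOLDER"}},
    "displayAppInformationRequiredState": {"state": "default", "includeTarget": dict(ALL_USERS)},
    "displayLocationInformationRequiredState": {"state": "default", "includeTarget": dict(ALL_USERS)},
}}
```

Run audit_feature_settings() on the JSON returned by a GET on GRAPH_URL (Policy.Read.All) before and after sending desired_feature_settings() with a PATCH (Policy.ReadWrite.AuthenticationMethod); an empty finding list means all three features are enforced tenant-wide.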

The registration campaign can be activated as follows:
Microsoft Entra admin center: https://entra.microsoft.com – Protect & secure – Authentication methods – Registration campaign
Azure Portal: https://portal.azure.com – Azure Active Directory – Security – Authentication methods – Registration campaign

With all the new security features enabled, what will the new user experience look like?

Current Microsoft Authenticator User Experience
New Microsoft Authenticator User Experience:
1) Show application name in push and passwordless notifications
2) Show geographic location in push and passwordless notifications
3) Require number matching for push notifications

Registration campaign User Experience:
https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-registration-campaign#user-experience

Source and further information:
Advanced Microsoft Authenticator security features are now generally available!
