
It’s time to make Microsoft Authenticator more secure for your users. Since October 25, 2022, the new Advanced Microsoft Authenticator security features have been generally available. This blog article shows how to enable them in the Microsoft Entra admin center.
- Why is it important to implement these new Microsoft Authenticator security features and inform your users about them?
- Which security features are newly available?
- How to configure Advanced Microsoft Authenticator security features
- With all the new security features enabled, what will the new user experience look like?
Why is it important to implement these new Microsoft Authenticator security features and inform your users about them?
A social engineering technique called MFA fatigue, also known as MFA push spam, is on the rise as attackers use it to bypass multi-factor authentication checks. In many cases, repeated MFA notifications are triggered and the targeted person is contacted and asked to accept the MFA request. Eventually, users are so overwhelmed that they accidentally tap the Approve button or simply accept the MFA request to stop the flood of notifications on their device. Microsoft studies show that about 1% of users accept a simple approval request on the first try and that attacks relying on push notifications, voice confirmations, and SMS are trending up. That’s why it’s so important to require users to enter the information shown on the sign-in screen and to give them more context and protection.

Source: Microsoft
Source and further information:
Defend your users from MFA fatigue attacks
Which security features are newly available?
Security Feature | Description |
---|---|
Require number matching for push notifications | To increase security and reduce accidental approvals, admins can require users to enter the number displayed on the sign-in screen when approving an MFA request in Authenticator. |
Show application name in push and passwordless notifications | Another way to reduce accidental approvals is to show users additional context in Authenticator notifications. This feature will show users which application they are signing into. |
Show geographic location in push and passwordless notifications | This feature will show users their sign-in location based on IP address. |
Registration campaign | Using the Microsoft Authenticator Registration Campaign, you can now nudge your users to set up Authenticator and move away from less secure telephony methods. |
New Admin UX and Admin APIs | Admins can now better manage their Microsoft Authenticator app features with Admin UX and APIs. Use the new Configure tab in the Admin UX to enable/disable different features. |
At the end of February 2023, Microsoft will enable number matching for all Authenticator users and strongly recommends taking advantage of rollout controls and deploying these security upgrades to Microsoft Authenticator.
How to configure Advanced Microsoft Authenticator security features
The easiest way to find the new security features is via the Microsoft Entra admin center: https://entra.microsoft.com – Protect & secure – Authentication methods – Microsoft Authenticator
Alternatively, you can also access them via the Azure Portal: https://portal.azure.com – Azure Active Directory – Security – Authentication methods – Microsoft Authenticator
In the Basics tab, first make sure that the target user scope is set correctly:

The individual security features can now be set up in the Configure tab:

The default configuration is Microsoft Managed. This means that you give Microsoft control over when the feature is activated. For Require number matching for push notifications this would be the end of February 2023. If you set the features to Enabled, you can already roll out and pre-test them for pilot users.
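To check which features are still left at Microsoft Managed or are enabled only for a pilot group, the exported policy can be audited offline. The following is an added example, not code from the original article or from Microsoft. It assumes the Microsoft Graph property names `numberMatchingRequiredState`, `displayAppInformationRequiredState` and `displayLocationInformationRequiredState`, the state value `default` for Microsoft Managed, and the target id `all_users`, none of which appear on this page; the sample policy is constructed.

```python
import json

# Constructed sample: Microsoft Authenticator configuration in the shape Microsoft Graph
# returns for the authentication methods policy (assumed schema; values are made up).
SAMPLE_POLICY = json.loads("""
{"id": "MicrosoftAuthenticator", "state": "enabled",
 "featureSettings": {
  "numberMatchingRequiredState": {
    "state": "enabled", "includeTarget": {"targetType": "group", "id": "all_users"}},
  "displayAppInformationRequiredState": {
    "state": "default", "includeTarget": {"targetType": "group", "id": "all_users"}},
  "displayLocationInformationRequiredState": {
    "state": "enabled",
    "includeTarget": {"targetType": "group", "id": "11111111-2222-3333-4444-555555555555"}}
}}
""")

# Assumed Graph property -> name of the setting on the Configure tab
FEATURES = {
    "numberMatchingRequiredState": "Require number matching for push notifications",
    "displayAppInformationRequiredState": "Show application name in push and passwordless notifications",
    "displayLocationInformationRequiredState": "Show geographic location in push and passwordless notifications",
}

def audit(policy):
    """Return (setting, finding) pairs for every feature not enabled for all users."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append(("Microsoft Authenticator", "method itself is not enabled"))
    settings = policy.get("featureSettings") or {}
    for key, label in FEATURES.items():
        feature = settings.get(key) or {}
        state = feature.get("state", "default")  # a missing setting is treated as Microsoft Managed
        target = (feature.get("includeTarget") or {}).get("id")
        if state == "default":
            findings.append((label, "Microsoft Managed: Microsoft decides when it is activated"))
        elif state != "enabled":
            findings.append((label, f"state is {state}"))
        elif target != "all_users":
            findings.append((label, f"enabled only for group {target}"))
    return findings

if __name__ == "__main__":
    for label, finding in audit(SAMPLE_POLICY):
        print(f"{label}: {finding}")
```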
The registration campaign can be activated as follows:
Microsoft Entra admin center: https://entra.microsoft.com – Protect & secure – Authentication methods – Registration campaign
Azure Portal: https://portal.azure.com – Azure Active Directory – Security – Authentication methods – Registration campaign

With all the new security features enabled, what will the new user experience look like?


1) Show application name in push and passwordless notifications
2) Show geographic location in push and passwordless notifications
3) Require number matching for push notifications
Registration campaign User Experience:
https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-registration-campaign#user-experience
Source and further information:
Advanced Microsoft Authenticator security features are now generally available!