Nowadays we see lots of environments being secured with Azure Multi Factor Authentication, which is great. However, where we as IT administrators would rather encourage users to use the Microsoft Authenticator App, users are still choosing less modern and user-friendly scenarios to handle their second factor sign-in, such as SMS or Voice calls.
These last mentioned second factor methods (SMS & Voice Call) are in my opinion the least secure and least user-friendly options of all the MFA methods available today (due to for example potential SIM-hijacking). Besides that, they don’t fit in to a password less strategy! Alex Weinert has written a great blog about why, which you can find here.
But how can we encourage users to start using the Authenticator App to improve the security posture of their second factor sign-in? Or even better: Make sure these users are prepped for a password less strategy? Apart from writing good instructions for your end users which they can follow to enroll within the Authenticator App, we still see that users are ignoring these messages. This because they think it is ‘okay’ right now when using SMS or Voice, for other users it ends up as an unread item in Outlook with low priority at the bottom of a very long ‘todo’ list.
So, what other options do we have today to encourage or end users today to move to the Authenticator App? Well since June this year there is a new feature called Nudge! Nudge will prompt your end users on sign-in to setup the Authenticator App if they have not done so already. It will keep prompting the end user each X days and will keep doing so until the end user has registered the Authenticator App for their account. Once the user has walked through these steps the primary authentication method is automatically change to the authenticator app.
NOTE: If the user has already setup the Authenticator App with their account but has not set it as their primary method, the Nudge functionality will not be triggered. Nudge is today purely used for users who have not setup an Authenticator App registration for their account yet.
Now what are the requirements to use Nudge within your environment:
- Your organization must have enabled Azure MFA; Nudge will not work for the initial MFA registration without the user being required for MFA. It will therefore trigger after the user has registered for MFA whereby the user did not use the Authenticator App.
- It only works if users have not yet set up the Microsoft Authenticator for push notifications on their account; If an Authenticator App registration is found for the user (even if it is inactive) the Nudge prompt will not appear.
- Admins need to enable users for Microsoft Authenticator using one of these policies:
- MFA Registration Policy – Users will need to be enabled for Notification through mobile app, if this option is disabled within the tenant the user will not get a nudge prompt.
- Authentication Methods Policy – Users will need to be enabled for the Microsoft Authenticator and the Authentication mode must be set to Any or Push. If the policy is set to Password less only, the user will not be eligible for the nudge.
Once all these requirements are in place, we can start implementing the feature!
Step 1: Run through the necessary configuration steps in Azure Active Directory
First, we will create two Security Groups, the ‘IdentityMan-Nudge-Users’ for the users who should be prompted with a Nudge to register the Authenticator App as a second factor.
The other group ‘IdentityMan-Nudge-Excluded-Users’ is there so, you as an administrator, can easily opt-out users so they will not be prompted with a Nudge to register the Authenticator App as a second factor.
NOTE: An exclude group can be helpful when you have included a group which is used for other purposes as well (like group-based licensing as example).
We will now enable the functionality using Graph as this cannot yet be done using the GUI. Once the groups are created, go to the Microsoft Graph Explorer as a Global Administrator or Authentication Policy Administrator and make sure you’re signed in. Hit the ‘three dots’ and hit ‘Select permissions’.
In here search for the following two permissions and make sure they are selected.
Once selected hit ‘Consent’.
Now on the right side of the screen, please select ‘Get’, enter the URL ‘https://graph.microsoft.com/beta/policies/authenticationmethodspolicy’ and hit ‘Run Query’. This will show the current configuration of all authentication method policies.
Within the output search for the ‘authenticationMethodsRegisterCampaign’. As you can see the current policy is set to ‘Disabled’ (if yours is set to ‘Default’ it means disabled as well).
Now prepare yourself to configure the policy via the Graph API, for that you can use the text below. In here make sure the following values (red bold text below) are configured according to your needs:
- snoozeDurationInDays (range between 0-14);
- includedTargets group ID (This is the object ID of the group ‘IdentityMan-Nudge-Users’);
- excludedTargets group ID (This is the object ID of the group ‘IdentityMan-Nudge-Excluded-Users’).
NOTE: When you configure the snoozeDurationInDays to ‘0’ the user is prompted each time during sign in. I would recommend you to keep this value as low as possible, if you ‘Nudge’ your end users more for registering the authenticator app the result of registrations will increase.
Copy and paste the text which you have just changed into the ‘Request body’, make sure to select ‘Patch’ enter the same URL as before ‘https://graph.microsoft.com/beta/policies/authenticationmethodspolicy’ and hit ‘Run query’.
If successful, the result should be ‘No Content – 204’.
NOTE: If you copy and paste the above values to Notepad or Notepad++ the quotes can get ‘scrambled’ and therefore Graph won’t accept your input. So if the Graph doesn’t accept the JSON input format mentioned above please make sure to checkout if the quotes didn’t get ‘scrambled’.
Now let’s verify the configuration again and see if it has been applied correctly, you can easily do this by putting the method back from ‘Patch’ to ‘Get’.
NOTE: It can take up to a minute or 10 before the policy becomes active, at that point your users are starting to receive the Nudge when they logon to the Azure Active Directory.
To make sure your users are eligible to receive this prompt, lets first check two settings. The first setting can be found on the ‘old’ Multi Factor Authentication settings page. On this page, make sure that under the ‘Verification options’ the checkbox for ‘Notification through mobile app’ is selected.
The second setting which needs to be checked is the ‘MicrosoftAuthenticator’ setting in Azure Active Directory. This can be found when going to the Azure-portal page, go to ‘Azure Active Directory’, click on ‘Security’ and hit ‘Authentication Methods’. Within this blade click on ‘Policies’ and select the ‘MicrosoftAuthenticator’ option.
In here make sure the setting Enable is set to ‘Yes’ and at least the test group we have created is included (but preferably select ‘All Users’). When the group is selected (or you’ve put the setting to ‘All Users’). Hit the ‘three dots’ and click ‘Configure’.
In here make sure the ‘Authentication Mode’ setting is set to ‘Any’ (meaning Push notifications, TOTP or Passwordless) or ‘Push’ (meaning Push notifications or TOTP), this as when the user is only eligible for ‘Passwordless’ the Nudge won’t appear.
Click on ‘Done’ when the authentication mode has been configured.
Verify the settings and hit ‘Save’ when done.
NOTE 1: If a user is targeted for both ‘Passwordless’ and ‘Push’ the Nudge prompt will still appear as the user is eligible for ‘Push’ notifications.
NOTE 2: If the above configuration is not correct the user will receive an error message about this which is shown below. If this is the case, please revise the Authentication Policies and walk through the above steps again.
Now add your user to the group which will enable the Nudge notification. With this last step the configuration in Azure Active Directory for Nudge has been finished!
Step 2: Test the user experience.
After a successful logon with multi-factor authentication the user will see the nudge below. This is what we have just enabled and is actually telling the end user, it’s great that you’ve used multi factor authentication via i.e. SMS or Voice call but there is a better more user friendly way to execute this multi factor authentication. When the user hits ‘Not now’ he or she is going to snooze the nudge, in my configuration example above I have used 7 days which implies it will take a week for the end user to be nudged again. If I hit ‘Next’ the enrollment of the Authenticator App will start.
At that point, the user is prompted with the normal experience to start the enrollment for the Authenticator App.
Once the user has walked through the whole wizard the Authenticator App is configured, but even better: it is immediately set as the default method for second factor authentications for the user!
Step 3: Monitor the user activity of enrollments as an administrator
Now to monitor the active enrollments of end users from an administrator point of view, go to the ‘Activity’ within the ‘Authentication Methods’ blade in Azure Active Directory.
In the ‘Activity monitoring’ we can see on the left side what your users have registered as an authentication method within the Azure Active Directory.
On the right side within the ‘Activity monitoring’ we can see what users have used the lately as a registration option within you Azure Active Directory.
You can even drill down into the logs, for a specific authentication method, which users have registered as new methods, an example for the app notifications is therefore shown below.
By turning on Nudge you as an administrator should therefore see an increase of the ‘App Notification’ method on both registration and registered methods. This gives you proof as an IT administrator that your Nudge setup for the authenticator app is successful, besides that you are one step closer to a safer environment whereby you could think of implementing the passwordless phone sign-in feature as a next step. More about this passwordless phone sign-in implementation can be found on my other blog post.
So don’t wait any longer, start using Nudge today to improve the security posture of your environment and to provide a more user friendly second factor logon experience for end users as well!
I again hope you enjoyed reading my blog about this new feature! Stay tuned for some more new great features of the authenticator app soon. This whereby I will explain more bits and bites about an improved Authenticator enrollment experience for your end users and how you can use the GPS Coordinates provided via the Authenticator App to either restrict or provide access for the end user.
Upcoming blogs in this series:
- Nudging your users to the Microsoft Authenticator App for MFA.
- Improving the Authenticator App enrollment experience for your end users.
- Using GPS Coordinates from the Authenticator app to approve or block access.