Improving the Microsoft Authenticator App Notifications with Number Matching and Additional Context

The Microsoft Authenticator app is used by many organizations these days to secure their environments with Azure Multi-Factor Authentication, which is great, as it is one of the most secure ways Azure MFA offers to perform Multi-Factor Authentication. Of course, there are other ways to perform Multi-Factor Authentication, such as SMS and voice calls. These are in my opinion the least secure and least user-friendly of all the MFA methods available today (for example because of SIM hijacking, also known as SIM swapping). Besides that, they don't fit into a passwordless strategy! Alex Weinert has written a great blog about why, which you can find here.

So, a first call-out (from me) to every organization that hasn't done this already: encourage users to start using the Authenticator app to improve the security posture of their second factor, and, even more important, to make the Multi-Factor prompts more user-friendly for your end users! This can easily be done by implementing 'Nudge' (the registration campaign) for the Authenticator app; more details on how to implement this in your environment can be found in this blog.

Having said that, what about improving the notifications within the Authenticator app to make things even more secure and recognizable for your end users? Well, since a week or two, two additional features have been in public preview:

  • Number matching – When a user responds to an MFA push notification using Microsoft Authenticator, they are presented with a number that they need to type into the Authenticator app to complete the approval.
  • Additional context in notifications – When a user receives a passwordless phone sign-in or Multi-Factor Authentication push notification in the Authenticator app, they'll see the name of the application and the sign-in location (based on the IP address of the sign-in request).

Both options increase the security posture of Multi-Factor Authentication prompts within your organization. The first option, Number Matching, requires the user to type the number shown during the sign-in process into the Authenticator app. This reduces accidental approvals to a minimum, and it also defeats 'push bombing', where an attacker who already has the password keeps triggering prompts hoping the user approves one out of fatigue: without the number from the attacker's screen, the user cannot complete the approval. The second option, Additional Context in Notifications, shows the end user which identity is performing the Multi-Factor Authentication request, which application they are logging into and which location the sign-in request comes from, based on the IP address of the browser or client. This makes users think twice before they approve a Multi-Factor Authentication request (either with 'Number Matching' or the well-known 'Approve / Deny' option).

Now, to use both of these new features there are three important things to keep in mind:

  • If you are using the Azure MFA AD FS adapter, upgrade the AD FS adapter first to make use of the number matching feature; more information can be found here.
    (Although I would strongly recommend using Staged Migration to move off AD FS.)
  • If you are using the Azure MFA NPS Extension, upgrade the NPS Extension first to make use of the number matching feature; more information can be found here.
  • Number matching for admin roles during SSPR is pending and not available yet.

Now that we know the above, let's look at the steps you need to take from a technical perspective and what that looks like from an end-user perspective, so you can drive adoption and inform your users correctly as well!

How to enable the ‘Number matching’ feature for the Authenticator App!

To make sure your users can use this new feature, called Number Matching, let's make sure your Azure Active Directory is configured correctly. The first thing to check is the 'old' Multi-Factor Authentication settings page (the MFA service settings). On this page, make sure that under 'Verification options' the checkboxes for 'Notification through mobile app' and 'Verification code from mobile app or hardware token' are selected.

Once this is done, let's configure the 'Microsoft Authenticator' setting in Azure Active Directory. In the Azure portal, go to 'Azure Active Directory', click on 'Security' and hit 'Authentication methods'. Within this blade, click on 'Policies' and select the 'Microsoft Authenticator' option.

Here, make sure the 'Enable' setting is set to 'Yes' and a test group is included, in my case 'IdentityMan-Users' (but preferably select 'All users' for production). When the group is selected (or you've set the target to 'All users'), hit the 'three dots' and click 'Configure'.

Here, make sure the 'Authentication mode' setting is set to 'Push' (meaning push notifications or TOTP) or 'Any' (meaning push notifications, TOTP or passwordless phone sign-in).

NOTE: This functionality can also be enabled on the 'Passwordless' mode, but it won't have any effect there, as number matching is already part of the passwordless phone sign-in experience!

Next to the authentication mode, configure the 'Require number matching' feature as well: set 'Require number matching' to 'Enabled'.

NOTE: 'Microsoft managed' here means that the functionality will be enabled by default for all tenants a few months after general availability (GA) of the feature. So, if you want to prepare your users, start today by testing the feature, or disable it (not recommended though!) until you're ready to roll it out globally in your organization! Update: since May 2023 Microsoft enforces number matching for all Microsoft Authenticator push notifications tenant-wide, so 'Disabled' no longer switches it off; treat this setting as a way to test early, not as an opt-out.

Click on ‘Done’ when both settings have been configured.

If you chose 'Push' in the previous step, add a separate group as well for the users who will enroll for the passwordless phone sign-in experience (if you chose 'Any', you can skip the next four steps). Again, include a test group, in my case 'Password-less Phone Sign-in Users'. When the group is selected, hit the 'three dots' and click 'Configure'.

Here, select 'Passwordless' as the 'Authentication mode'.

Select 'Disabled' under 'Require number matching' here, as passwordless phone sign-in uses this functionality by default!

NOTE: As you can see, the 'Enabled' option is greyed out in the screenshot above. This is correct behaviour, as the feature can only be targeted to ONE security group in ONE target of the Microsoft Authenticator policy.

Click on ‘Done’ when both settings have been configured.

Verify the settings and hit ‘Save’ when done.

Now that we have (re-)configured the Authenticator app experience within the Azure portal, make sure your users are members of the group(s) you added to the Microsoft Authenticator policy above. With this last step the configuration in Azure Active Directory is finished, and your users can use the 'Number Matching' feature we just enabled while enrolling for Multi-Factor Authentication, while signing in and performing Multi-Factor Authentication, and during a passwordless sign-in. All three end-user experiences with 'Number Matching' enabled are shown below.

1. Enrolling for Multi Factor Authentication Behavior

2. Signing in and performing Multi Factor Authentication behavior

3. Signing in with Passwordless behavior

Besides sign-ins, this feature is also supported during a self-service password reset, provided you have enabled the 'App notification' option as an administrator within the self-service password reset authentication methods. The behaviour your end users will see is shown below.

Now that the 'Number matching' feature is enabled within your tenant, your users can start using it and you have prevented users from 'accidentally' approving bad sign-ins. With the security level of your tenant increased, let's look at the second option of this blog, the 'Additional Context' feature.

NOTE: If you are using the Azure MFA NPS Extension and want to make use of the number matching feature via the NPS Extension, please make the necessary registry configuration changes; more information can be found here.

Enable the ‘Additional Context’ in Authenticator App Notifications feature!

To make sure your users can use this new feature, called Additional Context, let's make sure your Azure Active Directory is configured correctly. For this, configure the 'Microsoft Authenticator' setting in Azure Active Directory. In the Azure portal, go to 'Azure Active Directory', click on 'Security' and hit 'Authentication methods'. Within this blade, click on 'Policies' and select the 'Microsoft Authenticator' option.

Here, make sure the 'Enable' setting is set to 'Yes' and a test group is included, in my case 'IdentityMan-Users' (but preferably select 'All users' for production). When the group is selected (or you've set the target to 'All users'), hit the 'three dots' and click 'Configure'.

Here, make sure the 'Authentication mode' setting is set to 'Push' (meaning push notifications or TOTP) or 'Any' (meaning push notifications, TOTP or passwordless phone sign-in).

Next to the authentication mode, configure the 'Show additional context in notifications' feature as well: set 'Show additional context in notifications' to 'Enabled'.

NOTE: 'Microsoft managed' here means that the functionality will be enabled by default for all tenants a few months after general availability (GA). So, if you want to prepare your users, start today by testing the feature, or disable it until you're ready to roll it out in your organization!

Click on ‘Done’ when both settings have been configured.

NOTE: If you chose 'Push' as the authentication mode in the previous step and want to configure the same behaviour for a separate group that uses the 'Passwordless' authentication mode, you will see a notification that this isn't possible. This is expected behaviour, as the feature can only be targeted to ONE security group in ONE policy target. I would therefore strongly recommend using one single target for your production users with the authentication mode set to 'Any', so you can use all features for all your end users!

Once ready, verify the settings and hit ‘Save’ when done.

Now that we have (re-)configured the Authenticator app experience within the Azure portal, make sure your users are members of the group(s) you added to the Microsoft Authenticator policy above. With this last step the configuration in Azure Active Directory is finished, and your users can use the 'Additional Context in notifications' feature we just enabled while signing in and performing Multi-Factor Authentication, and during a passwordless sign-in. Both end-user experiences are shown below with both 'Number Matching' and 'Additional Context in Notifications' enabled.
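Both portal walkthroughs above (the 'Number matching' one and the 'Additional context' one) change the same object: the Microsoft Authenticator configuration under the tenant's authentication methods policy, which Microsoft Graph exposes at `/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator`. The script below is an added example of mine, not code from the original post, that audits such a policy for the weak settings the post warns about and produces the hardened PATCH body. It uses the Graph v1.0 field names as I know them (`includeTargets[].authenticationMode`, `featureSettings.numberMatchingRequiredState`, `displayAppInformationRequiredState`, `displayLocationInformationRequiredState`; note that Graph splits 'additional context' into the app-name and location flags, and that the pre-GA payload at the time of the post looked different). The sample policy is constructed to mirror the 'Push' plus 'Microsoft managed' state from the walkthrough; the group id in it is a placeholder, and the network call needs a real token with `Policy.ReadWrite.AuthenticationMethod`, so it is never executed offline.

```python
"""Audit and harden the Microsoft Authenticator authentication-method policy (Microsoft Graph v1.0 shape)."""
from __future__ import annotations

import copy
import json
import urllib.request

GRAPH_URL = ("https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy"
             "/authenticationMethodConfigurations/MicrosoftAuthenticator")
ALL_USERS = {"targetType": "group", "id": "all_users"}   # Graph's convention for 'All users'
# The three feature flags behind the portal switches; "default" is what the portal
# shows as 'Microsoft managed', which is not the same as explicitly 'enabled'.
FEATURES = ("numberMatchingRequiredState",
            "displayAppInformationRequiredState",
            "displayLocationInformationRequiredState")


def audit(policy: dict) -> list:
    """Return findings for every setting weaker than the recommended configuration."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append("policy state is not 'enabled'")
    targets = policy.get("includeTargets", [])
    if not targets:
        findings.append("no includeTargets: nobody is scoped to the policy")
    for t in targets:
        # 'push' works, but 'any' is the single target mode that covers push, TOTP and passwordless.
        if t.get("authenticationMode") != "any":
            findings.append(f"target {t.get('id')!r} uses authenticationMode "
                            f"{t.get('authenticationMode')!r}, not 'any'")
    feats = policy.get("featureSettings", {})
    for name in FEATURES:
        state = feats.get(name, {}).get("state", "default")
        if state != "enabled":
            findings.append(f"{name} is {state!r}, not 'enabled'")
    return findings


def harden(policy: dict) -> dict:
    """Return a deep copy of the policy with number matching and additional context enforced."""
    p = copy.deepcopy(policy)
    p["state"] = "enabled"
    if not p.get("includeTargets"):
        p["includeTargets"] = [dict(ALL_USERS, isRegistrationRequired=False)]
    for t in p["includeTargets"]:
        t["authenticationMode"] = "any"
    feats = p.setdefault("featureSettings", {})
    for name in FEATURES:
        # One includeTarget per feature, matching the portal's single-group limitation.
        feats[name] = {"state": "enabled", "includeTarget": dict(ALL_USERS)}
    return p


def patch_body(policy: dict) -> dict:
    """Hardened policy with the @odata.type Graph expects on a PATCH of this resource."""
    body = harden(policy)
    body["@odata.type"] = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration"
    return body


def apply_policy(access_token: str, policy: dict) -> int:
    """PATCH the hardened policy to Graph (needs Policy.ReadWrite.AuthenticationMethod). Not run offline."""
    req = urllib.request.Request(
        GRAPH_URL, method="PATCH", data=json.dumps(patch_body(policy)).encode(),
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status   # Graph answers 204 No Content on success


# Constructed sample (not a real tenant): 'Push' mode for a single test group, number matching and
# app information left on 'Microsoft managed' (default) and location information switched off.
SAMPLE_BEFORE = {
    "id": "MicrosoftAuthenticator",
    "state": "enabled",
    "includeTargets": [{"targetType": "group", "id": "<IdentityMan-Users object id>",
                        "isRegistrationRequired": False, "authenticationMode": "push"}],
    "featureSettings": {
        "numberMatchingRequiredState": {"state": "default"},
        "displayAppInformationRequiredState": {"state": "default"},
        "displayLocationInformationRequiredState": {"state": "disabled"},
    },
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_BEFORE):
        print("FINDING:", finding)
    print(json.dumps(patch_body(SAMPLE_BEFORE), indent=2))
```

Run it against the live object by fetching `GRAPH_URL` with a `Policy.Read.All` token, feeding the JSON to `audit()` and, once the findings look right, to `apply_policy()`; `harden()` keeps your existing group target and only flips the mode and the feature states, so it will not silently widen the scope to all users unless the policy had no target at all.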

1. Signing in and performing Multi Factor Authentication behavior

2. Signing in with Passwordless behavior

Unlike the 'Number Matching' feature, the 'Additional Context in Notifications' feature is unfortunately not available during Multi-Factor Authentication enrollment (which is understandable) or during the self-service password reset process (☹).

We have now configured and tested both the 'Number Matching' and 'Additional Context' features, which improve the security posture of the tenant and inform your users about the approval requests they receive with additional context in the Microsoft Authenticator app.

Conclusion

By combining the 'Number Matching' and 'Additional Context' features with Nudge, the improved enrollment experience and the use of GPS coordinates to approve or block access, the Microsoft Authenticator app is definitely the way to go to secure your Azure AD environment. Let's say goodbye to methods like SMS and voice calls and give the Microsoft Authenticator app a warm welcome within your environment if you haven't already!

I hope you again enjoyed reading my blog about this feature, and stay tuned for more great new features of the Authenticator app in the future!

Blogs in this series:
