Nowadays we see lots of environments being secured with Azure Multi Factor Authentication, which is great. However, where we as IT administrators would rather encourage users to use the Microsoft Authenticator App, users are still choosing less modern and user-friendly scenarios to handle their second factor sign-in, such as SMS or Voice calls.
These last mentioned second factor methods (SMS & Voice Call) are in my opinion the least secure and least user-friendly options of all the MFA methods available today (due to for example potential SIM-hijacking). Besides that, they don’t fit in to a password less strategy! Alex Weinert has written a great blog about why, which you can find here.
But how can we encourage users to start using the Authenticator App to improve the security posture of their second factor sign-in? Or even better: Make sure these users are prepped for a password less strategy? Apart from writing good instructions for your end users which they can follow to enroll within the Authenticator App, we still see that users are ignoring these messages. This because they think it is ‘okay’ right now when using SMS or Voice, for other users it ends up as an unread item in Outlook with low priority at the bottom of a very long ‘todo’ list.
So, what other options do we have today to encourage or end users today to move to the Authenticator App? Well since June this year there is a new feature called Nudge or as know today the Registration Campaign! The Registration Campaign will prompt your end users on sign-in to setup the Authenticator App if they have not done so already. It will keep prompting the end user each X days and will keep doing so until the end user has registered the Authenticator App for their account. Once the user has walked through these steps the primary authentication method is automatically change to the authenticator app.
NOTE: If the user has already setup the Authenticator App with their account but has not set it as their primary method, the Registration Campaign functionality will not be triggered. Registration Campaign is today purely used for users who have not setup an Authenticator App registration for their account yet.
Now what are the requirements to use the Registration Campaign within your environment:
- Your organization must have enabled Azure MFA; Nudge will not work for the initial MFA registration without the user being required for MFA. It will therefore trigger after the user has registered for MFA whereby the user did not use the Authenticator App.
- It only works if users have not yet set up the Microsoft Authenticator for push notifications on their account; If an Authenticator App registration is found for the user (even if it is inactive) the Nudge prompt will not appear.
- Admins need to enable users for Microsoft Authenticator using one of these policies:
- MFA Registration Policy – Users will need to be enabled for Notification through mobile app, if this option is disabled within the tenant the user will not get a nudge prompt.
- Authentication Methods Policy – Users will need to be enabled for the Microsoft Authenticator and the Authentication mode must be set to Any or Push. If the policy is set to Password less only, the user will not be eligible for the nudge.
Once all these requirements are in place, we can start implementing the feature!
Step 1: Run through the necessary configuration steps in Azure Active Directory
First, we will create two Security Groups, the ‘IdentityMan-Nudge-Users’ for the users who should be prompted with a Nudge to register the Authenticator App as a second factor.
The other group ‘IdentityMan-Nudge-Excluded-Users’ is there so, you as an administrator, can easily opt-out users so they will not be prompted with a Nudge to register the Authenticator App as a second factor.
NOTE: An exclude group can be helpful when you have included a group which is used for other purposes as well (like group-based licensing as example).
Now let’s enable the Registration campaign (Nudge function) within the Azure Active Directory by going to Security and hit the Authentication Methods blade. In here on the left select ‘Registration Campaign’ and hit ‘Edit’ next to settings on the right side of the screen.
IMPORTANT NOTE: In the above screen you can see that the ‘default state’ is called Microsoft Managed. This simply means that once Microsoft turns the feature on by default, your tenant will reflect these settings as well. More information about this ‘Microsoft Managed’ setting can be found here.
In here make sure to change the ‘State’ to Enabled, configure the ‘Snooze Duration’ to i.e. 7 days and select the exclusion group we created earlier at the ‘Excluded users and groups’ option.
NOTE: When you configure the ‘Days allowed to snooze’ to ‘0’ the user is prompted each time during sign in. I would recommend you keeping this value as low as possible, if you ‘Nudge’ your end users more for registering the authenticator app the result of registrations will increase.
Now we have determined that the setting is enabled, let’s make sure to configure for which users it’s enabled. Next to the Microsoft Authenticator method (which is currently the only option), include the group we created earlier which should have the ‘Nudge’ functionality enabled.
Once your configuration is ready, please hit ‘Save’ to apply the settings.
NOTE: It can take up to a minute or 10 before the policy becomes active, at that point your users are starting to receive the Nudge when they logon to the Azure Active Directory.
To make sure your users are eligible to receive this prompt, lets first check two settings. The first setting can be found on the ‘old’ Multi Factor Authentication settings page. On this page, make sure that under the ‘Verification options’ the checkbox for ‘Notification through mobile app’ is selected.
The second setting which needs to be checked is the ‘MicrosoftAuthenticator’ setting in Azure Active Directory. This can be found when going to the Azure-portal page, go to ‘Azure Active Directory’, click on ‘Security’ and hit ‘Authentication Methods’. Within this blade click on ‘Policies’ and select the ‘MicrosoftAuthenticator’ option.
In here make sure the setting Enable is set to ‘Yes’ and at least the test group we have created is included (but preferably select ‘All Users’). When the group is selected (or you’ve put the setting to ‘All Users’). Hit the ‘three dots’ and click ‘Configure’.
In here make sure the ‘Authentication Mode’ setting is set to ‘Any’ (meaning Push notifications, TOTP or Passwordless) or ‘Push’ (meaning Push notifications or TOTP), this as when the user is only eligible for ‘Passwordless’ the Nudge won’t appear.
Click on ‘Done’ when the authentication mode has been configured.
Verify the settings and hit ‘Save’ when done.
NOTE 1: If a user is targeted for both ‘Passwordless’ and ‘Push’ the Nudge prompt will still appear as the user is eligible for ‘Push’ notifications.
NOTE 2: If the above configuration is not correct the user will receive an error message about this which is shown below. If this is the case, please revise the Authentication Policies and walk through the above steps again.
Now add your user to the group which will enable the Nudge notification. With this last step the configuration in Azure Active Directory for Nudge has been finished!
Step 2: Test the user experience.
After a successful logon with multi-factor authentication the user will see the nudge below. This is what we have just enabled and is actually telling the end user, it’s great that you’ve used multi factor authentication via i.e. SMS or Voice call but there is a better more user friendly way to execute this multi factor authentication. When the user hits ‘Not now’ he or she is going to snooze the nudge, in my configuration example above I have used 7 days which implies it will take a week for the end user to be nudged again. If I hit ‘Next’ the enrollment of the Authenticator App will start.
At that point, the user is prompted with the normal experience to start the enrollment for the Authenticator App.
Once the user has walked through the whole wizard the Authenticator App is configured, but even better: it is immediately set as the default method for second factor authentications for the user!
Step 3: Monitor the user activity of enrollments as an administrator
Now to monitor the active enrollments of end users from an administrator point of view, go to the ‘Activity’ within the ‘Authentication Methods’ blade in Azure Active Directory.
In the ‘Activity monitoring’ we can see on the left side what your users have registered as an authentication method within the Azure Active Directory.
On the right side within the ‘Activity monitoring’ we can see what users have used the lately as a registration option within you Azure Active Directory.
You can even drill down into the logs, for a specific authentication method, which users have registered as new methods, an example for the app notifications is therefore shown below.
By turning on Nudge you as an administrator should therefore see an increase of the ‘App Notification’ method on both registration and registered methods. This gives you proof as an IT administrator that your Nudge setup for the authenticator app is successful, besides that you are one step closer to a safer environment whereby you could think of implementing the passwordless phone sign-in feature as a next step. More about this passwordless phone sign-in implementation can be found on my other blog post.
So don’t wait any longer, start using Nudge today to improve the security posture of your environment and to provide a more user friendly second factor logon experience for end users as well!
I again hope you enjoyed reading my blog about this new feature! Stay tuned for some more new great features of the authenticator app soon. This whereby I will explain more bits and bites about an improved Authenticator enrollment experience for your end users and how you can use the GPS Coordinates provided via the Authenticator App to either restrict or provide access for the end user.
Upcoming blogs in this series:
- Nudging your users to the Microsoft Authenticator App for MFA.
- Improving the Authenticator App enrollment experience for your end users.
- Using GPS Coordinates from the Authenticator app to approve or block access.
2 thoughts on “Nudging your users to the Microsoft Authenticator App for MFA with the Registration Campaign!”
If the Excluded users and groups is set to None and the Authentication methods has three staff members included, who will be nudged?
Only users who are allowed for the authenticator app push notifications and haven’t set it up will receive these messages. However please take into account that you have the ‘legacy’ MFA settings on the old portal as well and as mentioned on my blog. As that is a tenant setting everyone included in the registration campagin would be prompted as everyone is eligible for it. With the new public preview, you are able to migrate these legacy methods first to authentication methods so you got more granular control about who would receive those messages, in that case you would be able to include everyone, but it will only hit those uses who are eligible for the authenticator app as configured in the authentication methods settings.
Hope that helps :-).