As you know, you can secure access to your resources using Azure AD MFA and the Microsoft Authenticator application.
Over time, Azure AD MFA has evolved to provide more features, such as additional authentication methods (like FIDO keys) and support for starting the passwordless journey.
Well, several new features have been made available to increase security and awareness:
- Number matching MFA (in preview). This feature helps prevent accidental MFA approval, since, as we all know, most of the time end-users don't really pay attention to why they are getting prompted for MFA.
- Additional context information for the MFA prompt (in preview). This tells end-users why they are getting the MFA prompt, including the location from which the sign-in was initiated. This also helps reduce accidental approval.
- GPS location based for Conditional Access is now generally available (see https://t.co/o1oVtlNK9v).
- MFA Registration campaign (now generally available) to help onboard users to register for MFA (even if you could/should use .
To configure these features, connect to the Azure AD portal (https://aad.portal.azure.com/) and open the Azure Active Directory\Security\Authentication methods\Policies blade to edit the Microsoft Authenticator authentication method.
Additional context information
This feature is managed by Microsoft by default.
To enable it, open the ellipsis available under the Target section and edit the Show additional context in notification configuration setting.
The notification then shows the user account for which MFA is being requested, the application that initiated it, and the location from which the prompt was initiated.
If you enable only this option, end-users will still get the default MFA prompt. To see the details, they will still have to tap the notification itself (not Approve or Deny) to reveal the contextual information.
It is recommended to enable the Number matching feature too (see below).
Number matching
When number matching is enabled, end-users will no longer be able to simply Approve or Deny the MFA prompt. They will have to approve by entering the number displayed on the sign-in screen.
To enable it, open the ellipsis available under the Target section and edit the Require number matching configuration setting.
Once enabled, end-users will be prompted to enter the number displayed during the sign-in process.
When enabled together with Additional context information, the details are shown above the field used to enter the number.
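As an added example (not code from the original post), the Python helper below builds the Microsoft Graph request body that corresponds to the two portal switches described above, and audits a tenant's Microsoft Authenticator configuration against the recommendation to pair additional context with number matching. The Graph endpoint, the featureSettings names (numberMatchingRequiredState, displayAppInformationRequiredState) and the all_users / all-zero GUID target ids are assumptions taken from the preview-era beta schema; verify them against current Graph documentation before use. Nothing is sent over the network here, and the sample tenant configuration is constructed.

```python
"""Build and audit the Microsoft Authenticator method policy (added example).

Field names follow the Graph beta schema as it existed during the number
matching preview; treat them as assumptions and check current documentation.
"""
import json
from typing import List, Optional

# Assumed Graph endpoint for the Microsoft Authenticator method configuration.
GRAPH_URI = (
    "https://graph.microsoft.com/beta/authenticationMethodsPolicy/"
    "authenticationMethodConfigurations/microsoftAuthenticator"
)
ALL_USERS = "all_users"  # assumed well-known id for the "All users" target
NO_GROUP = "00000000-0000-0000-0000-000000000000"  # assumed "nothing excluded"


def feature_state(enabled: bool, exclude_group: Optional[str] = None) -> dict:
    """One featureSettings entry: state plus include/exclude targets."""
    return {
        "state": "enabled" if enabled else "disabled",
        "includeTarget": {"targetType": "group", "id": ALL_USERS},
        "excludeTarget": {"targetType": "group", "id": exclude_group or NO_GROUP},
    }


def build_patch_body(number_matching: bool = True,
                     additional_context: bool = True,
                     exclude_group: Optional[str] = None) -> dict:
    """Body for a PATCH to GRAPH_URI mirroring the two portal settings."""
    return {
        "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
        "featureSettings": {
            "numberMatchingRequiredState": feature_state(number_matching, exclude_group),
            "displayAppInformationRequiredState": feature_state(additional_context, exclude_group),
        },
    }


def audit(config: dict) -> List[str]:
    """Return findings for a configuration as returned by a GET on GRAPH_URI."""
    findings = []
    fs = config.get("featureSettings", {})
    nm = fs.get("numberMatchingRequiredState", {})
    ctx = fs.get("displayAppInformationRequiredState", {})
    nm_on = nm.get("state") == "enabled"
    ctx_on = ctx.get("state") == "enabled"

    if not nm_on:
        findings.append("number matching disabled: users can still tap Approve on a prompt they did not expect")
    elif nm.get("includeTarget", {}).get("id") != ALL_USERS:
        findings.append("number matching is not targeted at all users")
    elif nm.get("excludeTarget", {}).get("id") not in (None, NO_GROUP):
        findings.append("number matching excludes group " + nm["excludeTarget"]["id"])

    if not ctx_on:
        findings.append("additional context disabled: prompt shows no application or location")
    elif not nm_on:
        # Mirrors the post: context alone keeps the plain Approve/Deny prompt,
        # and the details are only visible after tapping the notification.
        findings.append("additional context without number matching: accidental approval still possible")
    return findings


# Constructed sample: a tenant that turned on context but not number matching.
WEAK_TENANT = {
    "featureSettings": {
        "numberMatchingRequiredState": feature_state(False),
        "displayAppInformationRequiredState": feature_state(True),
    }
}

if __name__ == "__main__":
    print(json.dumps(build_patch_body(), indent=2))
    for finding in audit(WEAK_TENANT):
        print("FINDING:", finding)
```

To apply the body, send it as a PATCH to GRAPH_URI with an access token that holds the Policy.ReadWrite.AuthenticationMethod permission (also an assumption to verify), then GET the same URI and run audit() over the response to confirm both settings landed for all users.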