Azure AD – New security features are now available for Azure MFA

As you know, you can secure access to your resources using Azure AD MFA and the Microsoft Authenticator application.

Over time, Azure AD MFA has evolved to provide more features, such as additional authentication methods (like FIDO keys) and support for starting the password-less journey.

Well, several new features have been made available to increase security and user awareness:

  • Number matching MFA (in preview). This feature helps prevent accidental MFA approval, since, as we all know, most of the time end users don’t really pay attention to why they are getting prompted for MFA.
  • Additional context information in the MFA prompt (in preview). This tells end users why they are getting an MFA prompt, including the location from which the sign-in was initiated. This also helps reduce accidental approvals.
  • GPS location-based Conditional Access is now generally available (see https://t.co/o1oVtlNK9v).
  • MFA Registration campaign (now generally available) to help onboard users to register for MFA (even if you could/should use .

To configure these features, connect to your Azure AD portal (https://aad.portal.azure.com/) and access the Azure Active Directory\Security\Authentication methods\Policies blade to edit the Microsoft Authenticator authentication method.


Additional context information

This feature is managed by Microsoft by default.

To enable it, open the ellipsis available under the Target section and edit the Show additional context in notification configuration setting.


The prompt will then show the user account for which MFA is being requested, the application that initiated it, and the location from which the prompt was initiated.

If you enable only this option, end users will still get the default MFA prompt. To see the details, they still have to tap the notification itself (not Approve or Deny) to reveal the contextual information.

It is recommended to enable the Number matching feature too (see below).


Number matching

When the number matching prompt is enabled, end users can no longer simply Approve or Deny the MFA prompt. They have to approve by selecting the number displayed on the sign-in screen.

To enable it, open the ellipsis available under the Target section and edit the Require number matching configuration setting.


Once enabled, end users are prompted to enter the number displayed during the logon process.


When enabled together with the Additional context information, the details are shown above the field used to enter the number.
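The same three settings can be managed through the Microsoft Graph beta API instead of the portal. As an added example (not part of the original post), the Python below builds the PATCH payload for the Microsoft Authenticator method configuration and audits a tenant's current configuration for settings left at their defaults; the property names (numberMatchingRequiredState, displayAppInformationRequiredState, displayLocationInformationRequiredState) are assumed from the Graph beta schema, no request is actually sent, and the sample configuration is constructed.

```python
import json

# Assumed Graph beta endpoint for the Microsoft Authenticator method policy.
# Only the payload and the audit logic are shown; nothing is sent over the network.
GRAPH_URL = ("https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy"
             "/authenticationMethodConfigurations/microsoftAuthenticator")

def feature(state: str, target_id: str = "all_users") -> dict:
    """One featureSettings entry; state is 'enabled', 'disabled' or 'default'."""
    return {"state": state,
            "includeTarget": {"targetType": "group", "id": target_id}}

def build_patch_body(number_matching: bool, app_info: bool, location: bool) -> dict:
    """Payload for PATCH GRAPH_URL that sets the three features for all users."""
    def on(flag: bool) -> str:
        return "enabled" if flag else "default"
    return {
        "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
        "featureSettings": {
            "numberMatchingRequiredState": feature(on(number_matching)),
            "displayAppInformationRequiredState": feature(on(app_info)),
            "displayLocationInformationRequiredState": feature(on(location)),
        },
    }

def audit(config: dict) -> list:
    """Return findings for a configuration as returned by GET GRAPH_URL."""
    findings = []
    if config.get("state") != "enabled":
        findings.append("Microsoft Authenticator method is not enabled")
    fs = config.get("featureSettings", {})
    for name, label in (("numberMatchingRequiredState", "number matching"),
                        ("displayAppInformationRequiredState", "application context"),
                        ("displayLocationInformationRequiredState", "location context")):
        f = fs.get(name, {})
        if f.get("state") != "enabled":
            findings.append(f"{label} is not enforced (state={f.get('state', 'missing')})")
        elif f.get("includeTarget", {}).get("id") != "all_users":
            findings.append(f"{label} is enabled only for group {f['includeTarget'].get('id')}")
    return findings

# Constructed sample: a tenant that still has the preview features at their defaults.
SAMPLE_CONFIG = {
    "id": "MicrosoftAuthenticator",
    "state": "enabled",
    "featureSettings": {
        "numberMatchingRequiredState": feature("default"),
        "displayAppInformationRequiredState": feature("default"),
    },
}

if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print("FINDING:", line)
    print(json.dumps(build_patch_body(True, True, True), indent=2))
```

Running the audit against the constructed sample reports all three features as not enforced; applying the generated body and re-auditing yields no findings.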
