As you know, Azure AD allows you to request multi-factor authentication (MFA) using the Azure AD MFA and Microsoft Authenticator application.
Since its introduction, Azure AD MFA has been continuously improved.
The latest improvement is to require number matching during the MFA process, to avoid accidental approvals and to fight MFA fatigue attacks (see https://t.co/89FilYohrQ).
Well, this number matching feature for MFA will be enabled for all users starting at the end of February 2023 (February 27).
If you have not enabled it yet, you will need to communicate the change to your end users.
This change impacts:
- any MFA request
- SSPR and combined registration flows
- AD FS; you will need to ensure your AD FS servers have the following updates installed:
  - Windows Server 2022: October 26, 2021 update, KB5006745
  - Windows Server 2019: October 19, 2021 update, KB5006744
  - Windows Server 2016: October 12, 2021 update, KB5006669
- NPS extension for MFA; starting with version 1.2.2131.2 (as always, ensure you are running the latest version available here: https://www.microsoft.com/download/details.aspx?id=54688), users will be required to perform number matching. Because the NPS extension cannot display the number to be matched, users will instead be asked to enter a One Time Password (OTP) from either the Microsoft Authenticator app or a software/hardware token. If the user does not have an OTP method registered, they will continue to get the approve/deny experience. You can override this using the registry key below (use the exact string, including the case):
  - Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa
  - Key type: String
  - Key name: OVERRIDE_NUMBER_MATCHING_WITH_OTP
  - Key value: TRUE
- Apple Watch; Apple Watch does not support number matching, so it is recommended to uninstall Microsoft Authenticator from Apple Watch.
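As an added example (not from the original post or from Microsoft), the following PowerShell snippet checks a server against the AD FS update and NPS extension items above before the February 27 deadline. It assumes the NPS extension's uninstall entry has a DisplayName containing "NPS Extension" and "Azure" (an assumption; adjust the pattern if yours differs), and it only reads the override value described above rather than changing it.

```powershell
# Readiness check for the number matching enforcement (added example, not from the post).
# Assumption: the NPS extension's uninstall entry DisplayName matches '*NPS Extension*Azure*'.
$requiredKb = @{
    'Windows Server 2022' = 'KB5006745'
    'Windows Server 2019' = 'KB5006744'
    'Windows Server 2016' = 'KB5006669'
}

# 1. AD FS prerequisite: is the update for this OS version present?
$os = (Get-CimInstance Win32_OperatingSystem).Caption
$kb = $requiredKb.GetEnumerator() | Where-Object { $os -like "*$($_.Key)*" } | Select-Object -First 1
if ($kb) {
    # Get-HotFix lists individual KB ids; a later cumulative update supersedes these,
    # so "not found" is only a hint to verify the Windows Update history, not proof it is missing.
    $installed = Get-HotFix -Id $kb.Value -ErrorAction SilentlyContinue
    $state = if ($installed) { 'installed' } else { 'not found (verify a newer cumulative update is present)' }
    "AD FS prerequisite {0} for {1}: {2}" -f $kb.Value, $kb.Key, $state
} else {
    "OS '$os' is not one of the listed AD FS server versions"
}

# 2. NPS extension: version check against 1.2.2131.2 and the override value
$uninstallPaths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$nps = Get-ItemProperty $uninstallPaths -ErrorAction SilentlyContinue |
       Where-Object { $_.DisplayName -like '*NPS Extension*Azure*' } | Select-Object -First 1
if ($nps) {
    $minVersion = [version]'1.2.2131.2'
    $current    = [version]$nps.DisplayVersion
    $verdict = if ($current -ge $minVersion) { 'number matching applies (users get an OTP prompt)' }
               else { 'older than 1.2.2131.2, update before February 27, 2023' }
    "NPS extension {0}: {1}" -f $current, $verdict

    # Report the override value from the post without modifying it
    $override = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\AzureMfa' `
                    -Name OVERRIDE_NUMBER_MATCHING_WITH_OTP -ErrorAction SilentlyContinue
    if ($override) { "OVERRIDE_NUMBER_MATCHING_WITH_OTP = $($override.OVERRIDE_NUMBER_MATCHING_WITH_OTP)" }
    else           { "OVERRIDE_NUMBER_MATCHING_WITH_OTP not set (default behaviour applies)" }
} else {
    "NPS extension for Azure MFA not found on this host"
}
```

Run it on each AD FS and NPS server; the KB lookup is by exact id, so on a host patched with a later cumulative update confirm the build through Windows Update history rather than treating "not found" as a failure.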