If you have been using the on-premises Azure MFA Server (which, by the way, is going to be fully deprecated – https://azure.microsoft.com/en-us/updates/azure-multifactor-authentication-server-will-be-deprecated-30-september-2024/), you already know that end users were able to report suspicious activities.
Well, this feature was missing from Azure AD MFA and is now becoming available.
First you need to enable it (it is not enabled by default – probably because it is currently in preview).
To enable it, log on to your Azure AD portal (https://aad.portal.azure.com/) and open the Azure Active Directory\Security\Authentication methods\Settings blade, or log on to the Entra portal (https://entra.microsoft.com/) and open the Protect & secure\Authentication methods\Settings blade.
When enabling Report suspicious activity, you can select whether it applies to all of your users or only to a specific group.
Once enabled, you can get the report from:
- either the Identity Protection\Risk detections blade, where it appears with detection type User Reported Suspicious Activity, risk level High and source End user reported;
- or the Active Directory\Sign-in logs blade, where it appears as MFA denied with Fraud Code Entered.
This feature works only with Authenticator prompt or phone call MFA requests.
To report the suspicious activity, the user has to use the No, it's not me button on the Authenticator request.
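As an added example (not code from the original post), the script below pulls the user-reported cases out of exported sign-in log records so they can be triaged separately from ordinary MFA denials. The record shape is assumed to follow the Microsoft Graph signIn JSON (authenticationDetails / authenticationStepResultDetail), and the sample records are constructed.

```python
"""Triage helper for the 'report suspicious activity' signal in sign-in logs.

Added example, not from the original post. Record shape ASSUMED to follow the
Microsoft Graph signIn JSON as exported from the portal or Log Analytics.
"""
import re

# Constructed sample sign-in records (shape assumed, values invented).
SIGNIN_LOGS = [
    {"id": "c1", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.7",
     "mfaDetail": {"authMethod": "Mobile app notification"},
     "authenticationDetails": [
         {"authenticationMethod": "Password",
          "authenticationStepResultDetail": "Correct password"},
         {"authenticationMethod": "Mobile app notification",
          "authenticationStepResultDetail": "MFA denied; fraud code entered"}]},
    {"id": "c2", "userPrincipalName": "bob@contoso.example",
     "ipAddress": "198.51.100.9",
     "mfaDetail": {"authMethod": "Mobile app notification"},
     "authenticationDetails": [
         {"authenticationMethod": "Mobile app notification",
          "authenticationStepResultDetail": "MFA successfully completed"}]},
    {"id": "c3", "userPrincipalName": "carol@contoso.example",
     "ipAddress": "192.0.2.44",
     "mfaDetail": {"authMethod": "Mobile app notification"},
     "authenticationDetails": [
         {"authenticationMethod": "Mobile app notification",
          "authenticationStepResultDetail": "MFA denied; user declined"}]},
]

# The page states the report surfaces as "MFA denied" with "Fraud Code Entered";
# match the fraud-code phrase case-insensitively.
FRAUD_RE = re.compile(r"fraud code entered", re.IGNORECASE)


def is_user_reported_fraud(record: dict) -> bool:
    """True when any MFA step in the record carries the fraud-code result.

    A plain decline (record c3) is not a fraud report: the user tapped Deny,
    whereas 'No, it's not me' produces the fraud-code result detail.
    """
    return any(FRAUD_RE.search(step.get("authenticationStepResultDetail", ""))
               for step in record.get("authenticationDetails", []))


def find_user_reported_fraud(records: list) -> list:
    """Return (user, source IP, sign-in id) for each fraud-reported sign-in."""
    return [(r["userPrincipalName"], r["ipAddress"], r["id"])
            for r in records if is_user_reported_fraud(r)]


if __name__ == "__main__":
    for user, ip, sid in find_user_reported_fraud(SIGNIN_LOGS):
        print(f"{user} reported fraud on sign-in {sid} from {ip}")
```

The source IP of a reported request is the obvious pivot for follow-up: the same IP showing up in other users' sign-ins within the same window is worth checking.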