Anyone serious about tightening the MFA posture of your Microsoft 365 tenant should take a look at the new security features which are generally available for all. In this article, we will go through the features in detail and how to deploy them.
We all live in a digital world where most of the applications and services force you to complete an MFA challenge and we have gotten so used to approving it without thinking, popularly known as MFA fatigue. And there has been an increase in these type of fatigue attacks, where the end user approves the authentication requests blindly (it kind of becomes muscle memory)!
Microsoft has rolled out a good set of security features to compact this and to provide the end user more context on the location of the user who is trying to approve (which should sound alarm bells if the authentication is triggering from US & you are in London) and forcing the user to input a number shown on the authenticator app in the screen. I have come across this number matching in MFA in other applications and it is about time that Microsoft has decided to roll it out.
The current MFA push notification on the mobile phone is simple – you either approve or deny.
Once the new security features have been rolled out, it gives you three more pieces of information on the authenticator app. First is forcing the user to enter the number shown in the authenticator app into the application you are trying to login to (Outlook on the Web for example).
Second is that it shows the user the location from which the MFA trigger is coming – the actual location of the user who is trying to authenticate – it could be you (legitimate trigger) or someone else.
Third is that it will display the application that you are trying to connect to, say Exchange Online for example.
How To Deploy These Security Features?
Let’s take a look at how to deploy these features within your tenant. Login to Azure Active Directory and navigate to the Security tab.
Within Security, click on Authentication Methods tab.
Navigate to Authentication Methods -> Policies. Click on ‘Microsoft Authenticator’ in the middle pane. The policies that we configure can be applied to both push and password less approval modes.
On the ‘Basics’ tab, enable Microsoft Authenticator if it is not already set. You can set the target to ‘All Users’ or select a set of users or groups. Set the authentication mode, ‘push’ in my case.
There are three options to enable in the ‘Configue’ tab. Set the status of ‘Require number matching for push notifications’ to ‘Enabled’. It was set to Microsoft Managed in my tenant, which means that the policy will be enabled at a date set by Microsoft. It is best that the admins have control of this. You can also apply it to all users or a single group. Deploying it to a pilot group will be a good idea to get a look and feel before you roll it out organization wide. You can also exclude a group.
Set the same options for ‘Show application name in push and passwordless notifications’ and ‘show geographic location in push and passwordless notifications’ – status to enabled and the right target audience.
Save the config and wait for Azure to catch up with the policy changes. The MFA trigger on the phone should show the new options within 10 minutes (in my case). In any case, it shouldn’t take too long. Below is the MFA trigger with the new features.
What if you are already using CA policies for MFA?
Nothing, it is not going to interfere with the CA policy you have. These security features will only add the extra information (the number, location and application name) to the MFA prompt so that the end user can make an informed decision.
Your CA policy will continue to trigger MFA for the users in scope & the features you have configured will be shown to the end user.
If you are worried about the behaviour, select your own account in all the options for the target above, keep your CA policies as it is & test. All other users will continue to have MFA the old way and you alone will have the new features.
This configuration is a must in my opinion – it gives the user something to do (input the number from the authenticator app) and also much more info on where the connection is triggered & to which application. Microsoft has stated that the number matching feature will be enabled for all tenants by Feb 2023 & hence the option ‘Microsoft managed’. You do have the option to disable the features, but why would you? And how long before Microsoft will forcefully enable it for all as it improves the security posture?
Will you be enabling the feature at least for a pilot group? Do let me know in the comments.