More and more organizations are starting to enforce MFA during logins, which in itself is very good, but attackers are also getting more resourceful and are now finding their way past MFA prompts. One way attackers get past the prompts is that users become complacent and approve MFA prompts on their devices even though they are not actively trying to log in to anything. One way to combat this is to use number matching, application name and geographic location in the MFA prompts, which at the time of writing are in Preview.
This short guide will take you through how to enable these options. You might not want to enable all three, but I would highly recommend using at least one of them to supplement the MFA prompts.
Start by logging into your Azure Portal, then open Azure Active Directory and select Security.
Select Authentication methods
Select Microsoft Authenticator
If Authenticator hasn't already been enabled in the tenant you will have to do so by enabling it and assigning it to either a test user group or All Users. Open the context menu and set Authentication mode to Any. Then click Save, go back to Authentication Methods and select Microsoft Authenticator again.
You will now see the Configure menu, and here you will have three options:
- Require number matching for push notifications
- Show application name in push and passwordless notifications
- Show geographic location in push and passwordless notifications
To enable each one, simply set its status to Enabled and set Target to either All users or a selected group. When you are done configuring the settings, don't forget to click Save.
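If you would rather script the same three settings than click through the portal (for example to roll them out to several tenants or to pilot on a group before going to All users), the Microsoft Authenticator method policy can be set through Microsoft Graph. This is an added example and not part of the original guide; it assumes the Microsoft.Graph PowerShell module, an account holding the Authentication Policy Administrator role, and that the Graph beta property names used below (numberMatchingRequiredState, displayAppInformationRequiredState, displayLocationInformationRequiredState) still match the current schema, which you should verify since the feature is in Preview.

```powershell
# Added example (not from the original post): enable number matching, app name
# and location in Microsoft Authenticator prompts via Microsoft Graph (beta).
# Assumptions: Microsoft.Graph module installed, caller has the Authentication
# Policy Administrator role, and the beta property names below are current.

Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"

$uri = "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator"

# Target for all three features. "all_users" applies to everyone; replace the id
# with a group object id to pilot on a test group first (constructed placeholder).
$target = @{ targetType = "group"; id = "all_users" }

$body = @{
    "@odata.type"   = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration"
    featureSettings = @{
        # Require number matching for push notifications
        numberMatchingRequiredState             = @{ state = "enabled"; includeTarget = $target }
        # Show application name in push and passwordless notifications
        displayAppInformationRequiredState      = @{ state = "enabled"; includeTarget = $target }
        # Show geographic location in push and passwordless notifications
        displayLocationInformationRequiredState = @{ state = "enabled"; includeTarget = $target }
    }
}

Invoke-MgGraphRequest -Method PATCH -Uri $uri `
    -Body ($body | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Read the policy back so you can confirm the change actually applied
# (a PATCH that is silently ignored is the usual failure mode with Preview APIs).
$cfg = Invoke-MgGraphRequest -Method GET -Uri $uri
foreach ($feature in $cfg.featureSettings.GetEnumerator()) {
    "{0}: state={1}, target={2}" -f $feature.Key,
        $feature.Value.state,
        $feature.Value.includeTarget.id
}
```

The read-back should list all three features with state=enabled and target=all_users (or your pilot group id); if any still reads "default", the PATCH did not take and the portal setting is unchanged.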
Now, what will this look like for your users? The screenshot below is from an iOS device where number matching, show application name (OfficeHome) and show geographic location have been enabled. The number the user has to enter is displayed in the application or on the site the user is trying to access. In this case the authentication window for Jason is asking him to enter the number 88.