So, this is a good one! Mistakes such as approving a rogue MFA request are easily made, and that is where location information and number matching come into play. They make it easier for us to identify a rogue MFA request (one initiated by a bad actor) before approving it.
❗ First things first… note that this feature is still in preview – so use it wisely in a lab environment.
Official MS documentation is found here: Use additional context in multifactor authentication (MFA) notifications (Preview) – Azure Active Directory | Microsoft Docs
Let’s rock enroll
Initially we only had one way to enable location info and number matching (via Graph), but now we can do it directly from the Azure portal. We will cover both methods below.
Method 1 (use the Azure portal)
- Open: Azure portal
- Navigate to: Azure Active Directory -> Security -> Authentication Methods -> Microsoft Authenticator
- Click: Yes
- Target: Pick at least one user/group or use All users
- Now click the three dots and Configure
- Authentication mode: Any (this will allow the settings to be applied to both password-less and push authentications)
- Require number matching (preview): Enabled
- Require Show additional context in notifications (preview): Enabled
- Click: Done
- Click: Save
Method 2 (use Graph Explorer)
1. Head over to MS Graph Explorer: https://aka.ms/ge
2. Click: Sign in to Graph Explorer (use an admin account)
3. Now we need to switch the schema from v1.0 to beta
4. Note how the URL changes from v1.0 to beta
5. Paste this URL in the URL box: https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator
6. Click: Run query
7. If you get the “Forbidden – 403. You need to consent the permissions…” error, go to step 8 – otherwise skip to step 11
8. Click: Modify permissions (Preview)
9. The required permission(s) should be visible; have a look at them and click Consent
10. Click: Run query again to make sure the error message is gone and that we get a good response
11. Copy the response and paste it into the request body, then change both displayAppInformationRequiredState and numberMatchingRequiredState to enabled
12. Now all we need to do is change from GET to PATCH and click Run query
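The "copy the response, set both states to enabled, PATCH it back" part of the Graph method, as an added example that is not from the original post: it audits which of the two features are not yet enabled and builds the PATCH body offline. The GET response is a constructed sample, and the nesting of each feature under featureSettings with a state field is an assumption about the beta schema.

```python
import copy
import json

# The beta endpoint from the post (these settings were not exposed in v1.0 at the time).
GRAPH_URL = ("https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/"
             "authenticationMethodConfigurations/microsoftAuthenticator")
FEATURES = ("numberMatchingRequiredState", "displayAppInformationRequiredState")


def _feature(state):
    # Assumed beta schema: each feature carries a state plus include/exclude targets.
    return {"state": state,
            "includeTarget": {"targetType": "group", "id": "all_users"},
            "excludeTarget": {"targetType": "group", "id": "00000000-0000-0000-0000-000000000000"}}


# Constructed sample GET response (not captured from a real tenant); both features still "default".
SAMPLE_GET_RESPONSE = {
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",
    "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
    "id": "MicrosoftAuthenticator",
    "state": "enabled",
    "featureSettings": {f: _feature("default") for f in FEATURES},
    "includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#Collection(microsoft.graph.authenticationMethodTarget)",
    "includeTargets": [{"targetType": "group", "id": "all_users", "isRegistrationRequired": False}],
}


def audit_features(config):
    """Return the feature names that are NOT 'enabled' (an empty list means both protections are on)."""
    settings = config.get("featureSettings") or {}
    return [f for f in FEATURES if (settings.get(f) or {}).get("state") != "enabled"]


def build_patch_body(config):
    """Copy the GET response and set both feature states to 'enabled'.
    Response-only @odata.context annotations are dropped; @odata.type is kept because the
    authenticationMethodConfigurations collection is polymorphic and PATCH needs it."""
    if "featureSettings" not in config:
        raise ValueError("no featureSettings in response; make sure you queried the beta endpoint")
    body = copy.deepcopy({k: v for k, v in config.items() if not k.endswith("@odata.context")})
    for feature in FEATURES:
        body["featureSettings"].setdefault(feature, _feature("default"))["state"] = "enabled"
    return body


if __name__ == "__main__":
    print("not yet enabled:", audit_features(SAMPLE_GET_RESPONSE))
    patch = build_patch_body(SAMPLE_GET_RESPONSE)
    print("after the PATCH body is applied:", audit_features(patch))
    print("PATCH", GRAPH_URL)
    print(json.dumps(patch, indent=2))
```

Running audit_features against a live GET response is a quick way to confirm the change actually landed after step 12, rather than trusting the 2xx status alone.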
That’s it! Two fairly easy methods to enable strong and very much needed features to our beloved Microsoft Authenticator app 😍