Enable Location Information and Code Match for Azure MFA

Update 26-11-2021

As this feature is now in public preview, you can also manage these settings via the Azure portal. You can find them under Azure Active Directory -> Security -> Authentication methods -> Authenticator App.

By default, both settings are managed by Microsoft. You can either enable or disable the feature.


Learn more from the Microsoft docs:

Use number matching in multifactor authentication (MFA) notifications (Preview) – Azure Active Directory | Microsoft Docs
Use additional context in multifactor authentication (MFA) notifications (Preview) – Azure Active Directory | Microsoft Docs

Original article starts here

Today, a quick tip that I’d like to share with you. When scrolling through Twitter, this tweet caught my attention, and I asked Nathan if I could write this down for everybody to read. So, thanks Nathan for pointing this out. Good catch!

How to enable this

Now, to start off, this “feature” is not officially supported, so don’t use this in your production environment. When enabling this on your tenant, users will be prompted for Code Match with Azure MFA and Phone Sign-in using the Authenticator app. It can only be set using Graph API.

Go to https://aka.ms/ge, make sure you are signed in and have the right permissions to change tenant settings. If not done already, please consent to the Policy.ReadWrite.AuthenticationMethod permission.

Run the following query:

GET https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator

Now grab the response and copy it into the request body. Your body might look like this:

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",
    "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
    "id": "MicrosoftAuthenticator",
    "state": "enabled",
    "includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
    "includeTargets": [
        {
            "targetType": "group",
            "id": "all_users",
            "isRegistrationRequired": false,
            "authenticationMode": "any",
            "outlookMobileAllowedState": "default",
            "displayAppInformationRequiredState": "default",
            "numberMatchingRequiredState": "default"
        }
    ]
}

Change the value of numberMatchingRequiredState to enabled, and select PATCH to update the policy. This will enable Code Match for Azure MFA.

You can also set displayLocationInformationRequiredState to enabled, to show location and app information on the MFA and sign-in prompts.

    "displayLocationInformationRequiredState": "enabled",
    "numberMatchingRequiredState": "enabled"
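The same GET-edit-PATCH round trip as a small script, added here as an example and not code from the original post. It assumes you already hold a bearer token with the Policy.ReadWrite.AuthenticationMethod permission (obtained however you normally acquire Graph tokens); the sample response is a constructed copy of the body shown above, and the helper names are my own.

```python
import json
import urllib.request

# Beta endpoint used in the post (the only place this setting could be changed at the time).
GRAPH_URL = ("https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy"
             "/authenticationMethodConfigurations/microsoftAuthenticator")

# Constructed sample: the GET response from the post, trimmed to the fields we touch.
SAMPLE_RESPONSE = {
    "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
    "id": "MicrosoftAuthenticator",
    "state": "enabled",
    "includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#...",
    "includeTargets": [{
        "targetType": "group", "id": "all_users", "isRegistrationRequired": False,
        "authenticationMode": "any", "outlookMobileAllowedState": "default",
        "displayAppInformationRequiredState": "default",
        "numberMatchingRequiredState": "default",
    }],
}

ENFORCED = ("numberMatchingRequiredState", "displayLocationInformationRequiredState")


def build_patch_body(config: dict, location_info: bool = True) -> dict:
    """Turn a GET response into a PATCH body: every includeTarget gets number matching
    (and optionally location info) set to 'enabled'; read-only @odata annotations are dropped."""
    targets = []
    for target in config.get("includeTargets", []):
        cleaned = {k: v for k, v in target.items() if not k.startswith("@")}
        cleaned["numberMatchingRequiredState"] = "enabled"
        if location_info:
            cleaned["displayLocationInformationRequiredState"] = "enabled"
        targets.append(cleaned)
    return {"@odata.type": config["@odata.type"], "id": config["id"],
            "state": config["state"], "includeTargets": targets}


def targets_enforced(config: dict) -> bool:
    """Verification step: True only if every target has both settings enabled.
    Run this on a fresh GET after the PATCH to confirm the change actually landed."""
    targets = config.get("includeTargets", [])
    return bool(targets) and all(t.get(k) == "enabled" for t in targets for k in ENFORCED)


def apply_policy(token: str, body: dict) -> int:
    """PATCH the policy; returns the HTTP status (Graph answers 204 No Content on success)."""
    req = urllib.request.Request(
        GRAPH_URL, data=json.dumps(body).encode(), method="PATCH",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:  # hypothetical token; not run offline
        return resp.status
```

The GET-then-PATCH shape keeps any other fields Microsoft returns for a target (registration requirement, authentication mode) intact, which is safer than hand-typing a minimal body.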

That’s it for today. Cool right?
