Update 26-11-2021
As this feature is now in public preview, you can also manage these settings via the Azure portal. You can find the new settings under Azure Active Directory -> Security -> Authentication methods -> Authenticator App.
By default, both settings are "Microsoft managed". You can either enable or disable each feature explicitly.
Learn more from the Microsoft docs:
Use number matching in multifactor authentication (MFA) notifications (Preview) – Azure Active Directory | Microsoft Docs
Use additional context in multifactor authentication (MFA) notifications (Preview) – Azure Active Directory | Microsoft Docs
Original article starts here
Today, a quick tip that I’d like to share with you. When scrolling through Twitter, this tweet caught my attention, and I asked Nathan if I could write this down for everybody to read. So, thanks Nathan for pointing this out. Good catch!
How to enable this
Now, to start off, this “feature” is not officially supported, so don’t use this in your production environment. When enabling this on your tenant, users will be prompted for Code Match with Azure MFA and Phone Sign-in using the Authenticator app. It can only be set using Graph API.
Go to https://aka.ms/ge, make sure you are signed in and have the right permissions to change tenant settings. If not done already, please consent to the Policy.ReadWrite.AuthenticationMethod permission.
Run the following query:
GET https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator
Now grab the response, and copy that into the body. Your body might look like this:
{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",
    "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
    "id": "MicrosoftAuthenticator",
    "state": "enabled",
    "includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
    "includeTargets": [
        {
            "targetType": "group",
            "id": "all_users",
            "isRegistrationRequired": false,
            "authenticationMode": "any",
            "outlookMobileAllowedState": "default",
            "displayAppInformationRequiredState": "default",
            "numberMatchingRequiredState": "default"
        }
    ]
}
Change the value of numberMatchingRequiredState to enabled, and select PATCH to update the policy. This will enable Code Match for Azure MFA.
You can also change displayLocationInformationRequiredState to enabled, to show location and app information on the MFA and sign-in prompts.
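The same GET, edit, PATCH round trip, scripted so it can be repeated and audited. This is an added example and not code from the original post: it mirrors the body shown above (constructed as SAMPLE_RESPONSE), flips the per-target settings to enabled, and re-reads the policy afterwards to confirm nothing is still left at "default". The HTTP helper assumes you already hold a bearer token consented for Policy.ReadWrite.AuthenticationMethod (the permission named in the post); the GRAPH_TOKEN environment variable and the function names are my own choices.

```python
"""Audit and harden the Microsoft Authenticator authentication method policy
via the Graph beta endpoint used in the post. Added example, not the post's code."""
import copy
import json
import os
import urllib.request

GRAPH_URL = ("https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/"
             "authenticationMethodConfigurations/microsoftAuthenticator")

# Per-target settings from the post's body, and the value that hardens them.
HARDENED = {
    "numberMatchingRequiredState": "enabled",
    "displayAppInformationRequiredState": "enabled",
}

# Constructed sample mirroring the GET response shown in the post.
SAMPLE_RESPONSE = {
    "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
    "id": "MicrosoftAuthenticator",
    "state": "enabled",
    "includeTargets": [
        {
            "targetType": "group",
            "id": "all_users",
            "isRegistrationRequired": False,
            "authenticationMode": "any",
            "outlookMobileAllowedState": "default",
            "displayAppInformationRequiredState": "default",
            "numberMatchingRequiredState": "default",
        }
    ],
}


def audit_targets(config):
    """Return (target id, setting, current value) for every setting not 'enabled'."""
    findings = []
    for target in config.get("includeTargets", []):
        for setting in HARDENED:
            if target.get(setting) != "enabled":
                findings.append((target.get("id"), setting, target.get(setting)))
    return findings


def build_patch_body(config, settings=HARDENED):
    """Return the PATCH body: a copy of the GET response with the per-target
    settings flipped to 'enabled'. The input is left untouched so the caller
    can still diff before/after."""
    body = copy.deepcopy(config)
    for target in body.get("includeTargets", []):
        target.update(settings)
    return body


def graph_request(method, token, body=None):
    """Minimal Graph call. ASSUMPTION: token is a valid bearer token that was
    consented for Policy.ReadWrite.AuthenticationMethod."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        GRAPH_URL, data=data, method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()          # PATCH answers 204 with an empty body
    return json.loads(raw) if raw else {}


def enforce(token):
    """GET the policy, PATCH it if anything is still not enabled, then
    re-read and fail loudly if the change did not stick."""
    current = graph_request("GET", token)
    if not audit_targets(current):
        return current
    graph_request("PATCH", token, build_patch_body(current))
    after = graph_request("GET", token)
    remaining = audit_targets(after)
    if remaining:
        raise RuntimeError(f"settings still not enabled after PATCH: {remaining}")
    return after


if __name__ == "__main__":
    # Offline dry run against the constructed sample, then the live call
    # only when a token is supplied (hypothetical env var GRAPH_TOKEN).
    print("findings before:", audit_targets(SAMPLE_RESPONSE))
    print("findings after :", audit_targets(build_patch_body(SAMPLE_RESPONSE)))
    if os.environ.get("GRAPH_TOKEN"):
        print(json.dumps(enforce(os.environ["GRAPH_TOKEN"]), indent=2))
```

The audit step is the part worth keeping around after the one-off change: run it on a schedule and alert when any include target reports a value other than enabled, so a later edit in the portal or another admin's PATCH does not silently turn number matching back off.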
That’s it for today. Cool right?
If not already done, you have to consent to the permission Policy.ReadWrite.AuthenticationMethod before running the GET query.
Thanks, I will add that to the post.