With all the new improvements to the Microsoft Authenticator App, this seems a good time to highlight a new capability in Azure AD: Registration Campain, also known as the nudge feature. Also, organizations should move away from phone transports for authentication. If your users use text (SMS) for second-factor authentication, they have very little context, and therefore might be confusing. On top of that, attackers use SIM jacking techniques to bypass those phone methods.
By far the most secure way to authenticate is passwordless authentication, so to step up from phone methods, Authenticator App would be a good step to strengthen your security posture.
Today we take a look at a new feature that will prompt your users to move towards Authenticator App. There are a few requirements to be aware of:
- Your organization must have enabled Azure MFA.
- User must not have already set up Microsoft Authenticator for push notifications on their account.
- Admins need to enable users for Microsoft Authenticator using one of these policies:
- MFA Registration Policy: Users will need to be enabled for Notification through mobile app.
- Authentication Methods Policy: Users will need to be enabled for the Microsoft Authenticator and the Authentication mode set to Any or Push. If the policy is set to Passwordless, the user will not be eligible for the nudge.
Enabling the Authenticator app is easy, and can be done in a few clicks. In the Azure portal, go to Azure Active Directory -> Security -> Authentication methods. Enable for all users, or pilot for selected users first.
Within the policy, you should have either configured ‘Any’ or ‘Push’.
So, with all the requirements in place, let’s see where we can configure the registration campaign. In the Azure portal, head over to Azure Active Directory -> Security -> Authentication methods. Here we will find the Registration Campaign blade.
Configuring this feature is pretty straightforward.
- To enable the feature, select Enabled.
- Select the days that the user can snooze. 0 (zero)days means that the user is prompted every day. The user can still skip the wizard, but is reminded on daily base.
- By default, the policy is enabled for all users, but you can exclude users or groups as well.
- Select either all users, or select a few test users first.
In this example, I have enabled it for my test user: Chandler Bing. Chandler has registered for Azure MFA using his mobile phone number.
Now, what does it look like for the end-user? Chandler signs in, like always, and is prompted to do Azure MFA. After this was successful, he is now prompted for the second time to enroll the Authenticator app.
Chandler can snooze this message by clicking “Not now”, or click Next to start the registration. Now this will just be the standard enrollments procedure that is used for MFA and SSPR registration. After finishing the wizard, the Authenticator App is now set as the default sign-in method.
Good to mention: the phone method is not deleted, and can still be used as a backup method.
Track the results
Events can be easily tracked by the reporting module in the Azure portal, or via the audit logs.
Wrap things up
As you can see, this new feature works pretty smoothly. A couple of things you should know:
- You can run the campaign for as long as you want. Just disable the feature to stop the campaign.
- If selected, guest users will also be prompted.
- The feature works with the Authenticator app only.
- A user who has set up Microsoft Authenticator app only for TOTP codes also will see the nudge.
- This feature can also be configured using the Graph API.