First, the good news. Well, maybe not good security-wise, but at least you still have time to educate and enable before it is enforced.
Number matching enforcement is still on the horizon. Also, the legacy SSPR and MFA policies will be deprecated (phased out).
Don't act too late on either of them. If you need to educate users, you can use these excellent templates from Martin Coetzer's team.
Enable Number matching
In Microsoft Authenticator, number matching is a significant security improvement over the conventional "Approve / Deny" second-factor prompt: instead of just tapping Approve, the user must type the number shown on the sign-in screen into the app.
Starting on 8 May 2023, Microsoft will remove the admin controls and require the number match experience for all users tenant-wide.
You should turn on number matching as soon as possible for increased sign-in security. After 8 May 2023 the relevant services will start rolling out these changes, and users will begin to see number matching in approval requests. Because the rollout is phased, some users may see number matches before others.
Open authentication methods from https://entra.microsoft.com/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AdminAuthMethods
My best guess is that the status will be Microsoft Managed after enforcement and you cannot select any targets. It will just be enabled and enforced without any possibility of switching it off.
How will it look for the end user?
When number matching is enabled, the sign-in page shows you a number,
and you have to enter that number in Microsoft Authenticator.
First time number match
With Teams
Notice that the number is hidden behind the prompt; press "I can't see the number" and it will be displayed briefly.
With browser
Choose "Approve sign-in" from the options above to get the prompt.
Why the enforcement?
Well, one reason is MFA fatigue attacks.
Multi-factor authentication is an excellent security feature: in the simplest scenario you need your username and password plus some form of proof that you are really the one signing in to a service.
But if you went where the fence is lowest, or implemented MFA ages ago and never revisited the methods it uses since, you could be facing the risk of MFA fatigue.
In an MFA fatigue attack the attacker first phishes (or otherwise obtains) your credentials, then signs in to a service of their choosing and bombards you with an endless stream of MFA push requests until you approve one just to make them stop. Number matching defeats this because approving requires a number that only the attacker's sign-in screen shows, so an annoyed tap on Approve no longer lets them in.
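As an added example (not code from the original post), this is how a fatigue burst looks in the Entra ID sign-in logs and how you could flag it. It assumes the sign-in log shape where a failed strong-authentication step has `status.errorCode` 500121 and `status.additionalDetails` says the user declined or did not respond; the records and the threshold are constructed for the illustration.

```powershell
# Added example, not from the original post.
# Assumes sign-in records shaped like the Entra ID sign-in log (status.errorCode 500121 for a
# failed MFA step, additionalDetails describing why). Sample records below are constructed.

function Find-MfaFatigue {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [int] $Threshold = 5,        # declined/unanswered pushes per user ...
        [int] $WindowMinutes = 10    # ... inside this sliding window
    )
    $SignIns |
        Where-Object {
            $_.status.errorCode -eq 500121 -and
            $_.status.additionalDetails -match 'user (declined|did not respond)'
        } |
        Group-Object userPrincipalName |
        ForEach-Object {
            $times = @($_.Group | ForEach-Object { [datetime]$_.createdDateTime } | Sort-Object)
            # Slide over the sorted timestamps: any $Threshold events within $WindowMinutes is a hit.
            for ($i = 0; $i + $Threshold - 1 -lt $times.Count; $i++) {
                $span = $times[$i + $Threshold - 1] - $times[$i]
                if ($span.TotalMinutes -le $WindowMinutes) {
                    [pscustomobject]@{
                        User     = $_.Name
                        Pushes   = $_.Count
                        First    = $times[$i]
                        SourceIp = (@($_.Group.ipAddress | Select-Object -Unique) -join ',')
                    }
                    break
                }
            }
        }
}

# Constructed sample: alice ignores six pushes in under four minutes from one IP (fatigue),
# bob declines a single push (an ordinary mis-tap) and must not be flagged.
$t0 = (Get-Date '2023-04-20T08:00:00Z').ToUniversalTime()
$sample = @(
    1..6 | ForEach-Object {
        [pscustomobject]@{
            userPrincipalName = 'alice@contoso.example'
            ipAddress         = '203.0.113.7'
            createdDateTime   = $t0.AddSeconds(40 * $_).ToString('yyyy-MM-ddTHH:mm:ssZ')
            status            = @{ errorCode = 500121; additionalDetails = 'MFA denied; user did not respond to mobile app notification' }
        }
    }
    [pscustomobject]@{
        userPrincipalName = 'bob@contoso.example'
        ipAddress         = '198.51.100.9'
        createdDateTime   = '2023-04-20T08:01:00Z'
        status            = @{ errorCode = 500121; additionalDetails = 'MFA denied; user declined the authentication' }
    }
    [pscustomobject]@{
        userPrincipalName = 'alice@contoso.example'
        ipAddress         = '203.0.113.7'
        createdDateTime   = '2023-04-20T08:05:00Z'
        status            = @{ errorCode = 0; additionalDetails = 'MFA requirement satisfied by claim in the token' }
    }
)

# Only alice is reported: six pushes, first at 08:00:40, from 203.0.113.7
Find-MfaFatigue -SignIns $sample | Format-Table -AutoSize
```

Feed real records from `Get-MgAuditLogSignIn` (or a Sentinel export) into `-SignIns` instead of `$sample`; the one successful sign-in in the sample is filtered out on purpose, because a burst of declines followed by a success is the case you most want an analyst to look at.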
Migrate MFA and SSPR policy settings to the Authentication methods
For now, policy settings can be moved at your own pace, and the procedure is completely reversible. While you specify authentication methods for users and groups in the Authentication methods policy, you can keep using the tenant-wide legacy MFA and SSPR policies. When you are ready to manage all authentication methods in one place in the Authentication methods policy, you finish the migration.
Legacy MFA
See your existing MFA settings at https://account.activedirectory.windowsazure.com/usermanagement/mfasettings.aspx
Here is how each legacy MFA setting maps to the Authentication methods policy:

| Multifactor authentication policy | Authentication methods policy |
|---|---|
| Call to phone | Voice calls |
| Text message to phone | SMS |
| Notification through mobile app | Microsoft Authenticator |
| Verification code from mobile app or hardware token | Third-party software OATH tokens; Hardware OATH tokens (not yet available); Microsoft Authenticator |
Self-service Password reset (SSPR)
See your SSPR authentication methods at https://entra.microsoft.com/#view/Microsoft_AAD_IAM/PasswordResetMenuBlade/~/AuthenticationMethods
And here is how the SSPR methods map to the Authentication methods policy:

| SSPR authentication methods | Authentication methods policy |
|---|---|
| Mobile app notification | Microsoft Authenticator |
| Mobile app code | Microsoft Authenticator; Software OATH tokens |
| Email OTP | |
| Mobile phone | Voice calls; SMS |
| Office phone | Voice calls |
| Security questions | Not yet available; copy your questions for later use |
If "Notification through mobile app" is enabled in the legacy MFA policy, enable Microsoft Authenticator for All users in the Authentication methods policy. To allow both push notifications and passwordless phone sign-in, set the authentication mode to Any.
If "Verification code from mobile app or hardware token" is enabled in the legacy MFA policy, set "Allow use of Microsoft Authenticator OTP" to Yes.
Manage migration
The legacy self-service password reset and multifactor authentication policies will be phased out in January 2024, after which you control all authentication methods here, in the Authentication methods policy. Once every method you still rely on has its counterpart enabled, set the migration status to Complete.
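The same steps, for the Authenticator settings above and for the number matching and migration status, can be scripted against Microsoft Graph instead of clicked through the portal. This is an added example and not code from the original post or from Microsoft. It assumes the Microsoft.Graph PowerShell SDK, an account holding `Policy.ReadWrite.AuthenticationMethod`, and that number matching is still exposed through the beta-only `featureSettings.numberMatchingRequiredState` property (that property goes away once Microsoft enforces number matching); the group id `all_users` is Graph's built-in "all users" target.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph PowerShell SDK and
# Policy.ReadWrite.AuthenticationMethod; numberMatchingRequiredState is a beta-only setting
# that disappears once number matching is enforced tenant-wide.

Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod' -NoWelcome

$v1   = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy'
$beta = 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy'
$json = @{ ContentType = 'application/json' }

# 1. Inspect: which methods are enabled today, and where the migration stands.
$policy = Invoke-MgGraphRequest -Method GET -Uri $v1
"Migration state: $($policy.policyMigrationState)"
$policy.authenticationMethodConfigurations | ForEach-Object { '{0,-24} {1}' -f $_.id, $_.state }

# 2. Microsoft Authenticator for All users, authentication mode Any (push + passwordless),
#    and the Authenticator OTP code allowed (counterpart of the legacy
#    "Verification code from mobile app or hardware token" setting).
$authenticator = @{
    '@odata.type'         = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration'
    state                 = 'enabled'
    isSoftwareOathEnabled = $true
    includeTargets        = @(
        @{
            targetType             = 'group'
            id                     = 'all_users'
            isRegistrationRequired = $false
            authenticationMode     = 'any'
        }
    )
}
Invoke-MgGraphRequest @json -Method PATCH -Uri "$v1/authenticationMethodConfigurations/MicrosoftAuthenticator" -Body ($authenticator | ConvertTo-Json -Depth 5)

# 3. Number matching for All users, ahead of the 8 May 2023 enforcement (beta property, see above).
$numberMatch = @{
    '@odata.type'   = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration'
    featureSettings = @{
        numberMatchingRequiredState = @{
            state         = 'enabled'
            includeTarget = @{ targetType = 'group'; id = 'all_users' }
        }
    }
}
Invoke-MgGraphRequest @json -Method PATCH -Uri "$beta/authenticationMethodConfigurations/MicrosoftAuthenticator" -Body ($numberMatch | ConvertTo-Json -Depth 5)

# 4. Verify before you flip the switch: every legacy method you still rely on must have
#    its counterpart enabled here, otherwise users lose that method at migration time.
$after = Invoke-MgGraphRequest -Method GET -Uri $v1
$enabled = ($after.authenticationMethodConfigurations | Where-Object state -eq 'enabled').id
'MicrosoftAuthenticator', 'Sms', 'Voice' | Where-Object { $_ -notin $enabled } |
    ForEach-Object { Write-Warning "$_ is not enabled in the Authentication methods policy" }

# 5. Finish the migration. Reversible: PATCH it back to 'migrationInProgress' if something breaks.
Invoke-MgGraphRequest @json -Method PATCH -Uri $v1 -Body (@{ policyMigrationState = 'migrationComplete' } | ConvertTo-Json)
```

Run steps 1 and 4 first on their own; the warning list in step 4 is the checklist the two mapping tables above turn into, and step 5 should only run once that list is empty.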
Closure
As we discovered in this post, the dates to remember are 8 May 2023 and January 2024: the first for number matching enforcement, the second for the phased deprecation of the legacy MFA and SSPR policies.
Be prepared for them: educate, educate, test and enable!