Information
Microsoft has released additional settings to enhance the configuration of the Microsoft Authenticator application. These settings provide additional information and context to users who receive MFA passwordless and push requests, such as the geographic location the request came from, the requesting application, and a required number match.
Ensure the following are Enabled.
Require number matching for push notifications
Show application name in push and passwordless notifications
Show geographic location in push and passwordless notifications
NOTE: On February 27, 2023, Microsoft started enforcing number matching tenant-wide for all users using Microsoft Authenticator.
Rationale:
As the use of strong authentication has become more widespread, attackers have started to exploit the tendency of users to experience 'MFA fatigue.' This occurs when users are repeatedly asked to provide additional forms of identification, leading them to eventually approve requests without fully verifying the source. To counteract this, number matching can be employed to ensure the security of the authentication process. With this method, users are prompted to confirm a number displayed on their original device and enter it into the device being used for MFA. Additionally, other information such as geolocation and application details are displayed to enhance the end user's awareness. Among these 3 options, number matching provides the strongest net security gain.
Impact:
Additional interaction will be required by end users using number matching as opposed to simply pressing 'Approve' for login attempts.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
To remediate using the UI:
Navigate to the Microsoft Entra admin center https://entra.microsoft.com.
Click to expand Protection > Authentication methods and select Policies.
Select Microsoft Authenticator
Under Enable and Target, ensure the setting is set to Enable.
Select Configure
Set the following Microsoft Authenticator settings:
Require number matching for push notifications: Status set to Enabled, Target All users
Show application name in push and passwordless notifications: Status set to Enabled, Target All users
Show geographic location in push and passwordless notifications: Status set to Enabled, Target All users
Note: Valid groups such as break glass accounts can be excluded per organization policy.
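The same three settings can be verified outside the UI. The following is an added example, not Tenable's or Microsoft's code: it evaluates the JSON body that Microsoft Graph returns for the MicrosoftAuthenticator authentication method configuration (the property names and the beta endpoint path are assumptions based on the Graph authenticationMethodConfigurations resource; the token must be obtained separately with Policy.Read.All).

```python
"""Check the Microsoft Authenticator policy for the three settings this benchmark
item requires. Input is the JSON returned by (assumed endpoint and shape):
GET https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator
"""

# featureSettings keys (assumed Graph property names) mapped to the benchmark wording.
REQUIRED_FEATURES = {
    "numberMatchingRequiredState": "Require number matching for push notifications",
    "displayAppInformationRequiredState": "Show application name in push and passwordless notifications",
    "displayLocationInformationRequiredState": "Show geographic location in push and passwordless notifications",
}


def check_authenticator_policy(config: dict) -> list:
    """Return a list of findings; an empty list means the policy matches the benchmark."""
    findings = []
    # The method itself must be enabled, or none of the feature settings take effect.
    if config.get("state") != "enabled":
        findings.append("Microsoft Authenticator method is not enabled")
    features = config.get("featureSettings") or {}
    for key, label in REQUIRED_FEATURES.items():
        feature = features.get(key) or {}
        # A missing or "default" state means Microsoft-managed, not explicitly Enabled.
        state = feature.get("state", "default")
        if state != "enabled":
            findings.append(f"{label}: state is '{state}', expected 'enabled'")
            continue
        # Target must be all users; "all_users" is the assumed id Graph uses for that.
        target = feature.get("includeTarget") or {}
        if target.get("id") != "all_users":
            findings.append(f"{label}: include target is '{target.get('id')}', expected 'all_users'")
    return findings


# Constructed sample: app name shown, number matching and location left Microsoft-managed.
ALL_USERS = {"targetType": "group", "id": "all_users"}
SAMPLE_NONCOMPLIANT = {
    "id": "MicrosoftAuthenticator",
    "state": "enabled",
    "featureSettings": {
        "numberMatchingRequiredState": {"state": "default", "includeTarget": ALL_USERS},
        "displayAppInformationRequiredState": {"state": "enabled", "includeTarget": ALL_USERS},
        "displayLocationInformationRequiredState": {"state": "default", "includeTarget": ALL_USERS},
    },
}

if __name__ == "__main__":
    for finding in check_authenticator_policy(SAMPLE_NONCOMPLIANT):
        print("FAIL:", finding)
```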
Default Value:
Microsoft-managed