Microsoft Authenticator is Microsoft's official mobile application for MFA and passwordless authentication, commonly used as an authentication method in Entra ID.
Following an MFA or passwordless authentication request, the application sends a push notification that can display additional context, including the target application and the login attempt's location (inferred by Microsoft from the IP address). This helps users determine whether the prompt is legitimate or a malicious attack.
This Indicator of Exposure (IoE) checks the following settings:
The expected secure value for both settings is "Enabled." An intermediate value, "Microsoft managed" ("default" in the Graph API), lets Microsoft decide the effective value based on the evolving threat landscape. However, when this IoE was introduced in late 2024, Microsoft resolved that value to "Disabled"; as a result, this IoE does not consider "Microsoft managed" secure by default (you can adjust this behavior via a parameter).
This feature is especially effective against MFA fatigue attacks, where attackers bombard victims with notifications until they finally approve one. The additional context increases user awareness and makes them more likely to recognize and reject malicious attempts.
Tenable recommends that you apply the "Enabled" status on these two settings in the Microsoft Authenticator authentication method:
Refer to the following Microsoft documentation for details on how these additional contexts are displayed and instructions to enable them using various methods: How to use additional context in Microsoft Authenticator notifications - Authentication methods policy.
As noted in the vulnerability description, we recommend against using the "Microsoft managed" status ("default" in the Graph API), as it currently equates to "Disabled" (as of late 2024).
If needed, you can globally set these configurations to "Enabled" while specifying the "Target" group(s) using the "Include" and "Exclude" settings. Tenable recommends applying these settings to all users by using "Include" with the "All users" option.
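As an added example of how the check described above (the "Enabled" / "Microsoft managed" / "Disabled" evaluation and the "Include: All users" recommendation) could be expressed, the following Python evaluates a Microsoft Graph `microsoftAuthenticator` authentication method configuration. This is illustration code, not Tenable's IoE implementation or Microsoft's code. It assumes the Graph property names `displayAppInformationRequiredState` and `displayLocationInformationRequiredState`, the `state` values `enabled`, `disabled` and `default`, and the `all_users` target id; the response is constructed inline rather than fetched from a tenant.

```python
"""Evaluate the two Microsoft Authenticator "additional context" settings from a
Microsoft Graph authenticationMethodConfiguration response.

Assumed schema (Graph resource microsoftAuthenticatorAuthenticationMethodConfiguration,
read with GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator):
featureSettings.<property>.state is "enabled", "disabled" or "default"
("Microsoft managed" in the portal), with includeTarget / excludeTarget objects.
"""
import json

# The two feature settings this check covers, keyed by assumed Graph property name.
ADDITIONAL_CONTEXT_FEATURES = {
    "displayAppInformationRequiredState": "Show application name in notifications",
    "displayLocationInformationRequiredState": "Show geographic location in notifications",
}

ALL_USERS_TARGET_ID = "all_users"  # assumed Graph id meaning "All users"

# Constructed sample response (not captured from a real tenant): application name is
# Enabled for all users, geographic location is still "Microsoft managed".
SAMPLE_RESPONSE = json.dumps({
    "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
    "id": "MicrosoftAuthenticator",
    "state": "enabled",
    "featureSettings": {
        "displayAppInformationRequiredState": {
            "state": "enabled",
            "includeTarget": {"targetType": "group", "id": ALL_USERS_TARGET_ID},
            "excludeTarget": {"targetType": "group", "id": "00000000-0000-0000-0000-000000000000"},
        },
        "displayLocationInformationRequiredState": {
            "state": "default",
            "includeTarget": {"targetType": "group", "id": ALL_USERS_TARGET_ID},
            "excludeTarget": {"targetType": "group", "id": "00000000-0000-0000-0000-000000000000"},
        },
    },
})


def evaluate_feature(feature, treat_microsoft_managed_as_secure=False):
    """Return (secure, reason) for one feature setting object.

    "enabled" is secure; "disabled" is not; "default" (Microsoft managed) is only
    secure when the caller opts in, mirroring the IoE parameter described above.
    """
    feature = feature or {}
    state = str(feature.get("state", "default")).lower()
    if state == "enabled":
        secure, reason = True, "state is Enabled"
    elif state == "default":
        if treat_microsoft_managed_as_secure:
            secure, reason = True, "state is Microsoft managed; treated as secure by parameter"
        else:
            secure, reason = False, "state is Microsoft managed, which currently equates to Disabled"
    else:
        secure, reason = False, "state is Disabled"

    # An "Enabled" setting that targets nobody (or excludes everybody) offers no
    # protection, so also require Include = All users and Exclude != All users.
    include_id = (feature.get("includeTarget") or {}).get("id")
    exclude_id = (feature.get("excludeTarget") or {}).get("id")
    if secure and include_id != ALL_USERS_TARGET_ID:
        secure, reason = False, reason + "; includeTarget does not cover all users"
    if secure and exclude_id == ALL_USERS_TARGET_ID:
        secure, reason = False, reason + "; excludeTarget removes all users"
    return secure, reason


def evaluate_policy(response_json, treat_microsoft_managed_as_secure=False):
    """Map each additional-context property to its (secure, reason) verdict."""
    features = json.loads(response_json).get("featureSettings", {})
    return {
        prop: evaluate_feature(features.get(prop), treat_microsoft_managed_as_secure)
        for prop in ADDITIONAL_CONTEXT_FEATURES
    }


def is_exposed(response_json, treat_microsoft_managed_as_secure=False):
    """True when at least one of the two settings is not secure (the IoE would fire)."""
    verdicts = evaluate_policy(response_json, treat_microsoft_managed_as_secure)
    return any(not secure for secure, _ in verdicts.values())


if __name__ == "__main__":
    for prop, (secure, reason) in evaluate_policy(SAMPLE_RESPONSE).items():
        print(f"{'OK  ' if secure else 'FAIL'} {ADDITIONAL_CONTEXT_FEATURES[prop]}: {reason}")
    print("IoE raised:", is_exposed(SAMPLE_RESPONSE))
```

With the constructed sample the application-name setting passes and the location setting fails, so the exposure is reported; passing `treat_microsoft_managed_as_secure=True` reproduces the relaxed behaviour the parameter mentioned above allows.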
Name: Show Additional Context in Microsoft Authenticator Notifications
Codename: SHOW-ADDITIONAL-CONTEXT-IN-MICROSOFT-AUTHENTICATOR-NOTIFICATIONS
Severity: Medium
Type: Microsoft Entra ID Indicator of Exposure