Manage Multi-Factor Authentication Strengths in Microsoft 365

Recent months have seen MFA fatigue (push-bombing) attacks against large enterprises such as Uber, Microsoft, and Cisco. Each of these attacks combined social engineering with stolen employee credentials to get into internal VPNs and privileged user accounts. Microsoft had already announced, in preview, a set of Microsoft Authenticator enhancements aimed at exactly this kind of abuse back in November 2021. 

“New MFA Enhancement Alert!” 

Finally, the wait is over: the advanced Microsoft Authenticator security features are now generally available. Microsoft has said that number matching and additional context will be rolled out to all Authenticator users by the end of February 2023. Let's explore the advanced MFA settings available in Azure AD.  

 

Why do we need Advanced MFA settings enabled? 

Today, most organizations turn on basic multi-factor authentication and assume they are protected. They are not. The recent MFA fatigue attacks have made it clear that SMS, voice calls, and simple approve/deny push prompts are weak as a second factor: SMS and voice codes can be phished, and a push prompt can be approved by mistake. 

During a breach, the attacker uses the stolen password to trigger MFA push notifications over and over until the user gives in. Eventually the victim, worn down or simply trying to stop the flood of prompts, taps 'Approve', and the attacker is in. Microsoft's advanced push settings described below are designed to make that accidental approval much harder.

Advanced MFA Settings in Azure AD that you must know: 

1. Number Matching with Microsoft Authenticator 

Number matching prevents accidental approval: instead of tapping Approve, the user must type into Microsoft Authenticator the two-digit number shown on the sign-in screen. The number is visible only on the screen where the sign-in was started, so a prompt generated by an attacker's sign-in cannot be completed with a blind tap. Admins can require number matching for all users or for a targeted group, and it applies both to MFA push notifications and to passwordless phone sign-in. It does not stop an attacker who phones the victim and reads them the number, which is why the phishing-resistant authentication strengths described later still matter. 

Steps to Enable Number Matching in Azure AD: 

  • Log into the Microsoft Azure portal. 
  • Navigate to Azure Active Directory –> Security –> Authentication methods. 
  • Select the Microsoft Authenticator method. 
  • Under the Basics tab, set Enable to Yes. 
  • Under the Target tab, include all users or specific groups as required. 
  • Set the authentication mode to Any (or Push). 
  • Switch to the Configure tab. 
  • Under 'Require number matching for push notifications', set Status to Enabled. 
  • Choose whom to include in or exclude from number matching, then save. 

Number Matching in MFA

 

2. Geographic Location with MFA Push Notifications 

Besides number matching, showing the user additional context in the notification also cuts down on accidental approvals. The notification can show the name of the application being signed into and the approximate geographic location of the sign-in, derived from the IP address of the request. A prompt for an app the user never opened, from a city they are not in, is an obvious cue to tap Deny. Because the location is IP-based, VPNs and mobile carrier NAT can place a legitimate sign-in in the wrong city, so treat it as a hint rather than proof.  

Steps to Enable Geographic Location in Azure AD  

  • Log into the Microsoft Azure portal. 
  • Navigate to Azure Active Directory –> Security –> Authentication methods. 
  • Select the Microsoft Authenticator method. 
  • Under the Basics tab, set Enable to Yes. 
  • Under the Target tab, include all users or specific groups as required.  
  • Set the authentication mode to Any. 
  • Switch to the Configure tab. 
  • Set 'Show geographic location in push and passwordless notifications' (and, if wanted, 'Show application name in push and passwordless notifications') to Enabled. 
  • Save it. 
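The same Authenticator settings from both procedures above (number matching, application name and geographic location) live in one authentication method policy, so they can be set together through Microsoft Graph. The following PowerShell is an added example, not code from the original article or from Microsoft; it assumes the Microsoft.Graph.Authentication module, an admin consented to the Policy.ReadWrite.AuthenticationMethod scope, and an optional exclusion group whose ID is a placeholder. It uses the beta endpoint because numberMatchingRequiredState is only exposed there.

```powershell
# Added example (not from the original article): turn on number matching and the
# additional-context features in the Microsoft Authenticator method policy via Graph,
# then read the policy back to confirm every feature reports "enabled".
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"

$uri = "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator"

# Assumption: a group (e.g. break-glass accounts) to exclude from the feature rollout.
# Replace with a real group object ID, or keep the all-zero GUID to exclude nobody.
$excludeGroupId = "00000000-0000-0000-0000-000000000000"

# Each feature is an authenticationMethodFeatureConfiguration: a state plus an include
# target and an exclude target. "all_users" is the built-in id for everyone.
function New-FeatureState([string]$State) {
    return @{
        state         = $State
        includeTarget = @{ targetType = "group"; id = "all_users" }
        excludeTarget = @{ targetType = "group"; id = $excludeGroupId }
    }
}

$body = @{
    "@odata.type"  = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration"
    state          = "enabled"                       # Basics tab: Enable = Yes
    includeTargets = @(                              # Target tab: all users, mode Any
        @{
            targetType             = "group"
            id                     = "all_users"
            isRegistrationRequired = $false
            authenticationMode     = "any"           # push MFA and passwordless phone sign-in
        }
    )
    featureSettings = @{                             # Configure tab
        numberMatchingRequiredState             = New-FeatureState "enabled"
        displayAppInformationRequiredState      = New-FeatureState "enabled"
        displayLocationInformationRequiredState = New-FeatureState "enabled"
    }
}

Invoke-MgGraphRequest -Method PATCH -Uri $uri `
    -Body ($body | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Verification: the GET must show all three features enabled, otherwise the PATCH
# silently did less than intended (a common outcome of a typo in a property name).
$policy   = Invoke-MgGraphRequest -Method GET -Uri $uri
$features = $policy.featureSettings
foreach ($name in "numberMatchingRequiredState",
                  "displayAppInformationRequiredState",
                  "displayLocationInformationRequiredState") {
    "{0,-42} {1}" -f $name, $features[$name].state
}
```

Run it once in a test tenant first; the exclusion group is the safety valve if a pilot group reports problems with the new prompt.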

 Geographic Location with MFA Push Notifications

 

3. Phishing Resistant MFA  

Authentication strengths are an additional access control in Conditional Access policies. This newly released control, still in preview at the time of writing, lets admins specify which combinations of authentication methods satisfy a policy. That makes it possible to exclude weak methods (SMS, voice calls) and to restrict access to sensitive applications, for example from outside the corporate network, to stronger ones.  

For example, the in-built Phishing-resistant MFA strength allows the following combinations. 

  • Windows Hello for Business (or) 
  • FIDO2 security key (or) 
  • Azure AD Certificate–Based Authentication (Multi-factor) 

To require an authentication strength, create a Conditional Access policy and, under Grant, select 'Require authentication strength' and pick the strength. Conditional Access requires an Azure AD Premium P1 license. Start the policy in report-only mode and keep a break-glass account excluded, so users who have not yet registered a qualifying method are not locked out. 

Default Phishing Resistant MFA

 

At times, admins need different authentication methods for different circumstances. Apart from the built-in authentication strengths, admins can create up to 15 custom authentication strengths of their own to meet those requirements.  

Steps to Create a Custom Multi-Factor Authentication Strength   

  • Log into the Microsoft Azure portal. 
  • Navigate to Azure Active Directory –> Security –> Authentication methods –> Authentication strengths. 
  • Select New authentication strength. 
  • Name the strength and give it a description. 
  • Choose the combinations of authentication methods that should satisfy it. 
  • Review and save it. 
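The procedure above, carried through to the Conditional Access policy that actually uses the strength, as an added PowerShell example (not code from the original article or from Microsoft). It assumes the Microsoft.Graph.Authentication module, an admin consented to the Policy.ReadWrite.AuthenticationMethod and Policy.ReadWrite.ConditionalAccess scopes, the v1.0 Graph endpoints for authentication strengths and Conditional Access, and a placeholder application ID for the sensitive app.

```powershell
# Added example (not from the original article): create a custom authentication strength
# that accepts only phishing-resistant methods plus a one-time Temporary Access Pass
# (so a user can enrol their first FIDO2 key), then bind it to a Conditional Access policy
# for one application when the sign-in comes from outside trusted locations.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod", "Policy.ReadWrite.ConditionalAccess"

$graph = "https://graph.microsoft.com/v1.0"

# Assumption: appId of the application to fence off. Replace with a real value.
$sensitiveAppId = "00000000-0000-0000-0000-000000000000"

# 1. The custom strength. allowedCombinations uses Graph authenticationMethodModes values;
#    a comma-separated entry means "both together" (e.g. "password,microsoftAuthenticatorPush").
#    SMS, voice and plain push are deliberately absent.
$strength = @{
    displayName         = "Phishing-resistant or TAP (custom)"
    description         = "FIDO2 / Windows Hello for Business / CBA, plus one-time TAP for first-key enrolment"
    allowedCombinations = @(
        "fido2",
        "windowsHelloForBusiness",
        "x509CertificateMultiFactor",
        "temporaryAccessPassOneTime"
    )
}
$created = Invoke-MgGraphRequest -Method POST -Uri "$graph/policies/authenticationStrengthPolicies" `
    -Body ($strength | ConvertTo-Json -Depth 5) -ContentType "application/json"
$strengthId = $created.id

# 2. Conditional Access policy that requires the strength for the app from untrusted IPs.
#    Created in report-only mode on purpose: read the sign-in logs for what WOULD have been
#    blocked before switching state to "enabled", and add break-glass accounts to excludeUsers.
$caPolicy = @{
    displayName = "CA - require phishing-resistant MFA for sensitive app (external)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All") }
        applications = @{ includeApplications = @($sensitiveAppId) }
        locations    = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $strengthId }
    }
}
$policy = Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/policies" `
    -Body ($caPolicy | ConvertTo-Json -Depth 10) -ContentType "application/json"

"Strength {0} bound to Conditional Access policy {1} (state: {2})" -f $strengthId, $policy.id, $policy.state
```

Keeping the Temporary Access Pass combination in the strength is what lets a newly hired user (or one who lost a key) bootstrap a FIDO2 credential without first falling back to SMS; once the key is registered the TAP expires and only the phishing-resistant methods remain usable.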

 

Custom Authentication Strength

 

How to Check Which Users Have Registered for MFA? 

In an organization, it is important to verify that every user has actually registered the methods your policies require. Microsoft provides the following reports to manage MFA registration, drive it to 100% across the organization, and troubleshoot MFA issues.   

1. Get MFA Authentication Methods Activity Reports 

Navigate to Azure Portal –> Azure AD –> Security –> Authentication Methods –> Activity 

This new report helps you understand the adoption of Multi-Factor Authentication (MFA), password authentication, and Self-Service Password Reset (SSPR) in the organization.  

Registration – This tab shows how many users have registered for each authentication method. By clicking on a specific authentication method, you can see which users have registered for that method.   

Usage – This usage report provides an overview of the authentication methods used to sign in and number of password resets. Under the usage tab, graphs on the following authentication information will be obtained.  

  • Sign-ins by authentication requirement 
  • Sign-ins by authentication method 
  • Number of password changes and resets 
  • Password resets by authentication method 

Note – An Azure AD Premium P1 or P2 license is required to access usage and insights. 

Authentication Method Activity Usage

 

2. Get MFA User Registration Details Report 

Navigate to Azure Portal –> Azure AD –> Security –> Authentication Methods –> User Registration Details

Use the user registration details report to see which users are capable of Multi-Factor Authentication (MFA), password authentication, and Self-Service Password Reset (SSPR), and which methods each of them has registered. Apart from overall registration numbers, the report shows registration successes and failures by authentication method, so admins can see which methods are registered most for MFA and for SSPR in their organization.

User Registration Details 

 

3. Get MFA Registration and Reset Event Reports 

Navigate to Azure Portal –> Azure AD –> Security –> Authentication Methods –> Registration and Reset events 

Here, admins can see MFA registration and reset events for up to the last 30 days, along with the method used, status, activity type, and time. It is well known that once an account is compromised, an attacker will often register their own MFA method so they keep access even after the password is reset. During an investigation, this report is the place to look for registrations or resets that the user did not initiate.
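Both checks above, the registration details report and the last 30 days of registration events, can be pulled through Microsoft Graph and run on a schedule instead of being read off the portal. The following PowerShell is an added example, not code from the original article or from Microsoft; it assumes the Microsoft.Graph.Authentication module, the AuditLog.Read.All and UserAuthenticationMethod.Read.All scopes, an Azure AD Premium P1/P2 license for the report endpoint, and that the audit log's service name for these events is 'Authentication Methods' (the value shown in the portal's Service filter).

```powershell
# Added example (not from the original article): flag users with no MFA, users whose only
# methods are SMS/voice/email, and list security-info registration events from the last
# 30 days, all via Microsoft Graph.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# Follows @odata.nextLink so large tenants are not truncated at the first page.
function Get-GraphPages([string]$Uri) {
    $items = @()
    while ($Uri) {
        $page  = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    }
    return $items
}

# Method names as they appear in methodsRegistered. "Weak" here means MFA that is
# phishable or fatigue-prone, i.e. what a phishing-resistant strength will reject.
$phishingResistant = @("fido2SecurityKey", "windowsHelloForBusiness")
$weak              = @("mobilePhone", "alternateMobilePhone", "officePhone", "email")

$details = Get-GraphPages "https://graph.microsoft.com/v1.0/reports/authenticationMethods/userRegistrationDetails"

$summary = foreach ($u in $details) {
    $methods  = @($u.methodsRegistered)
    $notWeak  = @($methods | Where-Object { $weak -notcontains $_ })
    $strong   = @($methods | Where-Object { $phishingResistant -contains $_ })
    [pscustomobject]@{
        User              = $u.userPrincipalName
        MfaRegistered     = $u.isMfaRegistered
        MfaCapable        = $u.isMfaCapable
        PhishingResistant = ($strong.Count -gt 0)
        WeakOnly          = ($methods.Count -gt 0) -and ($notWeak.Count -eq 0)
        Methods           = ($methods -join ",")
    }
}

"Users not registered for MFA:"
$summary | Where-Object { -not $_.MfaRegistered } | Format-Table User, Methods -AutoSize
"Users registered with SMS/voice/email only (will fail a phishing-resistant strength):"
$summary | Where-Object { $_.WeakOnly } | Format-Table User, Methods -AutoSize

# Registration and reset events for the last 30 days. After a suspected compromise,
# an unexpected registration is the attacker adding their own second factor.
$since  = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")
$filter = "loggedByService eq 'Authentication Methods' and activityDateTime ge $since"
$events = Get-GraphPages ("https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?`$filter=" +
                          [uri]::EscapeDataString($filter))

$events |
    Sort-Object activityDateTime -Descending |
    Select-Object activityDateTime, activityDisplayName,
        @{ n = "User";   e = { $_.targetResources[0].userPrincipalName } },
        @{ n = "Result"; e = { $_.result } } |
    Format-Table -AutoSize
```

During an incident, narrow the second query to the affected user's principal name and compare the registration timestamps with the sign-in logs: a new method registered minutes after a sign-in from an unfamiliar location is the signature this section describes.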

Registration and Reset Events

MFA fatigue is a real concern, but there are several ways to defend against it. In Microsoft 365, MFA is the main barrier that keeps attackers out of tenant accounts and user data. Alongside the advanced MFA settings, Microsoft has also introduced authentication context in Conditional Access policies, which gives more granular control over access to the organization's sensitive information. MFA settings in Azure AD will likely keep evolving, at an even faster pace, under Microsoft Entra. 

“Deploy MFA and stay harder to break through!”