In the lineup of Microsoft Entra ID security features, the next addition is MFA text messages via WhatsApp (MC666628). Microsoft’s partnership with WhatsApp for multifactor authentication (MFA) is set to enhance security and provide a user-friendly solution. This means you’ll receive MFA text messages on WhatsApp, making it easier and more secure to verify your identity.
In this blog, we’ll dive into the collaboration between Microsoft and WhatsApp, which is set to revolutionize MFA, and also acknowledge some concerns users have raised about this partnership.
UPDATE! In response to a recent regulatory update in India, Meta has implemented restrictions on the use of over-the-top (OTT) apps like WhatsApp for business communication. Consequently, the ability to send authentication messages via WhatsApp to users in India has been blocked. Commencing from mid-February 2024, users in India who have been receiving OTP messages through WhatsApp will revert to receiving them via SMS, just as they did previously.
⚠ NOV 6, 2024 UPDATE!
Why Is Multi-factor Authentication (MFA) Important?
Microsoft initially introduced MFA as an added layer of security for preventing common cyber-attacks and ransomware attacks. The recommended authentication method in Microsoft Entra ID (Azure AD) is to utilize secure authentication tools like Microsoft Authenticator. However, despite its effectiveness, there have been some drawbacks, such as the risk of MFA fatigue attacks.
To counter these vulnerabilities, Microsoft has implemented various security measures, including MFA number matching, remember MFA on trusted device, and the suppression of Authenticator notifications.
Setting these concerns aside, MFA remains a robust defense against suspicious sign-ins. MFA text messages via WhatsApp are now an additional layer of security for multi-factor authentication.
Optimized Multifactor Authentication Text Message Delivery Through WhatsApp
Currently, Entra ID supports delivering one-time passcodes via text message. These messages are sent to the default messaging app on the user’s Android or iOS device. According to Microsoft, to facilitate streamlined digital security, delivering MFA text messages through WhatsApp is now possible!
Of Note: The WhatsApp sender agent displaying OTPs will feature Microsoft branding along with a verified checkmark.
What is the Timeline for This?
The new WhatsApp MFA message verification rollout is planned to start by September 2023.
IMPORTANT: Initially, this new feature will be available only for Microsoft 365 enterprise customers in India, Indonesia, and New Zealand. For other countries, the rollout begins in October-November 2023.
Microsoft also added that,
The initial set of users will receive the update by mid-October; however, further rollout is expected to take an extended period of time.
How to Enable MFA Text Message Delivery Through WhatsApp?
Users must meet the following requirements to receive MFA text messages via WhatsApp.
- Enable SMS-based authentication
- Have WhatsApp installed on their phones
How to Enable SMS-based Authentication in Microsoft Entra ID?
First, let’s talk about the license requirement for SMS-based user sign-in. Each user must be licensed with one of the following licenses.
- Microsoft 365 F1 or F3.
- Azure Active Directory Premium P1 or P2.
- Enterprise Mobility + Security (EMS) E3 or E5 or Microsoft 365 E3 or E5.
- Office 365 F3
Now, to enable multifactor authentication text messages in the Azure portal, follow the steps given below.
Step 1: Sign into the Microsoft Entra admin center.
Step 3: Choose Protection from the left pane.
Step 4: Select Authentication methods > Policies > SMS.
Step 5: Turn on the “Enable” toggle and include Target users. Then, Save.
Before they can sign in, there is one more step that needs to be configured. That is, users will have to set a phone number themselves. Admins can also do this for their users by following the steps given below.
Microsoft Entra ID -> Users -> Select the user for whom you have enabled SMS settings -> Authentication methods -> Add authentication methods -> Phone number -> Add.
Microsoft’s New MFA: Easier Access or Privacy Risks?
Although receiving MFA messages through WhatsApp is convenient for users, it also raises some privacy concerns.
For example, if a user’s WhatsApp account is hacked, the hacker could potentially see their MFA text messages and gain access to their work accounts. Additionally, WhatsApp is not end-to-end encrypted by default, so there is a risk that someone could intercept the MFA text messages in transit.
Therefore, as an admin, you can disable text message as an authentication method in your tenant if you don’t want OTPs sent to your users through WhatsApp.
To disable SMS authentication:
- Go to Microsoft Entra ID -> Protection -> Authentication Methods -> Policies -> SMS.
- Under Enable and Target, turn off the Enable button, then select Save.
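The SMS policy check and the disable step described above can also be done through Microsoft Graph. The following PowerShell script is an added example, not part of the original post: it reports the current state and targets of the SMS method, lists users who have a mobile phone method registered, and turns the method off only when run with the hypothetical -DisableSms switch. It assumes the Microsoft.Graph.Authentication module is installed and that the signed-in admin can consent to the listed scopes.

```powershell
# Added example, not from the original post.
# -DisableSms is a hypothetical switch name chosen for this script.
param([switch]$DisableSms)

Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod', 'AuditLog.Read.All'

$base   = 'https://graph.microsoft.com/v1.0'
$smsUri = "$base/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/sms"

# 1. Current state of the SMS authentication method and the groups it targets.
$sms = Invoke-MgGraphRequest -Method GET -Uri $smsUri
"SMS authentication method state: $($sms.state)"
foreach ($target in $sms.includeTargets) {
    "  included $($target.targetType) $($target.id) usableForSignIn=$($target.isUsableForSignIn)"
}

# 2. Users with a mobile phone registered as an authentication method.
#    These are the accounts that can be sent a text-message OTP.
$uri      = "$base/reports/authenticationMethods/userRegistrationDetails"
$affected = @()
while ($uri) {
    $page      = Invoke-MgGraphRequest -Method GET -Uri $uri
    $affected += $page.value | Where-Object { $_.methodsRegistered -contains 'mobilePhone' }
    $uri       = $page.'@odata.nextLink'   # follow paging until no next link is returned
}
"Users with a mobile phone method registered: $($affected.Count)"
$affected | ForEach-Object { "  $($_.userPrincipalName)" }

# 3. Disable the SMS method tenant-wide, only when explicitly requested.
if ($DisableSms) {
    $body = @{
        '@odata.type' = '#microsoft.graph.smsAuthenticationMethodConfiguration'
        state         = 'disabled'
    } | ConvertTo-Json
    Invoke-MgGraphRequest -Method PATCH -Uri $smsUri -Body $body -ContentType 'application/json'

    # Read the setting back to confirm the change took effect.
    $after = Invoke-MgGraphRequest -Method GET -Uri $smsUri
    "SMS authentication method state after update: $($after.state)"
}
```

Run it without the switch first and review the user list, so that accounts relying on text messages have another method registered before SMS is turned off.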
Closing Lines
Now, tell us,
“Are you ready to blur the lines between work and personal communication on WhatsApp?”
Thanks for reading! I hope this blog helps you understand MS Entra ID (Azure AD) multifactor authentication message verification through WhatsApp. If you have any questions or need further clarification, please don’t hesitate to reach out to us through the comments section below.