thomasrw
Copper Contributor
May 11, 2022

Don't allow the Microsoft Authenticator app to popup with approval button

Hi,

I have a tenant with MFA set up on all accounts and most people have used the Microsoft Authenticator app. Unfortunately someone was silly enough to press approve on their phone when they weren't getting prompted on their PC, and let a hacker in who knew their password. We're trying to educate them better but still I'd like to remove the feature where they get that popup in the MS Auth app, and make them have to get a code from the app only so they can't accidentally let a hacker in. Can I do this by PowerShell somehow? I have 50+ users in this tenant and other tenants I may want to change too, so it's not viable to ask them all to set up their MFA again a different way.

Running PowerShell reports shows they all have two MFA methods of PhoneAppNotification and PhoneAppOTP and so I assume I just need to remove PhoneAppNotification.

I found a script in the below thread to switch the default, but I assume that means a hacker could still try the other method and make their app do an approval popup; I want it removed. I also am not good enough with PowerShell scripts to edit this so it loops through all users.

https://techcommunity.microsoft.com/t5/azure-active-directory-identity/powershell-cmdlets-for-mfa-settings/m-p/157678/thread-id/132

$m1 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m1.IsDefault = $true                      # push approval is the default method
$m1.MethodType = "PhoneAppNotification"
$m2 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m2.IsDefault = $false                     # app code is kept as a secondary method
$m2.MethodType = "PhoneAppOTP"
$m = @($m1, $m2)                           # both methods are written back to the user
Set-MsolUser -UserPrincipalName "UPN" -StrongAuthenticationMethods $m

Thanks
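
The loop the post asks for, as an added example that is not part of the original post or the linked thread: it walks every user, drops only the PhoneAppNotification entry, keeps all other registered methods, and skips anyone who has no PhoneAppOTP to fall back on. It assumes the MSOnline module with an existing Connect-MsolService session, and, as the post does, that removing the entry is what stops the approval prompt; `$Apply` is a hypothetical dry-run switch.

```powershell
# Added example. Dry run unless $Apply is set to $true.
$Apply = $false   # hypothetical switch: $true writes the changes

$report = foreach ($user in Get-MsolUser -All) {
    $current = @($user.StrongAuthenticationMethods)
    $types   = @($current | ForEach-Object { $_.MethodType })

    # Users who never registered the push method need no change.
    if ($types -notcontains 'PhoneAppNotification') { continue }

    # Never strip push from a user with no app code method: that would
    # leave them unable to complete MFA with the Authenticator app.
    if ($types -notcontains 'PhoneAppOTP') {
        [pscustomobject]@{ User = $user.UserPrincipalName; Action = 'Skipped (no PhoneAppOTP)' }
        continue
    }

    # Rebuild the list without PhoneAppNotification, keeping every other method.
    $keep = @(foreach ($m in $current | Where-Object { $_.MethodType -ne 'PhoneAppNotification' }) {
        $n = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
        $n.MethodType = $m.MethodType
        $n.IsDefault  = $m.IsDefault
        $n
    })

    # If the removed method was the default, promote PhoneAppOTP.
    if (-not ($keep | Where-Object { $_.IsDefault })) {
        $keep | Where-Object { $_.MethodType -eq 'PhoneAppOTP' } |
            ForEach-Object { $_.IsDefault = $true }
    }

    if ($Apply) {
        Set-MsolUser -UserPrincipalName $user.UserPrincipalName -StrongAuthenticationMethods $keep
    }
    $action = if ($Apply) { 'Updated' } else { 'Would update' }
    [pscustomobject]@{ User = $user.UserPrincipalName; Action = $action }
}

$report | Format-Table -AutoSize
```

Run it once with `$Apply = $false` and review the report, in particular the skipped users, before writing anything to the tenant.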