Forum Discussion
Is it possible to prompt a user to authenticate through MS Authenticator when their risk increases?
joeldavideng Hello, if you have AAD P2 with Identity Protection, sign-in risk and user risk can be evaluated as part of a Conditional Access policy. If you then select "require MFA" and also have configured the Authenticator app as the only MFA option, it should be triggered.
Conditions in Conditional Access policy - Azure Active Directory | Microsoft Docs
ChristianJBergstrom, I was able to set up a conditional access policy that only prompts a user for MFA if their risk is high when the user logs in, but I was not able to trigger an Authenticator prompt mid-session or if the user is not logged in at all. I believe I will need to pursue other options for triggering prompts based on actions other than logins given the limited number of actions conditional access policies support. Thanks for your help.
- May 14, 2021
Not sure what you're after here, but there are massive risk calculations going on offline and in real time.
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#risk-types-and-detection
Just a brief heads-up on how it works: https://blog.onevinn.com/mcas-and-aad-identity-protection-threat-detection-and-automatic-response-
- joeldavideng, May 14, 2021, Copper Contributor
You are correct, there are a ton of things going on in the background with Identity Protection already. What I'm going for is to unify external risk evaluation systems with Azure's risk system. So if my other tools determine a user is high risk, I'd like to be able to utilize Azure's notification system to just prompt the user to click yes or no in MS Authenticator. It sounded a lot like the Identity Protection feature was more open than it actually is for integrating third-party tools.
- Thijs Lecomte, May 17, 2021, Bronze Contributor
joeldavideng we manually increase the risk of a user when we discover a breach somewhere else.
That way, the user is prompted for a password change (forcing MFA is not possible ATM).
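One way to wire the two replies together, as an added example that is not code from the thread or from Microsoft: a Conditional Access policy that requires MFA when user risk is "high", plus a function an external tool can call to raise a user's risk by confirming the account compromised, both through the Microsoft Graph PowerShell SDK. The policy name, exclusion group id and UPN are placeholders; the account running it needs the scopes listed.

```powershell
# Added example (not from the thread). Assumes the Microsoft.Graph PowerShell SDK
# and an admin account that can consent to the scopes below.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','IdentityRiskyUser.ReadWrite.All','User.Read.All'

# 1. Risk-based Conditional Access: user risk "high" -> require MFA at next sign-in.
#    Created in report-only mode first so the sign-in logs show who would be
#    affected before it is enforced. Conditional Access evaluates this at sign-in
#    only; it does not push a prompt to a user who is mid-session or signed out.
$policy = @{
    displayName   = 'Require MFA when user risk is high'      # placeholder name
    state         = 'enabledForReportingButNotEnforced'        # set to 'enabled' after review
    conditions    = @{
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @('<break-glass-group-id>')          # placeholder: emergency-access accounts
        }
        applications   = @{ includeApplications = @('All') }
        userRiskLevels = @('high')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"

# 2. An external system found the account in a breach: mark the user as
#    compromised. This sets the user's risk level to high, which is exactly the
#    condition the policy above keys on.
function Set-ExternalCompromise {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $user = Get-MgUser -UserId $UserPrincipalName -Property Id,UserPrincipalName
    Confirm-MgRiskyUserCompromised -UserIds @($user.Id)

    # Read back the risk state that Conditional Access will see at next sign-in.
    $risky = Get-MgRiskyUser -RiskyUserId $user.Id
    [pscustomobject]@{
        User      = $risky.UserPrincipalName
        RiskLevel = $risky.RiskLevel   # expected: high
        RiskState = $risky.RiskState   # expected: confirmedCompromised
    }
}

Set-ExternalCompromise -UserPrincipalName 'alice@contoso.example'   # placeholder UPN

# 3. After the user has remediated, clear the risk so the policy stops firing:
# Invoke-MgDismissRiskyUser -UserIds @('<user-object-id>')
```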