Forum Discussion

BrianG-PPN
Brass Contributor
Oct 28, 2022

Authenticator Settings Target vs. Conditional Access

I recently saw that Microsoft has enabled some number matching functionality for Microsoft Authenticator to reduce the ability for users to be spammed into just accepting an MFA push notification that they didn't trigger. To enable this, however, we need to navigate to AAD>Security>Authentication methods>Policies>Microsoft Authenticator and then enable this option and move on to the Configure tab.

When enabling Authenticator from this section you're required to define the TARGET list of users:


We, however, have enabled MFA for the organization using Conditional Access policies and are enforcing and adding exceptions to that policy as necessary. If we're to trial and use this new feature, however, I need to enable this Microsoft Authenticator settings option and it's unclear how the target user selection set will interact with the Conditional Access policy.


Can anyone offer clarity on how these two sections would interact? Do I need to define the same criteria for user selection within the Authenticator settings that are defined within the Conditional Access policy? Or is there a simpler or more straightforward way to handle this?

  • You can use the authenticator policy for enabling passwordless possibility with Authenticator, while also having the granularity of the newly added settings in there. CA isn't involved. But those using the app and being included in your CA for MFA can now use passwordless when authenticating, if you choose that. People can use Authenticator without this feature as long as the MFA service settings are ticked (phone, software token etc.)


    Let me just add if you target all users they will be affected, but has nothing to do with CA. It's more about how users authenticate with the Authenticator app.

    You can also run a campaign for your org. https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-registration-campaign

  • Think about the authentication methods policy for the Authenticator app as adding more granularity to those using the app and being scoped in there. It will not interfere with your conditional access policies.
    • BrianG-PPN
      Brass Contributor
      So if my Conditional Access policy excludes a handful of accounts from requiring MFA and I then enable Microsoft Authenticator for a target of All users, will the accounts which are excluded from MFA in my Conditional Access policy be impacted by the Authenticator settings, thereby interfering with my already determined requirements?
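To make the point of the replies concrete (CA decides who must satisfy MFA; the Authenticator entry of the authentication methods policy decides who is targeted by the app's settings, and neither reads the other), here is a small Python model of the two evaluations run side by side. This is an added, constructed illustration, not Microsoft's implementation and not code from the thread: the `all_users` pseudo-target, the group and user names, and the assumption that the Authenticator policy also carries an exclude list (as Microsoft Graph's `excludeTargets` does) are all assumptions made for the example.

```python
from dataclasses import dataclass, field

# Pseudo-group id standing in for the "All users" target of the authentication
# methods policy (constructed constant for this model).
ALL_USERS = "all_users"


@dataclass(frozen=True)
class User:
    upn: str
    groups: frozenset = frozenset()


@dataclass
class ConditionalAccessPolicy:
    """A CA policy that grants access only with MFA. Exclusions win over inclusions."""
    include_users: set = field(default_factory=set)   # may contain ALL_USERS
    include_groups: set = field(default_factory=set)
    exclude_users: set = field(default_factory=set)
    exclude_groups: set = field(default_factory=set)


def ca_requires_mfa(user: User, policy: ConditionalAccessPolicy) -> bool:
    """Does CA demand MFA for this user? Excluded users are never prompted by CA."""
    if user.upn in policy.exclude_users or user.groups & policy.exclude_groups:
        return False
    return (ALL_USERS in policy.include_users
            or user.upn in policy.include_users
            or bool(user.groups & policy.include_groups))


@dataclass
class AuthenticatorMethodPolicy:
    """The Microsoft Authenticator entry of the authentication methods policy."""
    state: str = "enabled"                              # "enabled" or "disabled"
    include_groups: set = field(default_factory=set)   # the TARGET list; may contain ALL_USERS
    exclude_groups: set = field(default_factory=set)   # assumed exclude list (Graph excludeTargets)
    number_matching_state: str = "enabled"             # feature setting applied inside the scope


def authenticator_in_scope(user: User, policy: AuthenticatorMethodPolicy) -> bool:
    """Is the user targeted by the Authenticator policy? Independent of any CA policy."""
    if policy.state != "enabled" or user.groups & policy.exclude_groups:
        return False
    return ALL_USERS in policy.include_groups or bool(user.groups & policy.include_groups)


def evaluate(user: User, ca: ConditionalAccessPolicy, auth: AuthenticatorMethodPolicy) -> dict:
    """Evaluate both policies separately; neither result feeds into the other."""
    in_scope = authenticator_in_scope(user, auth)
    return {
        "mfa_required_by_ca": ca_requires_mfa(user, ca),
        "authenticator_enabled": in_scope,
        "number_matching": in_scope and auth.number_matching_state == "enabled",
    }


# Constructed sample tenant (all names are placeholders).
SAMPLE_CA = ConditionalAccessPolicy(
    include_users={ALL_USERS},
    exclude_users={"breakglass@contoso.example"},   # excluded from the CA MFA requirement
)
SAMPLE_AUTH = AuthenticatorMethodPolicy(
    include_groups={ALL_USERS},                     # target "All users", as in the question
    exclude_groups={"grp-no-authenticator"},
    number_matching_state="enabled",
)
SAMPLE_USERS = {
    "alice": User("alice@contoso.example", frozenset({"grp-staff"})),
    "breakglass": User("breakglass@contoso.example"),
    "svc": User("svc-scanner@contoso.example", frozenset({"grp-no-authenticator"})),
}

if __name__ == "__main__":
    for name, user in SAMPLE_USERS.items():
        print(name, evaluate(user, SAMPLE_CA, SAMPLE_AUTH))
```

The break-glass account is the interesting row: CA does not require MFA from it, yet targeting "All users" in the Authenticator policy still puts it in scope for number matching, exactly as the reply says ("if you target all users they will be affected, but has nothing to do with CA"). If the same accounts should be left out of both, they have to be excluded in each policy separately; a CA exclusion does not carry over.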
