Forum Discussion
Authenticator Settings Target vs. Conditional Access
- BrianG-PPN, Oct 31, 2022, Brass Contributor
So if my Conditional Access policy excludes a handful of accounts from requiring MFA and I then enable Microsoft Authenticator for a target of All users, will the accounts which are excluded from MFA in my Conditional Access policy be impacted by the Authenticator settings, thereby interfering with my already determined requirements?
- Oct 31, 2022
You can use the authenticator policy for enabling the passwordless possibility with Authenticator, while also having the granularity of the newly added settings in there. CA isn't involved. But those using the app and being included in your CA for MFA can now use passwordless when authenticating, if you choose that. People can use Authenticator without this feature as long as the MFA service settings are ticked (phone, software token etc.).
Let me just add: if you target all users they will be affected, but it has nothing to do with CA. It's more about how users authenticate with the Authenticator app.
You can also run a campaign for your org. https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-registration-campaign
- BrianG-PPN, Nov 02, 2022, Brass Contributor
Thanks for your additional comments.
If I were to target all users with my Microsoft Authenticator settings and, for example, set Authentication mode to "Any" on the first page, then all users would be able to authenticate using Passwordless or Push authentication regardless of their Conditional Access settings, which may or may not require MFA.
Further, if I then also enabled require number matching for push notifications for all users on the Configure tab, all the users who have MFA required based on the Conditional Access policies would then have to complete the number matching steps, but this would be ignored for users who aren't required to use MFA.
Have I understood that properly?