Forum Discussion

Brass Contributor

Oct 28, 2022

Solved

Authenticator Settings Target vs. Conditional Access

I recently saw that Microsoft has enabled some number matching functionality for Microsoft Authenticator to reduce the ability for users to be spammed into just accepting an MFA push notification tha...

Conditional Access

Multifactor Authentication

ChristianJBergstrom
Oct 31, 2022
You can use the authenticator policy for enabling passwordless possibility with Authenticator, while also having the granularity of the newly added settings in there. CA isn't involved. But those using the app and being included in your CA for MFA can now use passwordless when authenticating, if you choose that. People can use Authenticator without this feature as long as the MFA service settings are ticked (phone, software token etc.)

Let me just add if you target all users they will be affected, but has nothing to do with CA. It's more about how users authenticate with the Authenticator app.

You can also run a campaign for your org. https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-registration-campaign

ChristianJBergstrom

MVP

Oct 29, 2022

Think about the authentication methods policy for the Authenticator app as adding more granularity to those using the app and being scoped in there. It will not interfere with your conditional access policies.

BrianG-PPN

Brass Contributor

Oct 31, 2022

So if my Conditional Access policy excludes a handful of accounts from requiring MFA and I then enable Microsoft Authenticator for a target of All users will the accounts which are excluded from MFA in my Conditional Access policy be impacted by the Authenticator settings thereby interering with my already determined requirements?

ChristianJBergstrom
MVP
Oct 31, 2022
You can use the authenticator policy for enabling passwordless possibility with Authenticator, while also having the granularity of the newly added settings in there. CA isn't involved. But those using the app and being included in your CA for MFA can now use passwordless when authenticating, if you choose that. People can use Authenticator without this feature as long as the MFA service settings are ticked (phone, software token etc.)

Let me just add if you target all users they will be affected, but has nothing to do with CA. It's more about how users authenticate with the Authenticator app.

You can also run a campaign for your org. https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-registration-campaign
- BrianG-PPN
  Brass Contributor
  Nov 02, 2022
  Thanks for your additional comments.
  
  If I were to target all users with my Microsoft Authenticator settings to, for example, and set Authentication mode to "Any" on the first page then all users would be able to authenticate using Passwordless or Push authentication regardless of their Conditional Acces settings which may or may not require MFA.
  
  Further, if then also enabled require number matching for push notifications for all users on the Configure tab all the users who have MFA required based on the Conditional Access policies would then have to complete the number matching steps but this would be ignored for users who aren't required to use MFA.
  
  Have I understood that properly?
  - ChristianJBergstrom
    MVP
    Nov 02, 2022
    Sounds right to me. As long as those users doesn’t add the Authenticator app in their security info settings as a method, and aren’t being prompted for MFA.