Forum Discussion
BrianG-PPN
Oct 28, 2022 | Brass Contributor
Authenticator Settings Target vs. Conditional Access
I recently saw that Microsoft has enabled some number matching functionality for Microsoft Authenticator to reduce the ability for users to be spammed into just accepting an MFA push notification tha...
- Oct 31, 2022
You can use the authenticator policy for enabling passwordless possibility with Authenticator, while also having the granularity of the newly added settings in there. CA isn't involved. But those using the app and being included in your CA for MFA can now use passwordless when authenticating, if you choose that. People can use Authenticator without this feature as long as the MFA service settings are ticked (phone, software token etc.)
Let me just add: if you target all users they will be affected, but it has nothing to do with CA. It's more about how users authenticate with the Authenticator app.
You can also run a campaign for your org. https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-registration-campaign
BrianG-PPN
Nov 02, 2022 | Brass Contributor
Thanks for your additional comments.
If I were to target all users with my Microsoft Authenticator settings and, for example, set Authentication mode to "Any" on the first page, then all users would be able to authenticate using Passwordless or Push authentication regardless of their Conditional Access settings, which may or may not require MFA.
Further, if I then also enabled require number matching for push notifications for all users on the Configure tab, all the users who have MFA required based on the Conditional Access policies would then have to complete the number matching steps, but this would be ignored for users who aren't required to use MFA.
Have I understood that properly?
Nov 02, 2022
Sounds right to me. As long as those users don’t add the Authenticator app in their security info settings as a method, and aren’t being prompted for MFA.