If you have a look at the App Store (e.g. Apple) you see the following sentence:
Just approve the notification sent to the Microsoft Authenticator after entering your username, and provide your passcode or TouchID.
So the App is capable of asking me for a PIN or Touch ID, but...
Can someone tell me if and maybe how I can configure Azure MFA settings in a way that the App is forced to ask me for an additional PIN? I can just open the app and press confirm, but I would like the users to be asked for a PIN to confirm the login.
So you want a PIN on top of the actual mobile phone PIN? That would be incredibly frustrating for the user who has to unlock their phone and then unlock the app to then give access to a service. I think you've misread the line in the app description. Once you've authenticated to the phone you can then approve requests.
Yes... but. We have some discussion at the moment, because we are dealing with very confidential data: What if access to the system is done with the same mobile device on which the Authenticator App is also running? And let's assume that this device is compromised. Saved password in browser + authenticator app which is open.
That's the current discussion. I totally agree with you regarding usability. But I would like to know if an additional PIN or TouchID could be enforced, following the description in the AppStore.