Don't allow the Microsoft Authenticator app to popup with approval button


Hi, 

 

I have a tenant with MFA set up on all accounts and most people have used the Microsoft Authenticator app. Unfortunately someone was silly enough to press approve on their phone when they weren't getting prompted on their PC, and let a hacker in who knew their password. We're trying to educate them better but still I'd like to remove the feature where they get that popup in the MS Auth app, and make them have to get a code from the app only so they can't accidentally let a hacker in. Can I do this by PowerShell somehow? I have 50+ users in this tenant and other tenants I may want to change too, so it's not viable to ask them all to set up their MFA again a different way.

 

Running PowerShell reports shows they all have two MFA methods, PhoneAppNotification and PhoneAppOTP, and so I assume I just need to remove PhoneAppNotification.

I found a script in the below thread to switch the default, but I assume that means a hacker could still try the other method and make their app do an approval popup; I want it removed. I also am not good enough with PowerShell scripts to edit this so it loops through all users.

 

 

https://techcommunity.microsoft.com/t5/azure-active-directory-identity/powershell-cmdlets-for-mfa-settings/m-p/157678/thread-id/132

 

# Requires the MSOnline module; sign in to the tenant first.
Connect-MsolService

# Method 1: Authenticator push notification, marked as the user's default
$m1 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m1.IsDefault = $true
$m1.MethodType = "PhoneAppNotification"

# Method 2: Authenticator one-time code (OTP), not the default
$m2 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m2.IsDefault = $false
$m2.MethodType = "PhoneAppOTP"

# Replace the user's registered methods with exactly this pair.
# "UPN" is a placeholder for the user's UserPrincipalName.
$m = @($m1, $m2)
Set-MsolUser -UserPrincipalName "UPN" -StrongAuthenticationMethods $m

 

 

Thanks

 
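The loop the question asks for, as an added example that is not part of the original post or of the linked thread: it walks every user in the tenant with the same MSOnline cmdlets and StrongAuthenticationMethod objects shown above, drops PhoneAppNotification from each user's registered methods, keeps every other method the user already has, and makes PhoneAppOTP the default. It assumes the MSOnline module is installed and that the signed-in account holds a role allowed to run Set-MsolUser on other users; the script name and the -UserPrincipalName parameter are choices made for this example. Users who have the push method but no OTP method are reported and left alone, so the script never strips someone's only working factor.

```powershell
# Remove-AuthenticatorPush.ps1 (example script, not from the original post)
# Removes the PhoneAppNotification (push approval) method from per-user MFA
# registrations tenant-wide, keeps all other methods, and makes PhoneAppOTP
# (the six-digit code in the Authenticator app) the default.
# Run with -WhatIf first to list the users that would change.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Optional: limit the run to one user for a trial, e.g. -UserPrincipalName user@contoso.com
    [string]$UserPrincipalName
)

Import-Module MSOnline
Connect-MsolService

# Rebuild a user's method list without the push method. Every other method is
# copied over unchanged; only the IsDefault flag is recomputed so that OTP wins.
function Remove-PushMethod {
    param([object[]]$Methods)
    $kept = @()
    foreach ($m in $Methods) {
        if ($m.MethodType -eq "PhoneAppNotification") { continue }
        $copy = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
        $copy.MethodType = $m.MethodType
        $copy.IsDefault  = ($m.MethodType -eq "PhoneAppOTP")
        $kept += $copy
    }
    return ,$kept   # leading comma keeps a single element as an array
}

$users = if ($UserPrincipalName) {
    Get-MsolUser -UserPrincipalName $UserPrincipalName
} else {
    Get-MsolUser -All
}

$changed = @()
$skipped = @()
foreach ($u in $users) {
    $methods = @($u.StrongAuthenticationMethods)
    $hasPush = [bool]($methods | Where-Object { $_.MethodType -eq "PhoneAppNotification" })
    $hasOtp  = [bool]($methods | Where-Object { $_.MethodType -eq "PhoneAppOTP" })

    if (-not $hasPush) { continue }          # nothing to remove for this user
    if (-not $hasOtp) {                      # no code method to fall back on; report, do not touch
        Write-Warning "$($u.UserPrincipalName): has PhoneAppNotification but no PhoneAppOTP, skipping"
        $skipped += $u.UserPrincipalName
        continue
    }

    if ($PSCmdlet.ShouldProcess($u.UserPrincipalName, "Remove PhoneAppNotification, make PhoneAppOTP default")) {
        Set-MsolUser -UserPrincipalName $u.UserPrincipalName -StrongAuthenticationMethods (Remove-PushMethod $methods)
        $changed += $u.UserPrincipalName
    }
}

Write-Output "Updated $($changed.Count) user(s); skipped $($skipped.Count) user(s) without an OTP method."
$changed
```

Two caveats for anyone running this. First, it edits each user's registered methods, not the tenant's allowed methods, so a user who re-registers the Authenticator app later can get push approvals back; the tenant-wide "Notifications through mobile app" setting in the per-user MFA service settings is what prevents that. Second, Microsoft has since deprecated the MSOnline module in favour of Microsoft Graph PowerShell, so treat this as the pattern (filter the method list, rewrite it, make the code method the default) rather than a long-term tool.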

@thomasrw

The easiest way to disable this for your users is to go to Per-User MFA and disable it for the tenant.

https://account.activedirectory.windowsazure.com/UserManagement/MfaSettings.aspx

Disable Notifications through Mobile App. 

[Screenshot: per-user MFA service settings page with "Notifications through mobile app" unticked]

This will disable it for everyone.

 

However, there are other options for you if you still want to keep notifications but make them more secure. Specifically Notifications Code Match. Use number matching in multifactor authentication (MFA) notifications (Preview) - Azure Active Directory | Microsoft Docs (https://docs.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-number-match)

You need to go to Azure AD to activate them; here is the link.

Authentication methods - Microsoft Azure (https://portal.azure.com/#blade/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/AdminAuthMethods)