SOLVED

Is it possible to prompt a user to authenticate through MS Authenticator when their risk increases?

%3CLINGO-SUB%20id%3D%22lingo-sub-2353298%22%20slang%3D%22en-US%22%3EIs%20it%20possible%20to%20prompt%20a%20user%20to%20authenticate%20through%20MS%20Authenticator%20when%20their%20risk%20increases%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2353298%22%20slang%3D%22en-US%22%3E%3CP%3EI%20am%20looking%20to%20prompt%20my%20users%20through%20the%20Microsoft%20Authenticator%20app%20when%20their%20user%20risk%20reaches%20high.%20I%20am%20using%20several%20third%20part%20security%20tools%20to%20calculate%20risk%20for%20each%20user%20and%20would%20really%20like%20to%20be%20able%20to%20prompt%20users%20through%20the%20MS%20Authenticator%20app%20using%20a%20push%20notification.%20Is%20this%20even%20possible%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2353298%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAccess%20Management%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2354088%22%20slang%3D%22en-US%22%3ERe%3A%20Is%20it%20possible%20to%20prompt%20a%20user%20to%20authenticate%20through%20MS%20Authenticator%20when%20their%20risk%20increas%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2354088%22%20slang%3D%22en-US%22%3EHello%2C%20yes%20I%20believe%20so.%20But%20you%20would%20have%20to%20use%20AAD%20P2%20with%20AAD%20Identity%20Protection%20and%20also%20only%20make%20the%20Authenticator%20app%20available%20as%20the%20MFA%20option.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2354167%22%20slang%3D%22en-US%22%3ERe%3A%20Is%20it%20possible%20to%20prompt%20a%20user%20to%20authenticate%20through%20MS%20Authenticator%20when%20their%20risk%20increas%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2354167%22%20slang%3D%22en-US%22%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1053469%22%20target%3D%22_blank%22%3E%40joeldavideng%3C%2FA%3E%20%2C%3CBR%20%2F%3E%3CBR%20%2F%3EI'll%20follow%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F588790%22%20target%3D%22_blank%22%3E%40ChristianJBergstrom%3C%2FA%3E%20.%20Here%20is%20a%20link%20with%20all%20informations%20about%20Identity%20Protection.%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fidentity-protection%2Foverview-identity-protection%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fidentity-protection%2Foverview-identity-protection%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EBest%20regards%2C%3CBR%20%2F%3ESchnittlauch%3CBR%20%2F%3E%3CBR%20%2F%3E%22First%2C%20No%20system%20is%20safe.%20Second%2C%20Aim%20for%20the%20impossible.%20Third%20no%20Backup%2C%20no%20Mercy%22%20-%20Schnittlauch%3CBR%20%2F%3E%3CBR%20%2F%3EMy%20answer%20helped%20you%3F%20Don't%20forget%20to%20leave%20a%20like.%20Also%20mark%20the%20answer%20as%20solved%20when%20your%20problem%20is%20solved.%20%3A)%3C%2Fimg%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2354668%22%20slang%3D%22en-US%22%3ERe%3A%20Is%20it%20possible%20to%20prompt%20a%20user%20to%20authenticate%20through%20MS%20Authenticator%20on%20demand%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2354668%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1045823%22%20target%3D%22_blank%22%3E%40Schnittlauch%3C%2FA%3E%26nbsp%3Band%26nbsp%3B%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F588790%22%20target%3D%22_blank%22%3E%40ChristianJBergstrom%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%2C%20thanks%20for%20the%20replies.%20When%20I%20was%20reading%20through%20the%20docs%20for%20Identity%20Protection%2C%20I%20saw%20that%20you%20can%20configure%20User%20Risk%20policies%2C%20which%20ultimately%20lead%20to%20a%20Block%20or%20Allow%20(with%20password%20change)%20option%2C%20or%20you%20could%20configure%20Sign%20In%20Risk%20policies%2C%20which%20lead%20to%20Block%20or%20Allow%20(with%20MFA%20prompt).%20I%20am%20actually%20looking%20for%20a%20blend%20of%20the%20two%2C%20where%20users%20aren't%20necessarily%20signing%20into%20any%20new%20applications%2C%20but%20are%20exhibiting%20enough%20risk%20I%20would%20like%20them%20to%20confirm%20their%20identity%20in%20the%20Authenticator%20app.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EI%20would%20like%20to%20refine%20my%20question%20to%2C%20Is%20is%20possible%20to%20prompt%20a%20user%20to%20authenticate%20through%20the%20MS%20Authenticator%20app%20on%20demand%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2354779%22%20slang%3D%22en-US%22%3ERe%3A%20Is%20it%20possible%20to%20prompt%20a%20user%20to%20authenticate%20through%20MS%20Authenticator%20on%20demand%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2354779%22%20slang%3D%22en-US%22%3E%3CP%20data-unlink%3D%22true%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1053469%22%20target%3D%22_blank%22%3E%40joeldavideng%3C%2FA%3E%26nbsp%3BHello%2C%20%3CSPAN%3Eif%20you%20have%20AAD%20P2%20with%20%3C%2FSPAN%3EIdentity%20Protection%2C%3CSPAN%3E%26nbsp%3Bsign-in%20risk%20and%20user-risk%20can%20be%20evaluated%20as%20part%20of%20a%20conditional%20access%20policy.%20If%20you%20then%20select%20%22require%20MFA%22%20and%20also%20have%20configured%20the%20authenticator%20app%20as%20the%20only%20MFA%20option%20it%20should%20be%20triggered.%3C%2FSPAN%3E%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3E%26nbsp%3B%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fconditional-access%2Fconcept-conditional-access-conditions%23sign-in-risk%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EConditions%20in%20Conditional%20Access%20policy%20-%20Azure%20Active%20Directory%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2356155%22%20slang%3D%22en-US%22%3ERe%3A%20Is%20it%20possible%20to%20prompt%20a%20user%20to%20authenticate%20through%20MS%20Authenticator%20on%20demand%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2356155%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F588790%22%20target%3D%22_blank%22%3E%40ChristianJBergstrom%3C%2FA%3E%2C%20I%20was%20able%20to%20set%20up%20a%20conditional%20access%20policy%20that%20only%20prompts%20a%20user%20for%20MFA%20if%20their%20risk%20is%20high%20when%20the%20user%20logs%20in%2C%20but%20I%20was%20not%20able%20to%20trigger%20an%20Authenticator%20prompt%20mid-session%20or%20if%20the%20user%20is%20not%20logged%20in%20at%20all.%20I%20believe%20I%20will%20need%20to%20pursue%20other%20options%20for%20triggering%20prompts%20based%20on%20actions%20other%20than%20logins%20given%20the%20limited%20number%20of%20actions%20conditional%20access%20policies%20support.%20Thanks%20for%20your%20help.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2356176%22%20slang%3D%22en-US%22%3ERe%3A%20Is%20it%20possible%20to%20prompt%20a%20user%20to%20authenticate%20through%20MS%20Authenticator%20on%20demand%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2356176%22%20slang%3D%22en-US%22%3ENot%20sure%20what%20you're%20after%20here%2C%20but%20there's%20massive%20risk%20calculations%20going%20on%20offline%20and%20real-time.%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fidentity-protection%2Fconcept-identity-protection-risks%23risk-types-and-detection%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fidentity-protection%2Fconcept-identity-protection-risks%23risk-types-and-detection%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EJust%20a%20brief%20heads-up%20how%20it%20works%20%3CA%20href%3D%22https%3A%2F%2Fblog.onevinn.com%2Fmcas-and-aad-identity-protection-threat-detection-and-automatic-response%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fblog.onevinn.com%2Fmcas-and-aad-identity-protection-threat-detection-and-automatic-response%3C%2FA%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

I am looking to prompt my users through the Microsoft Authenticator app when their user risk reaches high. I am using several third part security tools to calculate risk for each user and would really like to be able to prompt users through the MS Authenticator app using a push notification. Is this even possible?

10 Replies
Hello, yes I believe so. But you would have to use AAD P2 with AAD Identity Protection and also only make the Authenticator app available as the MFA option.
Hi @joeldavideng ,

I'll follow @ChristianJBergstrom . Here is a link with all informations about Identity Protection.

https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protec...

Best regards,
Schnittlauch

"First, No system is safe. Second, Aim for the impossible. Third no Backup, no Mercy" - Schnittlauch

My answer helped you? Don't forget to leave a like. Also mark the answer as solved when your problem is solved. :)

@Schnittlauch and  @ChristianJBergstrom , thanks for the replies. When I was reading through the docs for Identity Protection, I saw that you can configure User Risk policies, which ultimately lead to a Block or Allow (with password change) option, or you could configure Sign In Risk policies, which lead to Block or Allow (with MFA prompt). I am actually looking for a blend of the two, where users aren't necessarily signing into any new applications, but are exhibiting enough risk I would like them to confirm their identity in the Authenticator app. 

 

I would like to refine my question to, Is is possible to prompt a user to authenticate through the MS Authenticator app on demand?

@joeldavideng Hello, if you have AAD P2 with Identity Protection, sign-in risk and user-risk can be evaluated as part of a conditional access policy. If you then select "require MFA" and also have configured the authenticator app as the only MFA option it should be triggered.

 

Conditions in Conditional Access policy - Azure Active Directory | Microsoft Docs

@ChristianJBergstrom, I was able to set up a conditional access policy that only prompts a user for MFA if their risk is high when the user logs in, but I was not able to trigger an Authenticator prompt mid-session or if the user is not logged in at all. I believe I will need to pursue other options for triggering prompts based on actions other than logins given the limited number of actions conditional access policies support. Thanks for your help.

You are correct, there are a ton of things going on in background with Identity Protection already. What I'm going for is to unify external risk evaluation systems with Azure's risk system. So if my other tools determine a user is high risk, I'd like to be able to utilize Azure's notification system to just prompt the user to click yes or no in MS Authenticator. It sounded a lot like the Identity Protection feature was more open than it actually is for integrating third party tools.
best response confirmed by joeldavideng (Occasional Contributor)
Solution

@joeldavideng we manually increase the risk of a user when we discover a breach somewhere else.

That way, the user is prompted for a password change (forcing MFA is not possible ATM).

https://docs.microsoft.com/en-us/graph/api/riskyusers-confirmcompromised?view=graph-rest-beta&tabs=h...

Thanks for replying Thijs, just to be clear we should mention that you can do it with the "sign-in risk" and not "user-risk" at the moment, as also confirmed above.
Thanks Thijs. It sounds like you are implementing something very similar to what I was going for and ran into the same limitation. It's good to have clarity on what is actually possible.