Blog Post

Microsoft Entra Blog
2 MIN READ

New Microsoft Authenticator security features are now available!

Alex Simons (AZURE)'s avatar
Nov 18, 2021

Howdy folks,

 

Last year, we shared ‘It’s Time To Hang Up On Phone Transports for Authentication’. Today, we are making Microsoft Authenticator even more secure for our users and easier to rollout for our admins.

 

  1. Admins can now prevent accidental approvals in Microsoft Authenticator with number matching and additional context (Public Preview).
  2. Admins can now setup GPS-location based Conditional Access policies using Microsoft Authenticator (GA).
  3. Admins can now nudge their users to setup Microsoft Authenticator during sign-in using the Registration Campaign feature (GA).

 

We would love for you to try these security upgrades to Microsoft Authenticator and let us know your thoughts! For more details about these exciting features please read below:

 

Number matching in Microsoft Authenticator MFA experience (Public Preview)

To increase security and reduce accidental approvals, admins can require users to enter the number displayed on the sign-in screen when approving an MFA request in Authenticator.

 

Figure 1 - Number Matching

 

To learn how to enable number matching for your users, click here.

 

Additional context in Microsoft Authenticator approval requests (Public Preview)

Another way to reduce accidental approvals is to show users additional context in Authenticator notifications. This feature will show users which application they are signing into and their sign-in location based on IP address.

 

Figure 2 - Additional Context with number match in notifications

 

To learn how to enable additional context for your users, click here.

 

GPS-based Named Locations (Generally Available)

Admins can now use Conditional Access policies to restrict resource access to the boundaries of a specific country by using the GPS signal from the Microsoft Authenticator.

 

Users with this feature enabled will be prompted to share their GPS location via the Microsoft Authenticator app during sign-in. To ensure the integrity of the GPS location, Microsoft Authenticator will deny authentication if the device is jailbroken or rooted.

 

Figure 3 – Add a new Named Location using GPS coordinates

 

To learn more, check out admin documentation, Graph API documentation, and FAQ page.

 

Microsoft Authenticator Registration Campaign (Generally Available)

Using the Microsoft Authenticator Registration Campaign, you can now nudge your users to set up Authenticator and move away from less secure telephony methods. The feature targets users who are enabled for Microsoft Authenticator but have not set it up. Users are prompted to set up Authenticator after completing an MFA sign-in and after the set-up experience their default authentication method is changed to the Microsoft Authenticator app.

 

To learn how to enable a Registration Campaign for your users, click here.

 

enable Registration Campaign

 

We want to hear from you! Feel free to leave comments down below or reach out to us on aka.ms/AzureADFeedback.

Regards,

Alex Simons (@Alex_A_Simons)

Corporate VP of Program Management

Microsoft Identity Division

 

 

Learn more about Microsoft identity:

Updated Nov 23, 2021
Version 4.0