Upcoming changes to managing MFA methods for hybrid customers
Published Jan 28 2021 09:00 AM

Howdy folks!

In November, I shared that we’re simplifying the MFA management experience to manage all authentication methods directly in Azure AD. This change has been successfully rolled out to cloud-only customers. To make this transition smooth for hybrid customers, starting February 1, 2021, we will be updating the authentication numbers of synced users to accurately reflect the phone numbers used for MFA.

Daniel Wood, a Program Manager on the Identity Security team, will share the details of this change for hybrid customers. As always, please share your feedback in the comments below or reach out to the team with any questions.

Best regards,

Alex Simons (Twitter: Alex_A_Simons)
Corporate Vice President of Program Management
Microsoft Identity Division

---------------------------------------------------------

Hi everyone,

It’s never been more important to enforce MFA. As part of our efforts to make hybrid MFA deployments simpler and more secure, we’ll be updating empty authentication numbers with users’ public phone numbers if those numbers are being used for MFA. This change doesn’t affect the end user experience, but here’s what you’ll see as an admin after February 1:

Changes to user records

Starting February 1, 2021, for synced users who are using public profile numbers for MFA, Microsoft will copy the public number to the user’s corresponding authentication number. Once the authentication number is populated, the MFA service will call that authentication number instead of the public number. Microsoft will copy subsequent changes to the public number over to the authentication number until May 1, 2021 (except deletions of the public number).

Managing users’ authentication numbers

Going forward, you can manage your users’ authentication numbers directly in Azure AD using:

1. The user authentication methods UX

2. Microsoft Graph authentication methods APIs

3. Microsoft.Graph.Identity.Signins PowerShell module

4. End users can update their authentication numbers in the security info tab of MyAccount.


We hope these changes will significantly simplify how users and admins manage their authentication methods while enhancing security. Please let us know your thoughts by leaving a comment below.

Best,

Daniel Wood (Twitter: Daniel_E_Wood)
Program Manager,
Microsoft Identity Division

10 Comments

How does this affect customers that have explicitly used other numbers for MFA? Have customers where we have used scripts to populate thousands of users with primarily mobile numbers from user profiles, but also in some cases other fields have been used. Is there an opt-out opportunity for this copy task? The scripts are already using the new APIs.

Microsoft

Hi Jan, thanks for the good question! In the previous blog we explained how users have two distinct sets of phone numbers:

  • Public numbers, which are managed in the user profile and currently only used for MFA if the method is configured for MFA but the corresponding authentication number is empty.
  • Authentication numbers, which are used for MFA, managed in Azure AD and always kept private.

As part of this change starting Feb 1, Microsoft will copy synced users' public numbers over to their corresponding authentication numbers only if the public number is currently used for MFA and the corresponding authentication number is empty. That way, all users will continue performing MFA with the same number, but if the user happened to be calling their public number, they would now be calling their authentication number, which is more secure.

Additionally, in order to give customers a few months to transition to managing authentication methods directly in Azure AD, we will keep public and authentication numbers that are used for MFA in sync until May 1. Subsequent updates to a public number will be copied to the corresponding authentication number as follows:

  1. For synced users, if the public number and corresponding authentication number are the same, also update the authentication number.
  2. For synced users, if the public number and corresponding authentication number are different, do not update the authentication number (because the authentication number is already out of sync and being used for MFA).
  3. For synced users, if the public number is deleted, do not delete the corresponding authentication number. Admins should delete authentication numbers directly if necessary.

Admins cannot opt out of this copy task. Hope this helps answer your question!
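The copy task from the post above ("Changes to user records") and the three sync rules in this reply, modelled as an added example. This is not Microsoft's code and not the service implementation; it reads the stated rules literally so an admin can reason about which authentication numbers the task will and will not touch. The mapping of the profile fields mobilePhone and businessPhone to the authentication phone types mobile and office is an assumption (the post only says "corresponding"), and the users and numbers are constructed sample data:

```python
# Added example (not Microsoft's code): a literal model of the public-number ->
# authentication-number copy task and the three sync rules for synced users.
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Optional, Set

COPY_START = date(2021, 2, 1)   # copy task starts
SYNC_END = date(2021, 5, 1)     # public -> authentication sync stops

# ASSUMPTION: which profile (public) field corresponds to which authentication
# phone type. "mobile" and "office" are the Graph phoneMethods phoneType values.
PUBLIC_TO_AUTH = {"mobilePhone": "mobile", "businessPhone": "office"}


@dataclass
class User:
    upn: str
    synced: bool                                          # synced from on-premises AD?
    public: Dict[str, Optional[str]] = field(default_factory=dict)  # profile numbers
    auth: Dict[str, Optional[str]] = field(default_factory=dict)    # private auth numbers
    mfa_methods: Set[str] = field(default_factory=set)    # phone types configured for MFA


def public_number_used_for_mfa(user: User, auth_type: str) -> bool:
    """Per the reply: the public number is used for MFA only when the method is
    configured for MFA and the corresponding authentication number is empty."""
    return auth_type in user.mfa_methods and not user.auth.get(auth_type)


def initial_copy(user: User, today: date) -> Dict[str, str]:
    """The Feb 1 copy task for one user. Cloud-only users are out of scope.
    Returns the authentication numbers that were populated."""
    populated: Dict[str, str] = {}
    if not user.synced or today < COPY_START:
        return populated
    for pub_field, auth_type in PUBLIC_TO_AUTH.items():
        pub = user.public.get(pub_field)
        if pub and public_number_used_for_mfa(user, auth_type):
            user.auth[auth_type] = pub
            populated[auth_type] = pub
    return populated


def on_public_change(user: User, pub_field: str, new_value: Optional[str], today: date) -> str:
    """Apply a change to a public number (None = deletion) and report which rule fired.
    Rules 1-3 are the reply's; an empty authentication number still in use for MFA is
    populated exactly as the copy task would (that is an assumption about ordering)."""
    auth_type = PUBLIC_TO_AUTH[pub_field]
    old_value = user.public.get(pub_field)
    user.public[pub_field] = new_value
    if not user.synced:
        return "cloud-only: not in scope"
    if not (COPY_START <= today < SYNC_END):
        return "outside sync window: authentication number untouched"
    if new_value is None:
        return "rule 3: public number deleted, authentication number kept"
    current_auth = user.auth.get(auth_type)
    if not current_auth:
        if auth_type in user.mfa_methods:
            user.auth[auth_type] = new_value
            return "copy: empty authentication number populated"
        return "not used for MFA: nothing to sync"
    if current_auth == old_value:
        user.auth[auth_type] = new_value
        return "rule 1: numbers matched, authentication number updated"
    return "rule 2: numbers differed, authentication number left alone"


def demo():
    """Walk one constructed synced user through the timeline; returns (user, log)."""
    alice = User(upn="alice@contoso.example", synced=True,
                 public={"mobilePhone": "+1 555 0100", "businessPhone": None},
                 mfa_methods={"mobile"})
    log = [initial_copy(alice, date(2021, 2, 1))]                                # copy
    log.append(on_public_change(alice, "mobilePhone", "+1 555 0199", date(2021, 3, 1)))  # rule 1
    alice.auth["mobile"] = "+1 555 0300"   # admin sets a private number via Graph/PowerShell
    log.append(on_public_change(alice, "mobilePhone", "+1 555 0400", date(2021, 3, 2)))  # rule 2
    log.append(on_public_change(alice, "mobilePhone", None, date(2021, 3, 3)))          # rule 3
    log.append(on_public_change(alice, "mobilePhone", "+1 555 0500", date(2021, 5, 1)))  # after May 1
    return alice, log


if __name__ == "__main__":
    user, events = demo()
    for event in events:
        print(event)
    print("final authentication numbers:", user.auth)
```

Rule 2 is the part that answers Jan's question: an authentication number that a script has already written directly is never overwritten by a later public-number change, and rule 3 means it survives deletion of the public number as well.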

Copper Contributor

Hi,

Any news on being able to manage/upload/activate OATH OTP tokens via the API?

thanks,

Microsoft

We don't have any news there, but the team is working to eventually enable that scenario. Will keep you updated once there is more to share.

Copper Contributor

Any idea when the application permission UserAuthenticationMethod.ReadWrite.All is going to leave private preview?

Copper Contributor

Have there been recent changes to MFA for cloud-only users which would now cause Outlook to require an app password even with MS 365 Apps for business?

Microsoft

@jandrewartha -- the Authentication Methods APIs (and that permission) are in beta (public preview). While I can't share an estimated date, the team is working to bring the APIs to GA!

@Adm-dosmith -- no recent changes that I would expect to cause that behavior.

Copper Contributor

@danielwood95 https://docs.microsoft.com/en-us/graph/permissions-reference#user-authentication-method-permissions-... says the delegated permission for UserAuthenticationMethod.ReadWrite.All is in preview, but the application permission for UserAuthenticationMethod.ReadWrite.All (which I need) is in private preview.

Microsoft

Hi @James Andrewartha, UserAuthenticationMethod.* Application Permissions are now in Public Preview. I'm updating the doc now, thanks for catching it.

Copper Contributor

Hi @danielwood95,

You have stated that "Starting February 1, 2021, for synced users who are using public profile numbers for MFA, Microsoft will copy the public number to users’ corresponding authentication number."

Would it be possible to post this code, or at least some snippets that detail the logic? This would help quite a bit!

Thanks,

Graham

Last update: Aug 19 2021 04:22 PM