Advanced Microsoft Authenticator security features are now generally available!
Published Oct 25 2022 07:11 AM 54.2K Views
Microsoft

After announcing the public preview of critical Microsoft Authenticator security features, we’re thrilled today to share that these features are now Generally Available for you to further secure your organization: 

 

  1. Admins can now prevent accidental approvals in Microsoft Authenticator with number matching, location context, and application context. 
  2. Admins can now better manage the Microsoft Authenticator app with new Admin UX and Admin APIs. 

 

For more details about these exciting features, please read below:  

 

Last month, we talked about the increase in MFA fatigue attacks and recommended best practices organizations should adopt to increase their security. To protect you, we’ll automatically enable critical security features to tackle ever-changing threat vectors. At the end of February 2023, we’ll enable number matching for all Authenticator users. We highly recommend that you leverage the rollout controls and deploy these exciting security upgrades to Microsoft Authenticator. 

 

Number matching in Microsoft Authenticator MFA experience 

To prevent accidental approvals and defend against MFA attacks, admins can require users to enter the number displayed on the sign-in screen when approving an MFA request in Authenticator.  

 

Figure 1 - Number MatchingFigure 1 - Number Matching

 

To learn how to enable number matching for your users, click here.  

 

Additional context in Microsoft Authenticator approval requests  

Another way to reduce accidental approvals is to show users additional context in Authenticator notifications. Admins can now selectively choose to enable the following: 

 

  1. Application context: Show users which application they’re signing into. 
  2. Location context: Show users their sign-in location based on the IP address of the device they’re signing into.   
 
 

Figure 2 - Additional Context with number match in notificationsFigure 2 - Additional Context with number match in notifications

 

To learn how to enable additional context for your users, click here.  

 

Refreshed Admin UX and APIs

Admins can now better manage their Microsoft Authenticator app features with our refreshed Admin UX and APIs. Use the new “Configure” tab in the Admin UX to enable/disable different features. It now also includes the highly requested capability to exclude groups from features to assist with smoother feature rollouts. 

 
Note: These rollout controls will be removed for number matching once it has been enabled for all at the end of February 2023. 

 

 

Figure 3 – Refreshed Admin UXFigure 3 – Refreshed Admin UX

 

If you haven’t already, you can use Registration Campaigns to seamlessly deploy the Authenticator app within your organization with these security upgrades to better protect your organization. 

 

Ongoing enhancements for security and usability

 

The Authenticator app is constantly innovating to include enhanced security and experience features. Authenticator on iOS now uses App Transport Security (ATS). This security feature improves the privacy and data integrity between Authenticator and web services. This improvement is now enabled for all and does not impact how you use your app. In addition, users on Android can now search their accounts, with search on iOS rolling out soon. 

 

As always, we want to hear from you! Feel free to leave comments down below or reach out to us on aka.ms/AzureADFeedback. 
 

Best regards, 

Alex Weinert (@Alex_T_Weinert) 

VP Director of Identity Security, Microsoft 

 

 

Learn more about Microsoft identity: 

18 Comments
Co-Authors
Version history
Last update:
‎Oct 25 2022 07:04 AM
Updated by: