Microsoft Tech Community

Disable approval popup in MS Authenticator app


Hi,

I have a tenant with MFA set up on all accounts, and most people use the Microsoft Authenticator app. Unfortunately someone was silly enough to press Approve on their phone when they weren't being prompted on their PC, and let in a hacker who knew their password. We're trying to educate them better, but I'd still like to remove the feature where they get that popup in the MS Authenticator app and make them get a code from the app only, so they can't accidentally let a hacker in. Can I do this by PowerShell somehow? I have 50+ users in this tenant, and other tenants I may want to change too, so it's not viable to ask them all to set up their MFA again a different way.

Running PowerShell reports shows they all have two MFA methods, PhoneAppNotification and PhoneAppOTP, so I assume I just need to remove PhoneAppNotification.

I found a script in the thread below to switch the default, but I assume that means a hacker could still try the other method and make their app show an approval popup; I want it removed.

https://techcommunity.microsoft.com/t5/azure-active-directory-identity/powershell-cmdlets-for-mfa-se...

# Script from the linked thread: registers both Authenticator methods on one user,
# with the push notification as the default. Needs the MSOnline module and a signed-in admin.
Import-Module MSOnline
Connect-MsolService

# Push notification ("approve" popup), marked as the default method
$m1 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m1.IsDefault = $true
$m1.MethodType = "PhoneAppNotification"

# Six-digit code generated by the app
$m2 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$m2.IsDefault = $false
$m2.MethodType = "PhoneAppOTP"

# Set-MsolUser replaces the user's whole method list with this array
$m = @($m1, $m2)
Set-MsolUser -UserPrincipalName "UPN" -StrongAuthenticationMethods $m

Thanks
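What the poster is actually after is the inverse of that script: keep PhoneAppOTP and drop PhoneAppNotification for every user who has both. The following is an added example, not the poster's code or anything from the linked thread. It uses the same MSOnline cmdlets (Get-MsolUser, Set-MsolUser, the StrongAuthenticationMethod object) and assumes the MSOnline module is installed and the signed-in account can run Set-MsolUser; MSOnline is a deprecated module, so treat this as a reference for the per-method logic. The $DryRun switch and the report columns are my own additions.

```powershell
# Added example (not from the original post): remove the Authenticator push method
# (PhoneAppNotification) from all users who also have PhoneAppOTP, leaving every
# other registered method in place and making the OTP code the default.
Import-Module MSOnline
Connect-MsolService

$DryRun = $true   # set to $false to actually write the change

$report = foreach ($user in Get-MsolUser -All) {
    $methods = @($user.StrongAuthenticationMethods)
    $types   = @($methods | ForEach-Object { $_.MethodType })

    # Nothing to do for users who never registered the push method.
    if ($types -notcontains 'PhoneAppNotification') { continue }

    # Never take away the only Authenticator method: report and skip instead of
    # leaving the user without a way to sign in.
    if ($types -notcontains 'PhoneAppOTP') {
        [pscustomobject]@{
            User      = $user.UserPrincipalName
            Action    = 'Skipped: no PhoneAppOTP registered'
            Remaining = ($types -join ',')
        }
        continue
    }

    # Set-MsolUser replaces the whole list, so copy every method except the push
    # one across, and mark exactly one of them (the OTP code) as the default.
    $keep = @(foreach ($m in $methods) {
        if ($m.MethodType -eq 'PhoneAppNotification') { continue }
        $copy = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
        $copy.MethodType = $m.MethodType
        $copy.IsDefault  = ($m.MethodType -eq 'PhoneAppOTP')
        $copy
    })

    if ($DryRun) {
        $action = 'Would remove PhoneAppNotification'
    } else {
        Set-MsolUser -UserPrincipalName $user.UserPrincipalName -StrongAuthenticationMethods $keep
        $action = 'Removed PhoneAppNotification'
    }

    [pscustomobject]@{
        User      = $user.UserPrincipalName
        Action    = $action
        Remaining = (($keep | ForEach-Object { $_.MethodType }) -join ',')
    }
}

$report | Format-Table -AutoSize
```

Run it once with $DryRun left at $true and read the report before flipping it. One caveat worth knowing before relying on this: it only edits what is registered today. A user who re-registers the Authenticator app through the security-info page gets the push method back, so the per-user change is not a substitute for the tenant-wide setting discussed in the replies below.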

3 Replies

@thomasrw

The easiest way to disable this for your users is to go to Per-User MFA and disable it for the tenant.

https://account.activedirectory.windowsazure.com/UserManagement/MfaSettings.aspx

Disable "Notifications through mobile app".

This will disable it for everyone.

 

However, there are other options for you if you still want to keep notifications but make them more secure. Specifically, notification code match: Use number matching in multifactor authentication (MFA) notifications (Preview) - Azure Active Direc...

You need to go to Azure AD to activate them; here is the link.

Authentication methods - Microsoft Azure
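The portal steps above can also be driven from PowerShell, which matters for someone who has several tenants to change. This is an added example, not code from the reply or from Microsoft: it patches the Microsoft Authenticator entry of the tenant's authentication methods policy through Microsoft Graph to require number matching and to show the application name and sign-in location in the push notification. It assumes the Microsoft.Graph PowerShell SDK is installed, that an admin can consent to the Policy.ReadWrite.AuthenticationMethod scope, and that the resource path and featureSettings property names are as I know them from the Graph authenticationMethodsPolicy resource; the feature was in preview when this thread was written, so confirm the names against current Graph documentation before running it.

```powershell
# Added example (not from the reply): enable number matching plus app and location
# context for Microsoft Authenticator push notifications, tenant-wide, via Graph.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod'

# Authenticator's entry in the tenant authentication methods policy (path assumed per Graph docs).
$uri = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator'

# Each feature setting is scoped to a group; the reserved id 'all_users' covers the whole tenant.
$allUsers = @{ targetType = 'group'; id = 'all_users' }

$body = @{
    '@odata.type'   = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration'
    featureSettings = @{
        # user must type the number shown on the sign-in page into the app
        numberMatchingRequiredState             = @{ state = 'enabled'; includeTarget = $allUsers }
        # notification shows which application is asking
        displayAppInformationRequiredState      = @{ state = 'enabled'; includeTarget = $allUsers }
        # notification shows the approximate sign-in location
        displayLocationInformationRequiredState = @{ state = 'enabled'; includeTarget = $allUsers }
    }
}

# PATCH only touches the properties in the body; the rest of the policy is untouched.
Invoke-MgGraphRequest -Method PATCH -Uri $uri -ContentType 'application/json' `
    -Body ($body | ConvertTo-Json -Depth 6)

# Read the policy back and list the state of each feature so the change is verified,
# not assumed. Invoke-MgGraphRequest returns a hashtable by default.
$cfg = Invoke-MgGraphRequest -Method GET -Uri $uri
$cfg.featureSettings.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{
        Feature = $_.Key
        State   = $_.Value.state
        Target  = $_.Value.includeTarget.id
    }
} | Format-Table -AutoSize
```

Two notes on the design. The settings are applied to all_users rather than a pilot group because the poster's problem is an unprompted approval anywhere in the tenant, and a user outside the pilot is exactly the one who will be phished. Since May 2023 Microsoft enforces number matching for every Authenticator push notification regardless of this setting, so on a current tenant only the two display-context settings still represent a choice.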


The first method didn't work, I think because we have security defaults enabled, so I don't think anything in that screen works.
But the second option is great: a notification with a short number code that needs to be entered is great, and enabling 'show additional context in notifications' shows more info about the login, which is great too.

Thank you.
How long does it take to get applied to all the users?