cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Is it possible to prompt a user to authenticate through MS Authenticator when their risk increases?

joeldavideng
Occasional Contributor

‎May 13 2021 05:17 PM - last edited on ‎Jan 14 2022 03:27 PM by

‎May 13 2021 05:17 PM - last edited on ‎Jan 14 2022 03:27 PM by

Is it possible to prompt a user to authenticate through MS Authenticator when their risk increases?

I am looking to prompt my users through the Microsoft Authenticator app when their user risk reaches high. I am using several third part security tools to calculate risk for each user and would really like to be able to prompt users through the MS Authenticator app using a push notification. Is this even possible?

1,357 Views
1 Like
10 Replies
Reply
10 Replies
ChristianJBergstrom

‎May 14 2021 01:46 AM

‎May 14 2021 01:46 AM

Re: Is it possible to prompt a user to authenticate through MS Authenticator when their risk increas

Hello, yes I believe so. But you would have to use AAD P2 with AAD Identity Protection and also only make the Authenticator app available as the MFA option.
1 Like
Reply
Schnittlauch

‎May 14 2021 02:15 AM

‎May 14 2021 02:15 AM

Re: Is it possible to prompt a user to authenticate through MS Authenticator when their risk increas

Hi @joeldavideng ,

I'll follow @ChristianJBergstrom . Here is a link with all informations about Identity Protection.

https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protec...

Best regards,
Schnittlauch

"First, No system is safe. Second, Aim for the impossible. Third no Backup, no Mercy" - Schnittlauch

My answer helped you? Don't forget to leave a like. Also mark the answer as solved when your problem is solved. :)
0 Likes
Reply
joeldavideng

‎May 14 2021 05:47 AM

‎May 14 2021 05:47 AM

Re: Is it possible to prompt a user to authenticate through MS Authenticator on demand

@Schnittlauch and  @ChristianJBergstrom , thanks for the replies. When I was reading through the docs for Identity Protection, I saw that you can configure User Risk policies, which ultimately lead to a Block or Allow (with password change) option, or you could configure Sign In Risk policies, which lead to Block or Allow (with MFA prompt). I am actually looking for a blend of the two, where users aren't necessarily signing into any new applications, but are exhibiting enough risk I would like them to confirm their identity in the Authenticator app. 

 

I would like to refine my question to, Is is possible to prompt a user to authenticate through the MS Authenticator app on demand?

0 Likes
Reply
ChristianJBergstrom

‎May 14 2021 06:37 AM

‎May 14 2021 06:37 AM

Re: Is it possible to prompt a user to authenticate through MS Authenticator on demand

@joeldavideng Hello, if you have AAD P2 with Identity Protection, sign-in risk and user-risk can be evaluated as part of a conditional access policy. If you then select "require MFA" and also have configured the authenticator app as the only MFA option it should be triggered.

 

Conditions in Conditional Access policy - Azure Active Directory | Microsoft Docs

0 Likes
Reply
joeldavideng

‎May 14 2021 01:09 PM - edited ‎May 14 2021 01:10 PM

‎May 14 2021 01:09 PM - edited ‎May 14 2021 01:10 PM

Re: Is it possible to prompt a user to authenticate through MS Authenticator on demand

@ChristianJBergstrom, I was able to set up a conditional access policy that only prompts a user for MFA if their risk is high when the user logs in, but I was not able to trigger an Authenticator prompt mid-session or if the user is not logged in at all. I believe I will need to pursue other options for triggering prompts based on actions other than logins given the limited number of actions conditional access policies support. Thanks for your help.

0 Likes
Reply
joeldavideng

‎May 14 2021 03:20 PM

‎May 14 2021 03:20 PM

Re: Is it possible to prompt a user to authenticate through MS Authenticator on demand

You are correct, there are a ton of things going on in background with Identity Protection already. What I'm going for is to unify external risk evaluation systems with Azure's risk system. So if my other tools determine a user is high risk, I'd like to be able to utilize Azure's notification system to just prompt the user to click yes or no in MS Authenticator. It sounded a lot like the Identity Protection feature was more open than it actually is for integrating third party tools.
0 Likes
Reply
best response confirmed by joeldavideng (Occasional Contributor)
Thijs Lecomte

‎May 17 2021 03:39 AM

‎May 17 2021 03:39 AM

Solution

Re: Is it possible to prompt a user to authenticate through MS Authenticator on demand

@joeldavideng we manually increase the risk of a user when we discover a breach somewhere else.

That way, the user is prompted for a password change (forcing MFA is not possible ATM).

https://docs.microsoft.com/en-us/graph/api/riskyusers-confirmcompromised?view=graph-rest-beta&tabs=h...

1 Like
Reply
ChristianJBergstrom

‎May 17 2021 04:35 AM

‎May 17 2021 04:35 AM

Re: Is it possible to prompt a user to authenticate through MS Authenticator on demand

Thanks for replying Thijs, just to be clear we should mention that you can do it with the "sign-in risk" and not "user-risk" at the moment, as also confirmed above.
1 Like
Reply
joeldavideng

‎May 18 2021 01:20 PM

‎May 18 2021 01:20 PM

Re: Is it possible to prompt a user to authenticate through MS Authenticator on demand

Thanks Thijs. It sounds like you are implementing something very similar to what I was going for and ran into the same limitation. It's good to have clarity on what is actually possible.
0 Likes
Reply