Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
Modernizing Authentication Management
Published May 09 2023 09:00 AM 15.3K Views
Microsoft

We’re thrilled to announce two key updates to how you manage your authentication experiences! The General Availability of Converged Authentication Methods and Public Preview of a modernized version of multifactor authentication (MFA) Fraud Alert. 

 

The General Availability of Converged Authentication Methods allows all methods used for authentication and password reset to be centrally managed and with more control, providing the ability to target groups of users.  

 

The Public Preview of modern MFA Fraud Alert brings the configuration into the authentication methods policy and integrates this user-reported signal of suspicious MFA prompts with Identity protection. 

 

Converged Authentication Methods 

Historically, methods had to be managed separately for MFA and self-service password reset. Now, they can both be managed in one policy alongside passwordless methods like FIDO2 security keys and certificate-based authentication. Newly added methods include SMS, Voice Calls, Third-party Software OATH, and Email OTP.  

 

SHDriggers_0-1678896720146.png

 

 

Methods can now be managed more granularly, with the option to enable them for specific groups of users instead of all users and the ability to exclude groups of users from being targeted. This means you can perform actions like trial methods with pilot groups and limit lower security methods like SMS and Voice to smaller groups of users. 

 

SHDriggers_1-1678791449704.png

 

 

We’ve also added a migration control to help you migrate methods from the legacy MFA and self-service password reset policies to the authentication methods policy. The control lets you move and test methods individually, before having to disable methods in the legacy policies.  

 

 

SHDriggers_2-1678730621461.png

 
Later in 2024 we’ll be deprecating the ability to manage authentication methods in the legacy policies. As you migrate, we recommend stepping up your security posture by moving away from SMS and Voice , and enabling more secure methods like Microsoft Authenticator and FIDO2 Security keys, if you haven’t already.  

 

Learn more about managing authentication methods and migrating to the authentication methods policy, and migrate ASAP! 

 

Report Suspicious Activity 

Azure Active Directory (Azure AD) has had the MFA Fraud Alert feature, which enabled users to report suspicious MFA prompts they received on the Microsoft Authenticator app or via phone. Users had the option to be added to a block list where the user would no longer receive MFA prompts until removed, a manual task for admins. Administration of Fraud Alert and the blocklist all required Global Admin privileges. We’ve modernized Fraud Alert with Report Suspicious Activity, moving the configuration for the feature to the authentication methods policy to enable configuration from the same location as other authentication related settings. Now we’ve integrated the alert events with Identity Protection for more comprehensive and configurable action once a user reports a prompt. 

 

You can enable Report Suspicious Activity, and target either all of your users or an initial test group, via the new Settings in the Authentication methods UX, or via the authentication methods MSGraph API. 

 

 

SHDriggers_3-1678730621463.png

 

Once enabled, if a user reports a MFA phone app push notification or voice MFA prompt as suspicious, the user account will be marked with user risk High. You can then use risk-based policies to have greater control over the specific remediation for these users, whether it’s requiring immediate password change through self-service password reset, requiring MFA for all authentications until the risk is remediated, or blocking authentication until the risk is remediated.   

 

SHDriggers_0-1679611522396.png

 

If you don’t have P2, you can also use the risk event to disable the account until the risk can be remediated, for similar functionality to the legacy MFA blocklist. 

 

Report Suspicious Activity will function in parallel with the legacy MFA Fraud Alert during preview, so if you have Fraud Alert enabled with automatic blocking, you’ll need to both remediate the risk for users in scope for Report Suspicious Activity as well as remove the user from the MFA blocklist. 

 

Learn more about configuring Report Suspicious Activity and how to leverage risk-based policies and try Suspicious Activity now. 

 

As always, let us know your feedback. 

 

Best regards,   

Alex Weinert (@Alex_T_Weinert)   

VP Director of Identity Security, Microsoft  

 

 

Learn more about Microsoft identity: 

7 Comments
Co-Authors
Version history
Last update:
‎Mar 23 2023 03:45 PM
Updated by: