Blog Post

Microsoft Entra Blog
2 MIN READ

Upcoming changes to managing MFA methods for hybrid customers

Alex Simons (AZURE)'s avatar
Jan 28, 2021

Howdy folks!

 

In November, I shared that we’re simplifying the MFA management experience to manage all authentication methods directly in Azure AD. This change has been successfully rolled out to cloud-only customers. To make this transition smooth for hybrid customers, starting February 1, 2021, we will be updating the authentication numbers of synced users to accurately reflect the phone numbers used for MFA.

 

Daniel Wood, a Program Manager on the Identity Security team will share the details of this change for hybrid customers. As always, please share your feedback in the comments below or reach out to the team with any questions.

 

Best regards,

Alex Simons (Twitter: Alex_A_Simons)

Corporate Vice President of Program Management

Microsoft Identity Division

 

 

---------------------------------------------------------

 

 

Hi everyone,

 

It’s never been more important to enforce MFA. As part of our efforts to make hybrid MFA deployments simpler and more secure, we’ll be updating empty authentication numbers with users’ public phone numbers if those numbers are being used for MFA. This change doesn’t affect the end user experience, but here’s what you’ll see as an admin after February 1:

 

Changes to user records

Starting February 1, 2021, for synced users who are using public profile numbers for MFA, Microsoft will copy the public number to users’ corresponding authentication number. Once the authentication number is populated, the MFA service will call that authentication number, instead of the public number. Microsoft will copy subsequent changes to the public number over to the authentication number until May 1, 2021 (except deletions of the public number).

 

Managing users’ authentication numbers

Going forward, you can manage your users’ authentication numbers directly in Azure AD using:

 

1. The user authentication methods UX

 

2. Microsoft Graph authentication methods APIs

 

 

3. Microsoft.Graph.Identity.Signins PowerShell module

 

 

4. End users can update their authentication numbers in the security info tab of MyAccount.

 

 

We hope these changes will significantly simplify how users and admins manage their authentication methods while enhancing security. Please let us know your thoughts by leaving a comment below.

 

Best,

Daniel Wood (Twitter: Daniel_E_Wood)

Program Manager,

Microsoft Identity Division

 

Updated Aug 19, 2021
Version 2.0
  • Hi Jan, thanks for the good question! In the previous blog we explained how users have two distinct sets of phone numbers: 

    • Public numbers, which are managed in the user profile and currently only used for MFA if the method is configured for MFA but the corresponding authentication number is empty.
    • Authentication numbers, which are used for MFA, managed in Azure AD  and always kept private.

    As part of this change starting Feb 1, Microsoft will copy synced users' public numbers over to their corresponding authentication numbers only if the public number is currently used for MFA and the corresponding authentication number is empty. That way, all users will continue performing MFA with the same number, but if the user happened to be calling their public number, they would now be calling their authentication number, which is more secure. 

     

    Additionally, in order to give customers a few months to transition to managing authentication methods directly in Azure AD, we will keep public and authentication numbers that are used for MFA in sync until May 1. Subsequent updates to a public number will be copied to the corresponding authentication number as follows: 

    1. For synced users, if the public number and corresponding authentication number are the same, also update the authentication number. 
    2. For synced users, if the public number and corresponding authentication number are different, do not update the authentication number (because the authentication number is already out of sync and being used for MFA).
    3. For synced users, if the public number is deleted, do not delete the corresponding authentication number. Admins should delete authentication numbers directly if necessary. 

    Admins cannot opt out of this copy task. Hope this helps answer your question!

  • jandrewartha -- the Authentication Methods APIs (and that permission) are in beta (public preview). While I can't share an estimated date, the team is working to bring the APIs go GA! 

     

    Adm-dosmith -- no recent changes that I would expect to cause that behavior. 

  • How does this affect customers that has explicitly used other numbers for MFA? Have customers where we have used scripts to populate thousands of users with primarily mobile numbers from user profiles, but also in some cases other fields have been used. Is there an opt-out opportunity for this copy task? The scripts are already using the new APIs. 

  • apnet1205's avatar
    apnet1205
    Copper Contributor

    Hi,

    Any news on being able to manage/upload/activate OATH OTP tokens via the API?

    thanks,

  • We don't have any news to there, but the team is working to eventually to enabled that scenario. Will keep you updated once there is more to share. 

  • jandrewartha's avatar
    jandrewartha
    Copper Contributor

    Any idea when the application permission UserAuthenticationMethod.ReadWrite.All is going to leave private preview?

  • Adm-dosmith's avatar
    Adm-dosmith
    Copper Contributor

    Have there been recent changes to mfa for cloud only users which would now cause outlook to require an app password even with ms 365 apps for business? 

  • Hi jandrewartha1UserAuthenticationMethod.*  Application Permissions are now in Public Preview. I'm updating the doc now, thanks for catching it.

  • gashford's avatar
    gashford
    Copper Contributor

    Hi danielwood95,

     

    You have stated that "Starting February 1, 2021, for synced users who are using public profile numbers for MFA, Microsoft will copy the public number to users’ corresponding authentication number."

     

    Would it be possible to post this code, or at least some snippets that detail the logic?  This would help quite a bit!

     

    Thanks,

    Graham