Additional context in Microsoft Authenticator notifications is now generally available!

Why to use?

Additional context is now out of preview and you really should enable it as soon as possible. It is really, really important that your users understand where they log in from!

Multi-factor authentication is an excellent security feature: in the most simplified scenario you need your username and password plus some form of proof that you are really the one doing the sign-in to a service.

But if you go where the fence is lowest, or implemented MFA ages ago and haven't taken care of the methods it uses since then, you could be facing the risk of MFA fatigue.

MFA fatigue means that an attacker first phishes your credentials, and once they have them, they sign in to a service of their choosing and bombard you with an endless swarm of MFA requests until you accept one.

To make the sign-ins visible to your users, please enable these settings. Then educate your users; it makes the deployment a lot longer, but it's worth it, I promise you.

What is Microsoft Managed?

With Microsoft Managed settings, admins can trust Microsoft to enable a security feature they have not explicitly disabled.

If the feature status is set to Microsoft-managed, it will be enabled by Microsoft at an appropriate time after the preview period.

How to change settings

GUI

Go to https://entra.microsoft.com/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AdminAuthMethods

and click on Microsoft Authenticator.

Click on Enable and choose Configure.

Under Configure you can see the preview options for managing the different settings:

Require number matching for push notifications

Show application name in push and passwordless notifications

Show geographic location in push and passwordless notifications

All the settings have three options, but Microsoft Managed is the default one.

Or you can enable them via Microsoft Graph.

API

Microsoft Managed is called Default in API calls.

Property: numberMatchingRequiredState
Type: authenticationMethodFeatureConfiguration
Description: Require number matching for MFA notifications. Value is ignored for phone sign-in notifications.

Property: displayAppInformationRequiredState
Type: authenticationMethodFeatureConfiguration
Description: Determines whether the user is shown the application name in the Microsoft Authenticator notification.

Property: displayLocationInformationRequiredState
Type: authenticationMethodFeatureConfiguration
Description: Determines whether the user is shown geographic location context in the Microsoft Authenticator notification.

In Graph Explorer, ensure you’ve consented to the Policy.Read.All and Policy.ReadWrite.AuthenticationMethod permissions.

Open Graph Explorer: Graph Explorer | Try Microsoft Graph APIs – Microsoft Graph

Write this URL in the request field: https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator

If you don't have the permissions set, you will get an error and you have to consent.

This opens the consent menu; type in the permissions needed.

Then do the same for the other permission needed.

Enable for all users via Graph

Then you can enable the methods for all users with Microsoft Graph.

When you run the query again, you will get a response with the same settings as inside the tenant. It says Default because that means Microsoft Managed.
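As an added example (not the post's own code), the same change done with Python against the beta Graph endpoint above: build_patch_body() produces the PATCH body that enables all three features for all users, and audit() reads a GET response back and reports Default as Microsoft managed. It assumes the requests package and an access token in the GRAPH_TOKEN environment variable that has Policy.ReadWrite.AuthenticationMethod; the body shape follows the beta microsoftAuthenticatorAuthenticationMethodConfiguration resource, and the sample response is constructed, not captured from a tenant.

```python
import json
import os
POLICY_URL = ("https://graph.microsoft.com/beta/authenticationMethodsPolicy/"
              "authenticationMethodConfigurations/MicrosoftAuthenticator")
# The three feature settings from the post; state "default" is Microsoft managed.
FEATURES = ("numberMatchingRequiredState",
            "displayAppInformationRequiredState",
            "displayLocationInformationRequiredState")
ALL_USERS = {"targetType": "group", "id": "all_users"}
NO_EXCLUSION = {"targetType": "group", "id": "00000000-0000-0000-0000-000000000000"}
# Constructed sample GET response (not captured from a real tenant), for offline use.
SAMPLE_GET_RESPONSE = {"featureSettings": {
    "numberMatchingRequiredState": {"state": "default"},
    "displayAppInformationRequiredState": {"state": "enabled"},
    # displayLocationInformationRequiredState missing: still Microsoft managed
}}

def build_patch_body(state="enabled"):
    """PATCH body that sets all three features to `state` for all users, no exclusions."""
    if state not in ("default", "enabled", "disabled"):
        raise ValueError(f"unknown state: {state}")
    return {
        "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
        "featureSettings": {name: {"state": state, "includeTarget": dict(ALL_USERS),
                                   "excludeTarget": dict(NO_EXCLUSION)} for name in FEATURES},
    }

def audit(config):
    """Map a GET response to {feature: status}, reporting Default as Microsoft managed."""
    settings = config.get("featureSettings") or {}
    result = {}
    for name in FEATURES:
        state = (settings.get(name) or {}).get("state", "default").lower()
        result[name] = "Microsoft managed" if state == "default" else state
    return result

def live_enable(token):
    """Read the policy, PATCH all three features to enabled, read it back (needs `requests`)."""
    import requests  # third-party, only needed for the live call
    hdr = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    before = requests.get(POLICY_URL, headers=hdr, timeout=30)
    before.raise_for_status()
    requests.patch(POLICY_URL, headers=hdr, data=json.dumps(build_patch_body()), timeout=30).raise_for_status()
    after = requests.get(POLICY_URL, headers=hdr, timeout=30)
    after.raise_for_status()
    return audit(before.json()), audit(after.json())

if __name__ == "__main__":
    print(live_enable(os.environ["GRAPH_TOKEN"]))
```

Run audit() on the GET response before patching to see which features are still Microsoft managed in your tenant; the before/after pair returned by live_enable() shows the change.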

Require number matching for push notifications

Show application name in push and passwordless notifications

Show geographic location in push and passwordless notifications

Known issues

Additional context isn’t supported for Network Policy Server (NPS) or Active Directory Federation Services (AD FS).

More information

I wrote about this when it was still in preview and nothing has changed since then!

Or read Microsoft's official documentation.

Author: Harri Jaakkonen
