Why use it?
Additional context is now out of preview and you really should enable it as soon as possible; it is really important that your users understand where they sign in from!
Multi-factor authentication is an excellent security feature. In the most simplified scenario you need your username and password plus some form of proof that you are really the one doing the sign-in to a service.
But if you go where the fence is lowest, or implemented MFA ages ago and didn't take care of the methods it uses after that, you could be facing the risk of MFA fatigue.
MFA fatigue means that an attacker first phishes your credentials, then signs in to a service of their choosing and bombards you with an endless swarm of MFA requests until you accept one.
To make sign-ins visible to your users, please enable these settings. Then educate your users; it makes the deployment take a lot longer, but it's worth it, I promise you.
What is Microsoft Managed?
With Microsoft Managed settings, admins can trust Microsoft to enable a security feature that they have not explicitly disabled.
If the feature status is set to Microsoft-managed, it will be enabled by Microsoft at an appropriate time after the preview period.
How to change settings
GUI
Go to the address https://entra.microsoft.com/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AdminAuthMethods
and click on Microsoft Authenticator.
Click on Enable and choose Configure.
Under Configure you can see the (preview) options to manage the different settings:
Require number matching for push notifications
Show application name in push and passwordless notifications
Show geographic location in push and passwordless notifications
All the settings have three options, but Microsoft Managed is the default one.
Or you can enable them via Microsoft Graph.
API
In API calls, Microsoft Managed is called `default`.
| Property | Type | Description |
|---|---|---|
| numberMatchingRequiredState | authenticationMethodFeatureConfiguration | Require number matching for MFA notifications. Value is ignored for phone sign-in notifications. |
| displayAppInformationRequiredState | authenticationMethodFeatureConfiguration | Determines whether the user is shown the application name in the Microsoft Authenticator notification. |
| displayLocationInformationRequiredState | authenticationMethodFeatureConfiguration | Determines whether the user is shown geographic location context in the Microsoft Authenticator notification. |
In Graph Explorer, ensure you’ve consented to the Policy.Read.All and Policy.ReadWrite.AuthenticationMethod permissions.
Open Graph Explorer (Graph Explorer | Try Microsoft Graph APIs – Microsoft Graph).
Enter this URL in the request field: https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator
If you don't have the permissions set, you will get an error and you have to consent.
It will open the consent menu; type in the permissions needed.
Do the same for the other permission needed.
Enable for all users via Graph
Then you can enable the methods for all users with Microsoft Graph.
Retrieve your existing policy via a GET. Use the response body to create the request body, then update it to look like the request body shown below (the post's original body had a trailing comma after `"authenticationMode": "any"`, which is not valid JSON and has been removed). Change the query to PATCH and run it.

```json
{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",
  "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
  "id": "MicrosoftAuthenticator",
  "state": "enabled",
  "featureSettings": {
    "displayAppInformationRequiredState": {
      "state": "enabled",
      "includeTarget": { "targetType": "group", "id": "all_users" },
      "excludeTarget": { "targetType": "group", "id": "00000000-0000-0000-0000-000000000000" }
    },
    "displayLocationInformationRequiredState": {
      "state": "enabled",
      "includeTarget": { "targetType": "group", "id": "all_users" },
      "excludeTarget": { "targetType": "group", "id": "00000000-0000-0000-0000-000000000000" }
    }
  },
  "includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
  "includeTargets": [
    {
      "targetType": "group",
      "id": "all_users",
      "isRegistrationRequired": false,
      "authenticationMode": "any"
    }
  ]
}
```
When you run the GET query again, you will get a response showing the same settings as inside the tenant. Where a state says `default`, that means Microsoft Managed.
Require number matching for push notifications
Show application name in push and passwordless notifications
Show geographic location in push and passwordless notifications
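As an added example (not code from the original post), here is a small Python helper that audits a policy object for feature settings still in the `default` (Microsoft managed) state and builds the PATCH body that enables them for all users; it goes beyond the body above by also enabling numberMatchingRequiredState, and SAMPLE_POLICY is a constructed sample shaped like the GET response, so it runs offline.

```python
"""Audit a Microsoft Authenticator policy for feature settings still in the
'default' (Microsoft managed) state and build the PATCH body that enables them
for all users. Added example, not from the original post; SAMPLE_POLICY is a
constructed stand-in for the GET response from the beta endpoint."""
import json
from copy import deepcopy

# The three feature settings the post covers; "default" means Microsoft managed.
FEATURES = (
    "numberMatchingRequiredState",
    "displayAppInformationRequiredState",
    "displayLocationInformationRequiredState",
)
ALL_USERS = {"targetType": "group", "id": "all_users"}
NO_EXCLUDE = {"targetType": "group", "id": "00000000-0000-0000-0000-000000000000"}

# Constructed sample of a GET response in which nothing has been explicitly set.
SAMPLE_POLICY = {
    "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
    "id": "MicrosoftAuthenticator",
    "state": "enabled",
    "featureSettings": {
        name: {"state": "default", "includeTarget": dict(ALL_USERS),
               "excludeTarget": dict(NO_EXCLUDE)}
        for name in FEATURES
    },
    "includeTargets": [{"targetType": "group", "id": "all_users",
                        "isRegistrationRequired": False, "authenticationMode": "any"}],
}

def not_explicitly_enabled(policy):
    """Feature names whose state is anything other than 'enabled' (e.g. 'default')."""
    settings = policy.get("featureSettings", {})
    return [n for n in FEATURES if settings.get(n, {}).get("state") != "enabled"]

def build_patch_body(policy):
    """Copy the GET response and force every feature to 'enabled' for all users,
    mirroring the request body in the post; everything else is left unchanged."""
    body = deepcopy(policy)
    for name in FEATURES:
        body.setdefault("featureSettings", {})[name] = {
            "state": "enabled", "includeTarget": dict(ALL_USERS),
            "excludeTarget": dict(NO_EXCLUDE)}
    return body

if __name__ == "__main__":
    print("Still not enabled:", not_explicitly_enabled(SAMPLE_POLICY))
    print(json.dumps(build_patch_body(SAMPLE_POLICY), indent=2))
```

Feed the real GET response to `not_explicitly_enabled` to see which settings are still left to Microsoft, and send the output of `build_patch_body` as the PATCH body.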
Known issues
Additional context isn’t supported for Network Policy Server (NPS) or Active Directory Federation Services (AD FS).
More information
I wrote about this when it was still in preview and nothing has changed since then!
Or see Microsoft's official documentation.