Two upcoming changes are coming to a tenant near you! Number matching will be enforced, and the legacy SSPR and MFA policies will be deprecated (phased out).
Don’t act too late on either of them. If you need to educate users, you can use these excellent templates from Martin Coetzer’s team.
Enable Number matching
In Microsoft Authenticator, number matching is a significant security improvement over conventional second-factor push approvals.
Starting on February 27, 2023, Microsoft will eliminate the admin controls and require all users to use the number match experience tenant-wide.
You should turn on number matching as soon as possible for increased sign-in security. After February 27, 2023, relevant services will start implementing these modifications, and users will start to notice number matching in approval requests. Some users may receive number matches when services are deployed, while others may not.
Open authentication methods from https://entra.microsoft.com/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AdminAuthMethods
My best guess is that the status will be Microsoft managed after February 27th and you will not be able to select any targets. It will just be enabled and enforced without any possibility of switching it off.
How will it look for the end user?
When you enable number matching, the number is displayed on the Microsoft sign-in page
and you have to enter it in your Authenticator app.
First time number match
Notice that the number will be hidden behind the prompt; just press “I can’t see the number” and it will be displayed briefly.
Then choose “Approve sign-in” from the prompt above to get the number match prompt.
Why the enforcement?
Well, one reason is MFA fatigue attacks.
Multi-factor authentication is an excellent security feature: in the most simplified scenario you need your username and password plus some form of proof that you are really the one signing in to a service.
But if you went where the fence is lowest, or implemented MFA ages ago and didn’t take care of the methods it uses after that, you could be facing the risk of MFA fatigue.
MFA fatigue means that an attacker first phishes your credentials, and once they have them, they sign in to a service of their choosing and bombard you with an endless swarm of MFA requests until you accept one.
Migrate MFA and SSPR policy settings to the Authentication methods
For now, policy settings can be moved at your own pace, and the procedure is completely reversible. While you explicitly specify authentication methods for users and groups in the Authentication methods policy, you can continue to use the tenant-wide MFA and SSPR policies. When you’re ready to manage all authentication methods collectively in the Authentication methods policy, you finish the migration.
See your existing MFA policies from https://account.activedirectory.windowsazure.com/usermanagement/mfasettings.aspx
See which legacy policy setting maps to which Authentication methods policy setting:

| Multifactor authentication policy | Authentication method policy |
| --- | --- |
| Call to phone | Voice calls |
| Text message to phone | SMS |
| Notification through mobile app | Microsoft Authenticator |
| Verification code from mobile app or hardware token | Third-party software OATH tokens; Hardware OATH tokens (not yet available) |
Self-service Password reset (SSPR)
And which SSPR methods map to which:

| SSPR authentication methods | Authentication method policy |
| --- | --- |
| Mobile app notification | Microsoft Authenticator |
| Mobile app code | Microsoft Authenticator; Software OATH tokens |
| Mobile phone | Voice calls |
| Office phone | Voice calls |
| Security questions | Not yet available; copy questions for later use |
Enable Microsoft Authenticator for All users in the Authentication methods policy if Notification through mobile app is enabled in the traditional MFA policy. To enable push notifications or passwordless authentication, set the authentication mode to Any.
Set Allow use of Microsoft Authenticator OTP to Yes if Verification code from mobile app or hardware token is enabled in the traditional MFA policy.
The legacy rules for self-service password reset and multifactor authentication will be phased out in January 2024, and you’ll control all authentication methods here in the authentication methods policy.
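To check where a tenant stands on both changes (the number matching setting above and the migration state of the Authentication methods policy), here is an added read-only audit script; it is not part of the original post and assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in admin can consent to Policy.Read.All, and that the beta endpoint exposes the numberMatchingRequiredState feature setting.

```powershell
# Read-only audit of the Authentication methods policy via Microsoft Graph.
# Assumption: Microsoft.Graph.Authentication module is installed.
Connect-MgGraph -Scopes "Policy.Read.All"

# Assumption: beta endpoint, because numberMatchingRequiredState lives there.
$policy = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy"

# preMigration / migrationInProgress / migrationComplete: how far the legacy
# MFA and SSPR settings have been moved into this policy.
"Policy migration state: $($policy.policyMigrationState)"

# State of every method the legacy policies map onto (see the tables above).
foreach ($cfg in $policy.authenticationMethodConfigurations) {
    "{0,-30} {1}" -f $cfg.id, $cfg.state
}

# Microsoft Authenticator: authentication mode per target, OTP setting and
# the number matching state with its target scope.
$auth = $policy.authenticationMethodConfigurations |
    Where-Object { $_.id -eq 'MicrosoftAuthenticator' }

foreach ($target in $auth.includeTargets) {
    "Authenticator target {0} ({1}): mode = {2}" -f `
        $target.id, $target.targetType, $target.authenticationMode
}
"Authenticator OTP (software OATH) allowed: $($auth.isSoftwareOathEnabled)"

$nm = $auth.featureSettings.numberMatchingRequiredState
if ($null -eq $nm) {
    "Number matching setting not returned; expected once Microsoft manages it tenant-wide."
} else {
    "Number matching: {0} for {1} '{2}'" -f `
        $nm.state, $nm.includeTarget.targetType, $nm.includeTarget.id
}
```

Run it before and after migrating so you can confirm that each legacy setting you relied on has an enabled counterpart in the new policy, and that number matching reports enabled for all users.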
As we discovered in this post, the dates to remember are 27 February 2023 and January 2024: the first for number matching and the second for the phased deprecation of the legacy MFA and SSPR features.
Be prepared for them and educate, educate, test and enable!