Postponed timeline for Number matching

First the good news. Well, maybe not good security-wise, but at least you still have time to educate and enable before it is enforced.

Number matching enforcement is still on the horizon. SSPR and legacy MFA policies will also be deprecated (in phases).

Don’t act too late on either of them. If you need to educate users, you can use the excellent templates from Martin Coetzer’s team.

Enable Number matching

In Microsoft Authenticator, number matching represents a significant security improvement over conventional second factor alerts.

Starting on 8th of May 2023, Microsoft will remove the admin controls and require all users to use the number match experience tenant-wide.
You should turn on number matching as soon as possible for increased sign-in security. After 8th of May 2023, the relevant services will start implementing these modifications, and users will start to see number matching in approval requests. Some users may receive number matches while services are being rolled out, while others may not yet.

Open authentication methods from https://entra.microsoft.com/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AdminAuthMethods

My best guess is that the status will be Microsoft managed after enforcement and you will not be able to select any targets. It will just be enabled and enforced without any possibility of switching it off.

How will it look for the end user?

When you enable number matching, the number is displayed in the Microsoft sign-in page,

and you have to enter it in your Authenticator app.

First time number match

With Teams

Notice that the number will be hidden behind the prompt; just press “I can’t see the number” and it will be briefly displayed.

With browser

And choose “Approve sign-in” from above to get the prompt.

Why the enforcement?

Well, one reason is MFA fatigue attacks.

Multi-factor authentication is an excellent security feature: in the most simplified scenario you need your username and password plus some form of proof that you are really the one signing in to a service.

But if you go where the fence is lowest, or implemented MFA ages ago and didn’t take care of the methods it uses after that, you could be facing the risk of MFA fatigue.

MFA fatigue means that an attacker first phishes your credentials, and once they have them, they sign in to a service of their choosing and bombard you with an endless swarm of MFA requests until you accept one.
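The pattern described above leaves a trace in the sign-in log: a burst of failed strong-authentication requests for one user, often from one source IP, sometimes followed by a success. The following is an added detection example (not code from the original post); it assumes the field names of Microsoft Graph `auditLogs/signIns` records (`userPrincipalName`, `ipAddress`, `createdDateTime`, `status.errorCode`, `status.additionalDetails`), and the sample records are constructed for illustration.

```python
"""Flag MFA-fatigue (push bombing) bursts in Entra ID sign-in log records."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Error code Entra ID reports for "Authentication failed during strong
# authentication request"; additionalDetails says why (declined, no response).
MFA_FAILED = 500121


def _ts(offset_sec):
    """Constructed timestamp helper: fixed base time plus an offset."""
    base = datetime(2023, 4, 20, 8, 0, 0, tzinfo=timezone.utc)
    return (base + timedelta(seconds=offset_sec)).isoformat().replace("+00:00", "Z")


# Constructed sample: alice gets eight unanswered pushes in ~2.5 minutes from
# one IP and then an approval; bob has a single declined prompt.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.7",
     "createdDateTime": _ts(20 * i),
     "status": {"errorCode": MFA_FAILED,
                "additionalDetails": "MFA denied; user did not respond to mobile app notification"}}
    for i in range(8)
] + [
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.7",
     "createdDateTime": _ts(200),
     "status": {"errorCode": 0, "additionalDetails": "MFA completed in Azure AD"}},
    {"userPrincipalName": "bob@contoso.example", "ipAddress": "198.51.100.3",
     "createdDateTime": _ts(0),
     "status": {"errorCode": MFA_FAILED,
                "additionalDetails": "MFA denied; user declined the authentication"}},
]


def parse_time(value):
    """Parse the ISO 8601 'Z' timestamps used by the sign-in log."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_push_bombing(records, window=timedelta(minutes=10), threshold=5):
    """Return {upn: summary} for users with >= threshold failed MFA prompts
    inside a sliding window, noting whether an approval followed the burst."""
    by_user = defaultdict(list)
    for record in records:
        by_user[record["userPrincipalName"]].append(record)

    findings = {}
    for upn, events in by_user.items():
        events.sort(key=lambda r: parse_time(r["createdDateTime"]))
        failures = [e for e in events if e["status"]["errorCode"] == MFA_FAILED]
        start = 0
        for end in range(len(failures)):
            # Advance the window start until the burst fits inside `window`.
            while (parse_time(failures[end]["createdDateTime"])
                   - parse_time(failures[start]["createdDateTime"])) > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                burst_start = parse_time(failures[start]["createdDateTime"])
                approved_after = any(
                    e["status"]["errorCode"] == 0
                    and parse_time(e["createdDateTime"]) >= burst_start
                    for e in events)
                # Later iterations overwrite with the larger burst count.
                findings[upn] = {
                    "failed_prompts": count,
                    "source_ips": sorted({f["ipAddress"] for f in failures[start:end + 1]}),
                    "approved_after_burst": approved_after,
                }
    return findings


if __name__ == "__main__":
    for upn, summary in detect_push_bombing(SAMPLE_SIGNINS).items():
        print(upn, summary)
```

A burst that ends with an approval is the case to escalate first: it is the exact outcome number matching is designed to prevent, because the user cannot approve a prompt they did not initiate without the number from the attacker's screen.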

Migrate MFA and SSPR policy settings to the Authentication methods

For now, policy settings can be moved at your own pace, and the procedure is completely reversible. While you explicitly specify authentication methods for users and groups in the Authentication methods policy, you can continue to use the tenant-wide MFA and SSPR policies. When you’re ready to manage all authentication methods collectively in the Authentication methods policy, you finish the migration.

Legacy MFA

See your existing MFA policies from https://account.activedirectory.windowsazure.com/usermanagement/mfasettings.aspx

See which legacy MFA setting corresponds to which Authentication methods policy setting:

Multifactor authentication policy | Authentication method policy
Call to phone | Voice calls
Text message to phone | SMS
Notification through mobile app | Microsoft Authenticator
Verification code from mobile app or hardware token | Third party software OATH tokens; Hardware OATH tokens (not yet available); Microsoft Authenticator

Self-service Password reset (SSPR)

Set Authentication methods from https://entra.microsoft.com/#view/Microsoft_AAD_IAM/PasswordResetMenuBlade/~/AuthenticationMethods

And which SSPR methods correspond to which:

SSPR authentication methods | Authentication method policy
Mobile app notification | Microsoft Authenticator
Mobile app code | Microsoft Authenticator; Software OATH tokens
Email | Email OTP
Mobile phone | Voice calls; SMS
Office phone | Voice calls
Security questions | Not yet available; copy questions for later use

Enable Microsoft Authenticator for All users in the Authentication methods policy if Notification through mobile app is enabled in the legacy MFA policy. To enable push notifications or passwordless authentication, set the authentication mode to Any.

Set Allow usage of Microsoft Authenticator OTP to Yes if Verification code from mobile app or hardware token is enabled in the legacy MFA policy.
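The two tasks on this page, enabling number matching and carrying the legacy MFA settings over to the Authentication methods policy, can both be done through Microsoft Graph instead of the portal. The following added example (not from the original post or from Microsoft) assumes the Graph beta JSON shape of `policies/authenticationMethodsPolicy/authenticationMethodConfigurations` (`state`, `includeTargets`, `isSoftwareOathEnabled`, `featureSettings.numberMatchingRequiredState`) and the mapping table above; `LEGACY_MFA` and `SAMPLE_CONFIG` are constructed, and the function names are hypothetical. It builds the PATCH bodies and classifies a fetched Authenticator configuration, so the same code doubles as an audit check.

```python
"""Plan the legacy MFA -> Authentication methods policy move and audit
number matching (Graph beta schema assumed; sample data constructed)."""

# Constructed snapshot of the four legacy per-user MFA service settings.
LEGACY_MFA = {
    "Call to phone": True,
    "Text message to phone": False,
    "Notification through mobile app": True,
    "Verification code from mobile app or hardware token": True,
}

# Legacy option -> authenticationMethodConfiguration ids (the page's mapping
# table; hardware OATH tokens are "not yet available", so they are left out).
LEGACY_TO_METHOD_IDS = {
    "Call to phone": ["Voice"],
    "Text message to phone": ["Sms"],
    "Notification through mobile app": ["MicrosoftAuthenticator"],
    "Verification code from mobile app or hardware token": ["SoftwareOath", "MicrosoftAuthenticator"],
}

ALL_USERS = {"targetType": "group", "id": "all_users"}
NO_GROUP = "00000000-0000-0000-0000-000000000000"  # Graph's "no excluded group" id


def plan_method_policy(legacy):
    """Return {configuration id: PATCH body} for each legacy option that is on.

    Each body is sent to
    PATCH https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/<id>
    """
    bodies = {}
    for option, enabled in legacy.items():
        if not enabled:
            continue
        for method_id in LEGACY_TO_METHOD_IDS[option]:
            body = bodies.setdefault(method_id, {
                "state": "enabled",
                "includeTargets": [dict(ALL_USERS, isRegistrationRequired=False)],
            })
            if method_id == "MicrosoftAuthenticator":
                # "any" covers push notifications and passwordless phone sign-in.
                body["includeTargets"][0]["authenticationMode"] = "any"
                if option.startswith("Verification code"):
                    # Legacy "Verification code" -> "Allow usage of Microsoft Authenticator OTP".
                    body["isSoftwareOathEnabled"] = True
    return bodies


def number_matching_body():
    """PATCH body that enables number matching for all users."""
    return {
        "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
        "featureSettings": {
            "numberMatchingRequiredState": {"state": "enabled", "includeTarget": dict(ALL_USERS)}
        },
    }


def audit_number_matching(config):
    """Classify a MicrosoftAuthenticator configuration fetched with GET.

    'enforced'          enabled for all_users with no excluded group
    'microsoft_managed' feature state 'default': Microsoft decides
    'partial'           enabled but scoped to a group or with an exclusion
    'off'               method or feature disabled
    """
    if config.get("state") != "enabled":
        return "off"
    feature = config.get("featureSettings", {}).get("numberMatchingRequiredState", {})
    state = feature.get("state", "default")
    if state == "default":
        return "microsoft_managed"
    if state != "enabled":
        return "off"
    include = feature.get("includeTarget", {}).get("id")
    exclude = feature.get("excludeTarget", {}).get("id", NO_GROUP)
    return "enforced" if include == "all_users" and exclude == NO_GROUP else "partial"


# Constructed GET response used to exercise the audit.
SAMPLE_CONFIG = {
    "id": "MicrosoftAuthenticator",
    "state": "enabled",
    "isSoftwareOathEnabled": True,
    "featureSettings": {
        "numberMatchingRequiredState": {
            "state": "enabled",
            "includeTarget": {"targetType": "group", "id": "all_users"},
            "excludeTarget": {"targetType": "group", "id": NO_GROUP},
        }
    },
    "includeTargets": [{"targetType": "group", "id": "all_users",
                        "isRegistrationRequired": False, "authenticationMode": "any"}],
}

if __name__ == "__main__":
    import json
    print(json.dumps(plan_method_policy(LEGACY_MFA), indent=2))
    print(json.dumps(number_matching_body(), indent=2))
    print(audit_number_matching(SAMPLE_CONFIG))
```

Run the audit against every tenant you manage before the enforcement date: a result of `microsoft_managed` is the state the page expects after enforcement, while `partial` means some group is still excluded and will keep receiving plain approve/deny prompts until Microsoft overrides the setting.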

Manage migration

The legacy policies for self-service password reset and multifactor authentication will be phased out in January 2024, after which you will control all authentication methods here in the Authentication methods policy.

Closure

As we discovered in this post, the dates to remember are 8th of May 2023 and January 2024: the first for number matching and the second for the phased deprecation of legacy MFA and SSPR features.

Be prepared for them and educate, educate, test and enable!

Author: Harri Jaakkonen
