Microsoft managed Authentication Methods Policy (Preview)

What is Microsoft Managed?

With Microsoft Managed Settings, admins can trust Microsoft to enable a security feature they have not explicitly disabled.

If the feature status is set to Microsoft-managed, it will be enabled by Microsoft at an appropriate time after the preview period.

How to change settings

GUI

Go to address https://portal.azure.com/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AdminAuthMethods

Then click on Microsoft Authenticator.

Click Enable and then choose Configure.

Under configure you can see the preview options to manage different settings

Require number matching for push notifications (Preview)

Show application name in push and passwordless notifications (Preview)

Show geographic location in push and passwordless notifications (Preview)

Each of these settings has three options (Microsoft Managed, Enabled, Disabled), and Microsoft Managed is the default.

Or you can enable them via Microsoft Graph

API

Microsoft Managed is called Default in API calls.

Property: numberMatchingRequiredState
Type: authenticationMethodFeatureConfiguration
Description: Require number matching for MFA notifications. Value is ignored for phone sign-in notifications.

Property: displayAppInformationRequiredState
Type: authenticationMethodFeatureConfiguration
Description: Determines whether the user is shown the application name in the Microsoft Authenticator notification.

Property: displayLocationInformationRequiredState
Type: authenticationMethodFeatureConfiguration
Description: Determines whether the user is shown geographic location context in the Microsoft Authenticator notification.

In Graph Explorer, ensure you’ve consented to the Policy.Read.All and Policy.ReadWrite.AuthenticationMethod permissions.

Open Graph Explorer (Graph Explorer | Try Microsoft Graph APIs – Microsoft Graph).

Enter this URL in the request field: https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator

If you don’t have the permissions set, you will get an error and you have to consent.

This opens the consent menu; type in the permissions needed.

Then select consent on behalf.

Do the same for the other permission needed.

When you run the query again, you get a response showing the same settings as inside the tenant. The value reads Default because, in the API, Default means Microsoft Managed.

Microsoft has excellent instructions on how to enable these features via API calls.
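As an added example (not from the original post and not Microsoft's own code), the script below parses a constructed copy of the GET response for the MicrosoftAuthenticator configuration, reports which of the three feature settings are still at Default (Microsoft Managed), and builds the PATCH body that would set them to enabled explicitly. The featureSettings field names come from the table above; the @odata.type value and the all_users target are assumptions taken from the beta schema, so verify them against the current Microsoft documentation before sending the PATCH.

```python
import json

# Constructed sample of a GET response from
# https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator
# (trimmed to the fields used here; not data from a real tenant).
SAMPLE_RESPONSE = json.dumps({
    "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
    "id": "MicrosoftAuthenticator",
    "state": "enabled",
    "featureSettings": {
        "numberMatchingRequiredState": {"state": "default",
            "includeTarget": {"targetType": "group", "id": "all_users"}},
        "displayAppInformationRequiredState": {"state": "enabled",
            "includeTarget": {"targetType": "group", "id": "all_users"}},
        "displayLocationInformationRequiredState": {"state": "disabled",
            "includeTarget": {"targetType": "group", "id": "all_users"}},
    },
})

FEATURES = (
    "numberMatchingRequiredState",
    "displayAppInformationRequiredState",
    "displayLocationInformationRequiredState",
)


def feature_states(response_json: str) -> dict:
    """Map each feature to its state. 'default' is what the API calls
    Microsoft Managed; a feature absent from the response is reported
    as 'default' too, since nothing has been set explicitly for it."""
    settings = json.loads(response_json).get("featureSettings") or {}
    return {f: (settings.get(f) or {}).get("state", "default") for f in FEATURES}


def microsoft_managed(response_json: str) -> list:
    """Features still left for Microsoft to enable at a time of its choosing."""
    return [f for f, s in feature_states(response_json).items() if s == "default"]


def build_enable_patch(features) -> dict:
    """PATCH body that sets the given features to 'enabled' for all users.
    The @odata.type value and the all_users target are assumptions based on
    the beta schema; check them against the current docs before use."""
    target = {"targetType": "group", "id": "all_users"}
    return {
        "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
        "featureSettings": {f: {"state": "enabled", "includeTarget": dict(target)}
                            for f in features},
    }
```

Run the audit against a real response by pasting the Graph Explorer output in place of SAMPLE_RESPONSE; the PATCH body is what you would send back to the same URL with Policy.ReadWrite.AuthenticationMethod consented.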

And this is what they look like to end-users

Require number matching for push notifications (Preview)

Show application name in push and passwordless notifications (Preview)

Show geographic location in push and passwordless notifications (Preview)

So now you can control these settings through the Azure portal or with API calls. The default is Microsoft Managed, but you can set each one to Disabled or Enabled.

Nice feature controls to have inside Azure portal.

Author: Harri Jaakkonen
