What is Microsoft Managed?
With Microsoft Managed settings, admins can trust Microsoft to enable a security feature that they have not explicitly disabled.
If a feature's status is set to Microsoft Managed, Microsoft will enable it at an appropriate time after the preview period ends.
How to change settings
GUI
Go to https://portal.azure.com/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AdminAuthMethods
and click Microsoft Authenticator.
Click Enable and choose Configure.
Under Configure you can see the preview options for managing the different settings:
Require number matching for push notifications (Preview)
Show application name in push and passwordless notifications (Preview)
Show geographic location in push and passwordless notifications (Preview)
Each of these settings has three options (Microsoft Managed, Enabled and Disabled); Microsoft Managed is the default.
Alternatively, you can set them via Microsoft Graph.
API
Microsoft Managed is called Default in API calls.
Property | Type | Description
---|---|---
numberMatchingRequiredState | authenticationMethodFeatureConfiguration | Require number matching for MFA notifications. Value is ignored for phone sign-in notifications.
displayAppInformationRequiredState | authenticationMethodFeatureConfiguration | Determines whether the user is shown the application name in the Microsoft Authenticator notification.
displayLocationInformationRequiredState | authenticationMethodFeatureConfiguration | Determines whether the user is shown geographic location context in the Microsoft Authenticator notification.
In Graph Explorer, ensure you’ve consented to the Policy.Read.All and Policy.ReadWrite.AuthenticationMethod permissions.
Open Graph Explorer.
Enter the following URL in the request field and run the query:
https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator
If the permissions have not been consented to yet, the query returns an error and you have to grant consent first.
Open the consent (Modify permissions) menu and type in the permissions needed.
Select Consent on behalf of your organization for Policy.Read.All,
and do the same for the other required permission, Policy.ReadWrite.AuthenticationMethod.
When you run the query again, the response shows the same settings as the tenant. The state reads Default because Default is the API name for Microsoft Managed.
Microsoft has excellent instructions on how to enable these features via API calls.
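The following is an added example (not code from the post or from Microsoft) showing how to read the GET response from the endpoint above, translate the API's Default state back to the portal's Microsoft Managed label, and build the PATCH body that explicitly sets a feature. It assumes the beta schema nests the three feature states under featureSettings with an includeTarget of all users, and the sample response is constructed, not captured from a tenant.

```python
import json

# Endpoint quoted in the post; the featureSettings nesting below is an assumption
# about the beta schema, not something shown on the page.
ENDPOINT = ("https://graph.microsoft.com/beta/authenticationMethodsPolicy/"
            "authenticationMethodConfigurations/MicrosoftAuthenticator")
FEATURES = ("numberMatchingRequiredState",
            "displayAppInformationRequiredState",
            "displayLocationInformationRequiredState")
# API state value -> label shown in the Azure portal
STATE_LABELS = {"default": "Microsoft Managed", "enabled": "Enabled", "disabled": "Disabled"}


def summarize(config):
    """Map each feature's API state to its portal label (a missing state counts as default)."""
    fs = config.get("featureSettings", {})
    return {name: STATE_LABELS.get(fs.get(name, {}).get("state", "default"), "unknown")
            for name in FEATURES}


def still_microsoft_managed(config):
    """Features whose rollout timing is still left to Microsoft (state 'default')."""
    return [name for name, label in summarize(config).items() if label == "Microsoft Managed"]


def build_patch(states):
    """Body for a PATCH to ENDPOINT that explicitly sets the given features for all users."""
    body = {"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
            "featureSettings": {}}
    for name, state in states.items():
        if name not in FEATURES or state not in STATE_LABELS:
            raise ValueError(f"unknown feature or state: {name}={state}")
        body["featureSettings"][name] = {
            "state": state,
            "includeTarget": {"targetType": "group", "id": "all_users"}}
    return body


# Constructed sample GET response: number matching already enabled, the rest left at default.
SAMPLE_RESPONSE = {
    "id": "MicrosoftAuthenticator", "state": "enabled",
    "featureSettings": {
        "numberMatchingRequiredState": {"state": "enabled",
                                        "includeTarget": {"targetType": "group", "id": "all_users"}},
        "displayAppInformationRequiredState": {"state": "default"},
        "displayLocationInformationRequiredState": {"state": "default"}}}

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_RESPONSE), indent=2))
    patch = build_patch({f: "enabled" for f in still_microsoft_managed(SAMPLE_RESPONSE)})
    print("PATCH", ENDPOINT, json.dumps(patch, indent=2))
```

Running the script lists which of the three features a tenant has not yet pinned explicitly and prints the PATCH body that would enable them for all users.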
And this is what the features look like to end users:
Require number matching for push notifications (Preview)
Show application name in push and passwordless notifications (Preview)
Show geographic location in push and passwordless notifications (Preview)
So now you can control these settings through the Azure portal or with API calls. The default is Microsoft Managed, but you can set each one to Enabled or Disabled.
Nice feature controls to have inside Azure portal.