Today, a quick tip that I’d like to share with you. While scrolling through Twitter, I noticed this tweet, and I asked Nathan if I could write this down for everybody to read. So, thanks Nathan for pointing this out. Good catch!

How to enable this

To start off: this “feature” is not officially supported, so don’t enable it in your production tenant. When you enable it, users will be prompted for Code Match with Azure MFA and Phone Sign-in using the Authenticator app. It can only be set through the (beta) Graph API; there is no portal switch for it.

Go to https://aka.ms/ge (Graph Explorer), make sure you are signed in with an account that has the permissions needed to change the tenant’s authentication method policies, and run the following query:

GET https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator

Now grab the response and copy it into the request body. Your body might look like this:

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",
    "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
    "id": "MicrosoftAuthenticator",
    "state": "enabled",
    "includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
    "includeTargets": [
        {
            "targetType": "group",
            "id": "all_users",
            "isRegistrationRequired": false,
            "authenticationMode": "any",
            "outlookMobileAllowedState": "default",
            "displayAppInformationRequiredState": "default",
            "numberMatchingRequiredState": "default"
        }
    ]
}

Change the value of numberMatchingRequiredState from default to enabled, switch the method to PATCH, and run the request against the same URL to update the policy. This enables Code Match for Azure MFA. Note that the setting lives on the include target with id all_users, so it applies to everyone in the tenant.

If your response also contains displayLocationInformationRequiredState (it is not present in the example body above), you can set that to enabled as well, to show location and app information on the MFA and sign-in prompts.

displayLocationInformationRequiredState enabled
numberMatchingRequiredState enabled
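The same GET / edit / PATCH round trip, scripted, as an added example that is not part of the original post. It mirrors the steps above exactly: fetch the policy, flip numberMatchingRequiredState (and optionally displayLocationInformationRequiredState) to enabled on every include target, PATCH the edited object back to the same URL, and then GET it again to confirm the change actually stuck. The bearer token is assumed to be obtained elsewhere (for example from Graph Explorer’s access token tab or an Azure AD app); the sample policy embedded in the script is constructed from the response body shown above so the pure functions can be run offline.

```python
import copy
import json
import urllib.request

# Same beta endpoint the post queries; PATCH goes to the same URL as GET.
POLICY_URL = (
    "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy"
    "/authenticationMethodConfigurations/microsoftAuthenticator"
)

# Constructed sample, trimmed from the GET response shown in the post.
SAMPLE_POLICY = {
    "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
    "id": "MicrosoftAuthenticator",
    "state": "enabled",
    "includeTargets": [
        {
            "targetType": "group",
            "id": "all_users",
            "isRegistrationRequired": False,
            "authenticationMode": "any",
            "outlookMobileAllowedState": "default",
            "displayAppInformationRequiredState": "default",
            "numberMatchingRequiredState": "default",
        }
    ],
}


def build_patch_body(policy, enable_location=False):
    """Return a copy of the GET response with numberMatchingRequiredState set to
    "enabled" on every include target. With enable_location=True the location
    setting from the post is flipped too. The input is left untouched."""
    body = copy.deepcopy(policy)
    for target in body.get("includeTargets", []):
        target["numberMatchingRequiredState"] = "enabled"
        if enable_location:
            target["displayLocationInformationRequiredState"] = "enabled"
    return body


def verify_policy(policy, expect_location=False):
    """True only if every include target carries the expected settings.
    Run this against a fresh GET after the PATCH; Graph returning 204 on the
    PATCH alone does not prove the value is what you think it is."""
    targets = policy.get("includeTargets", [])
    if not targets:
        return False
    for target in targets:
        if target.get("numberMatchingRequiredState") != "enabled":
            return False
        if expect_location and target.get("displayLocationInformationRequiredState") != "enabled":
            return False
    return True


def graph_request(method, token, body=None):
    """Minimal Graph call with a bearer token (assumption: you already have one
    with rights to edit authentication method policies). PATCH normally answers
    204 with an empty body, so only parse JSON when there is something to parse."""
    data = json.dumps(body).encode() if body is not None else None
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    if data is not None:
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(POLICY_URL, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def enable_number_match(token, enable_location=False):
    """GET -> edit -> PATCH -> GET again, raising if the tenant did not take the change."""
    current = graph_request("GET", token)
    graph_request("PATCH", token, build_patch_body(current, enable_location))
    updated = graph_request("GET", token)
    if not verify_policy(updated, enable_location):
        raise RuntimeError("numberMatchingRequiredState was not applied; check the GET response")
    return updated


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in a real token to run it for real.
    print(json.dumps(build_patch_body(SAMPLE_POLICY, enable_location=True), indent=2))
```

The whole object is sent back, as the post does, rather than a minimal body; the only edit is the two state values. Because the target is all_users, one successful PATCH changes the prompt for every user in the tenant, which is exactly why the warning at the top about production tenants matters.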

That’s it for today. Cool right?
