This blog will be about some nice new additions to the MFA authenticator app. I just love the required-number part, and now we can combine it with some nice location information.

I will divide this blog into multiple parts

  1. Introduction to MFA
  2. The 2 things that are(were) missing
  3. Details about what we are going to change
  4. Automating it!
  5. The PowerShell Script
  6. Results

I guess everyone now has MFA enabled for all their users, right? But why not step it up a notch? A far better option is to enable the Passwordless option, as shown in this (older) blog:

I enabled that option immediately; luckily this option is now also available for outlook.com / Microsoft accounts.

But on first use, I had the feeling it was missing something: some more details about the location I was logging in from, and a more secure way to acknowledge the number instead of just approving it!

Let me explain some more. In the past, when you received this MFA number question, you only needed to click on the right one and nothing more… as shown below:

*Source: Sign in without a password with the Microsoft Authenticator app – Azure Active Directory | Microsoft Docs

So I am missing some things, let me explain them some more.

The First one:

Like I told you in the introduction, I am/was missing some security. Wouldn’t it be better if, when getting the MFA prompt, you had to enter the number manually instead of just selecting one of the 3 options you get? Because it doesn’t take much thinking when you just click on the number and approve…

The Second one:

Sometimes you could get bothered by a ghost MFA prompt. When an employee receives an MFA prompt he wasn’t expecting, he normally has to contact the IT department to check it. So wouldn’t it be better for the end-user if he could get some more information about the MFA prompt itself, instead of needing to contact the IT department to check it out?

So let’s take a look at how we could make sure these 2 are going to be taken care of.

Before showing you the script we need to take a look at some details first. To enable that great possibility to require matching numbers, and the possibility to show the user some more information, we would use the Azure Authentication Methods menu blade, right?

But unfortunately, these 2 options aren’t available in the MFA portal yet.

https://portal.azure.com/#blade/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/AdminAuthMethods

A little (maybe big) warning!! Of course, these options are still in preview and not (yet) to be used in production! So please beware.

But let’s skip that warning and go ahead. We need to check out the default settings first, with Graph. We need to use Graph to do so because the settings aren’t available in the Azure portal, as I showed above. Let’s take a look at the default settings first.

You will find these settings at the Graph URI:

https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator

"displayAppInformationRequiredState": "default",

"numberMatchingRequiredState": "default"

So both of these settings are configured to "default", which I guess just means off 🙂

Of course, we can do it with Graph Explorer, but why not add it to your tenant enrollment script when it is no longer in preview.

Prerequisites: you will need to have created an app registration with the right API permissions. So please add them first.


Click on Microsoft Graph and Application Permissions


Search for Policy.ReadWrite.AuthenticationMethod and add it.

When the required permission is added, don’t forget to grant admin consent.

Now fire up a PowerShell script and copy-paste this content into it to change those values. Of course, you need to change the details of the app to your own app.

#configure APP Details here. Get-MsalToken comes from the MSAL.PS module.
Import-Module MSAL.PS

$clientid = "*"
$secret = "*"
$tenantid = "*"

#get the token (client credentials flow, application permissions)
$token = Get-MsalToken -ClientId $clientid -ClientSecret (ConvertTo-SecureString $secret -AsPlainText -Force) -TenantId $tenantid -Scope 'https://graph.microsoft.com/.default'
$headers1b = @{
    'Content-Type'  = 'application/json'
    'Authorization' = "Bearer " + $token.AccessToken
}

$apiurl = "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator"

#PATCH body: the configuration as returned by GET, with both preview settings set to "enabled"
$data = @'
{"@odata.context":"https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity","@odata.type":"#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration","id":"MicrosoftAuthenticator","state":"enabled","includeTargets@odata.context":"https://graph.microsoft.com/beta/$metadata#policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets","includeTargets":[{"targetType":"group","id":"all_users","isRegistrationRequired":false,"authenticationMode":"any","outlookMobileAllowedState":"default","displayAppInformationRequiredState":"enabled","numberMatchingRequiredState":"enabled"}]}
'@

#PATCH the policy; the response goes into its own variable ($data and $Data are the same variable in PowerShell)
$response = Invoke-RestMethod -Headers $headers1b -Uri $apiurl -Body $data -Method Patch -ContentType 'application/json'
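As an added example (not part of the original post, and not the author's script): a PowerShell version that first reads the current values back from the same Graph URI that we used to look at the defaults, only sends the PATCH when one of the two states is not yet "enabled", and then reads the policy again to confirm the change took. It assumes the MSAL.PS module and the app registration with Policy.ReadWrite.AuthenticationMethod described above; the client ID and tenant ID are placeholders.

```powershell
# Added example, not from the original post; assumes MSAL.PS and an app registration
# with Policy.ReadWrite.AuthenticationMethod. The two IDs are placeholders.
Import-Module MSAL.PS
$clientId = '<your-app-client-id>'
$tenantId = '<your-tenant-id>'
$secret   = Read-Host -Prompt 'Client secret' -AsSecureString   # keep it out of the script
$token    = Get-MsalToken -ClientId $clientId -ClientSecret $secret -TenantId $tenantId `
                          -Scope 'https://graph.microsoft.com/.default'
$headers  = @{ Authorization = "Bearer $($token.AccessToken)" }
$uri      = 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator'

function Get-AuthenticatorTargets {
    # Each includeTarget (e.g. all_users) carries the two preview states.
    (Invoke-RestMethod -Uri $uri -Headers $headers -Method Get).includeTargets
}
function Get-TargetsNotEnabled($targets) {
    $targets | Where-Object { $_.numberMatchingRequiredState -ne 'enabled' -or
                              $_.displayAppInformationRequiredState -ne 'enabled' }
}

$before = Get-AuthenticatorTargets
$before | Format-Table id, numberMatchingRequiredState, displayAppInformationRequiredState
if (-not (Get-TargetsNotEnabled $before)) {
    Write-Host 'Both settings already enabled for every target; nothing to do.'; return
}

# PATCH replaces the includeTargets collection as a whole, so send every existing
# target back unchanged except for the two states we want set to "enabled".
$targets = foreach ($t in $before) {
    @{
        targetType                         = $t.targetType
        id                                 = $t.id
        isRegistrationRequired             = $t.isRegistrationRequired
        authenticationMode                 = $t.authenticationMode
        numberMatchingRequiredState        = 'enabled'
        displayAppInformationRequiredState = 'enabled'
    }
}
$body = @{
    '@odata.type'  = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration'
    includeTargets = @($targets)
} | ConvertTo-Json -Depth 5
Invoke-RestMethod -Uri $uri -Headers $headers -Method Patch -Body $body -ContentType 'application/json' | Out-Null

# Read the policy back: any state still not "enabled" means the change did not take.
$stillOff = Get-TargetsNotEnabled (Get-AuthenticatorTargets)
if ($stillOff) { Write-Warning "Not enabled after PATCH: $($stillOff.id -join ', ')" }
else           { Write-Host 'Verified: number matching and app information are enabled.' }
```

The read-back at the end is the part worth keeping in a tenant enrollment script: a PATCH that returns 200 but leaves a state at "default" is easy to miss otherwise.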

numberMatchingRequiredState

So this is how it looks when you have configured the numberMatchingRequiredState value to enabled, so that you need to enter the number instead of just approving it!

displayAppInformationRequiredState

Of course, not to forget the displayAppInformationRequiredState: let’s take a look at how wonderful that one looks, combined with the required-number adjustment.

And yes for the people looking at the details… my battery is draining very very fast.

I did love the MFA authenticator already, but with these kinds of improvements, I guess I am deeply in love with it! I can’t wait to enable them in all the production environments when it’s out of preview!

So Wakan…. ehhh…. MFA authenticator FOREVER!


When posting this blog it was Sunday… so if you do want to do some more Sunday reading, here are some nice ones for you!
