How to Enable Additional Context for Microsoft Authenticator MFA Notifications

Strong MFA settings are an important way to boost your organization's security posture. In this guide, we'll show you how to enable additional context to show up on all MFA notifications.

Patrick Londa, Author
Oct 27, 2022 • 5 min read

Just last month, a multi-factor authentication (MFA) fatigue attack on Uber left everyone reeling. It’s the type of attack where an attacker repeatedly spams an employee’s authenticator app with push notifications asking them to approve a sign-in, hoping that one of them is eventually approved by mistake.

While every attack is different, there are some MFA security basics that your organization can enable to make your MFA posture harder to exploit.

We recently wrote about the best practice of enabling number matching for MFA.

In this guide, we’re going to discuss enabling additional context on Microsoft Authenticator notifications and walk through the steps.


Adding Additional Context for Multi-factor Authentication

When an employee receives an MFA notification, what information can they see about that request? That depends on your settings.

By enabling additional context for Microsoft Authenticator notifications, two extra pieces of information are shown in the Microsoft Authenticator app for every approval request.

First, the app shows the name of the application that is requesting sign-in approval. Second, it shows the approximate geographic location of the request, derived from the IP address of the sign-in attempt.

Together, these help the user check who is signing in, which application they are signing in to, and where the request is coming from, which can stop an employee from accidentally approving a malicious MFA request they did not initiate.

How to Enable Additional Context for MFA Requests

You can add additional context for MFA requests by adjusting settings either in the Azure Portal or by changing the policy schema directly.

Using the Azure Portal:

You can enable additional context on MFA requests with a few steps in the Azure Portal. The screenshots below are from Azure documentation:

1. Navigate to the Azure AD Portal.

2. Click Security, then Authentication methods, then Microsoft Authenticator.

3. Go to the Basics tab. Under Enable, select Yes.

[Screenshot: Basics tab of the Microsoft Authenticator settings]

4. To apply this change to all users, select All users and then choose Any for Authentication mode.

[Screenshot: MFA authentication mode]

5. Go to the Configure tab. You’ll see a section called “Show application name in push and passwordless notifications”. Select Enabled for Status, and All users for the target group.

[Screenshot: Application name for MFA notifications]

6. You can do the same steps for the section titled “Show geographic location in push and passwordless notifications”.

[Screenshot: Geographic location for MFA notifications]

7. You can click Save to apply these changes to everyone with Microsoft Authenticator enabled. You can also include or exclude groups if it makes sense.

Using Updates to the Policy Schema:

You can also enable additional context by making updates to the policy schema. This method allows you to create and define custom policies to respond to sign-in events.

One prerequisite for this method is that you are using the new policy schema for Microsoft Graph APIs.

To enable the application name and geographic location for MFA notifications, you can use the following API endpoint:

  • https://graph.microsoft.com/v1.0/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator

Under the featureSettings section, you’ll need to change the state to enabled for:

  • displayAppInformationRequiredState
  • displayLocationInformationRequiredState

Here are the steps:

1. First, to ensure that you aren’t overwriting anything unintentionally, you should retrieve your current policy schema with a GET request:

GET https://graph.microsoft.com/v1.0/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator

2. Next, edit the response body: set the state to enabled and specify the target groups for both displayAppInformationRequiredState and displayLocationInformationRequiredState. In the example below, these changes are applied to all users enabled for Microsoft Authenticator; users not enabled for the method won’t see these features. You can narrow the targeting to specific groups by using includeTarget and excludeTarget with group ids.

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#authenticationMethodConfigurations/$entity",
    "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
    "id": "MicrosoftAuthenticator",
    "state": "enabled",
    "featureSettings": {
        "displayAppInformationRequiredState": {
            "state": "enabled",
            "includeTarget": {
                "targetType": "group",
                "id": "all_users"
            },
            "excludeTarget": {
                "targetType": "group",
                "id": "00000000-0000-0000-0000-000000000000"
            }
        },
        "displayLocationInformationRequiredState": {
            "state": "enabled",
            "includeTarget": {
                "targetType": "group",
                "id": "all_users"
            },
            "excludeTarget": {
                "targetType": "group",
                "id": "00000000-0000-0000-0000-000000000000"
            }
        }
    },
    "includeTargets@odata.context": "https://graph.microsoft.com/v1.0/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
    "includeTargets": [
        {
            "targetType": "group",
            "id": "all_users",
            "isRegistrationRequired": false,
            "authenticationMode": "any"
        }
    ]
}

3. With your updated schema as the request body, send a PATCH request to the same endpoint.

4. To verify that your configurations have been applied correctly, run the same GET step to see the current schema.
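As an added example (not the guide’s or Microsoft’s own code), the four steps above in Python using only the standard library: the PATCH body is derived from the GET response so that other featureSettings are preserved, and the same compliance check is reused for verification after the PATCH. Token acquisition, the permission held by the token, and the constructed sample response are assumptions; no network call runs at import time.

```python
import copy
import json
import urllib.request
ENDPOINT = "https://graph.microsoft.com/v1.0/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator"
FEATURES = ("displayAppInformationRequiredState", "displayLocationInformationRequiredState")
NO_EXCLUSION = "00000000-0000-0000-0000-000000000000"  # null GUID = exclude nobody, as in the guide

def missing_context(config):
    """Features in a GET response whose state is not 'enabled' ([] means compliant)."""
    fs = config.get("featureSettings", {})
    return [n for n in FEATURES if fs.get(n, {}).get("state") != "enabled"]

def build_patch_body(current, include_group="all_users", exclude_group=NO_EXCLUSION):
    """Derive the PATCH body from the GET response: enable both features, keep every
    other featureSetting as it was, and send no read-only @odata.context fields."""
    feature_settings = copy.deepcopy(current.get("featureSettings", {}))
    for name in FEATURES:
        feature_settings[name] = {
            "state": "enabled",
            "includeTarget": {"targetType": "group", "id": include_group},
            "excludeTarget": {"targetType": "group", "id": exclude_group},
        }
    return {"@odata.type": current["@odata.type"], "featureSettings": feature_settings}

def graph_call(method, token, body=None):
    """GET or PATCH the policy with a bearer token allowed to write it (network; not run at import)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(ENDPOINT, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"{}")  # PATCH answers 204 with an empty body

def enable_additional_context(token):
    """The guide's steps 1-4: GET, edit, PATCH, then GET again; returns what is still off."""
    current = graph_call("GET", token)
    if missing_context(current):
        graph_call("PATCH", token, build_patch_body(current))
    return missing_context(graph_call("GET", token))

# Constructed sample GET response (not from a real tenant): both context features off,
# number matching already on, to show that untouched settings survive the rebuild.
SAMPLE_RESPONSE = {
    "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
    "id": "MicrosoftAuthenticator", "state": "enabled",
    "featureSettings": {
        "numberMatchingRequiredState": {"state": "enabled"},
        "displayAppInformationRequiredState": {"state": "default"},
        "displayLocationInformationRequiredState": {"state": "disabled"},
    },
}
```

Running `missing_context` against the live GET response before and after the PATCH is the check in step 4; an empty list means both features are enabled.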

Now you have enabled additional context for MFA notifications and improved your security posture. For more ways to improve your security, check out our other Azure how-to guides.

Automating MFA Enhancements with Blink

You can make these MFA enhancements manually, but checking your compliance status and making continual policy updates over time requires serious context-switching.

With an automation platform like Blink, you can run checks to ensure that your MFA standards apply to all users and that new updates are implemented at scale. If your security practices involve multiple tools and multiple MFA policies, managing them all from one platform can make it easier to respond quickly and ensure strong security settings.

Get started with Blink and strengthen your security processes today.
