Just last month, a multi-factor authentication (MFA) fatigue attack on Uber left everyone reeling. In this type of attack, an attacker who already holds a user's password repeatedly triggers sign-in attempts, flooding the employee's authenticator app with push notifications until they approve one.
While every attack is different, there are some MFA security basics that your organization can enable to make your MFA posture harder to exploit.
We recently wrote about the best practice of enabling number matching for MFA.
In this guide, we’re going to discuss enabling additional context on Microsoft Authenticator notifications and walk through the steps.
Adding Additional Context for Multi-factor Authentication
When an employee receives an MFA notification, what information can they see about that request? That depends on your settings.
By enabling additional context for Microsoft Authenticator notifications, you add two pieces of information to every push notification shown in the Microsoft Authenticator app.
First, the notification shows the name of the application requesting sign-in approval. Second, it shows the approximate geographic location derived from the IP address of that sign-in request.
Together, these details let the employee check who is signing in, which application they are signing in to, and from where, which makes it less likely that they approve a malicious MFA request by mistake.
How to Enable Additional Context for MFA Requests
You can add additional context for MFA requests by adjusting settings either in the Azure Portal or by changing the policy schema directly.
Using the Azure Portal:
You can enable additional context on MFA requests with a few steps in the Azure Portal. The screenshots below are from Azure documentation:
1. Navigate to the Azure AD Portal.
2. Click Security, then Authentication methods, then Microsoft Authenticator.
3. Go to the Basics tab. Under Enable, select Yes.
4. To apply this change to all users, select All users and then choose Any for Authentication mode.
5. Go to the Configure tab. You’ll see a section called “Show application name in push and passwordless notifications”. Select Enabled for Status, and All users for the target group.
6. You can do the same steps for the section titled “Show geographic location in push and passwordless notifications”.
7. You can click Save to apply these changes to everyone with Microsoft Authenticator enabled. You can also include or exclude groups if it makes sense.
Using Updates to the Policy Schema:
You can also enable additional context by updating the Microsoft Authenticator policy schema directly through Microsoft Graph. This method is useful when you manage authentication method settings as code or automate them.
One prerequisite for this method is that your tenant is using the new authentication methods policy schema for the Microsoft Graph APIs.
To enable the application name and geographic location for MFA notifications, you can use the following API endpoint:
Under the featureSettings section, you’ll need to change the state to enabled for:
Here are the steps:
1. First, to ensure that you aren’t overwriting anything unintentionally, you should retrieve your current policy schema with a GET request:
2. Next, use the response body to change the state to enabled and specify the target groups for both displayAppInformationRequiredState and displayLocationInformationRequiredState. In the example below, these changes are applied to all users enabled for Microsoft Authenticator. Users who are not enabled for Microsoft Authenticator won’t see these features. You can narrow the targeting to specific groups by setting includeTarget and excludeTarget to group IDs.
3. With your now updated schema, run a PATCH request to the same endpoint.
4. To verify that your configurations have been applied correctly, run the same GET step to see the current schema.
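The GET, edit, PATCH and verify steps above, as an added example that is not part of the original guide or Blink's product. It assumes the Microsoft Graph beta endpoint for the Microsoft Authenticator method configuration (`/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator`), a bearer token supplied in a hypothetical `GRAPH_TOKEN` environment variable, and a constructed sample of the policy JSON so the transform and the verification check can be run offline:

```python
"""
Added example: build and verify the PATCH body that turns on additional context
(app name and location) for Microsoft Authenticator push notifications.

Assumptions: the policy JSON has the shape returned by the Microsoft Graph beta
endpoint for the Microsoft Authenticator configuration; GRAPH_ENDPOINT and the
sample policy below are assumed/constructed for illustration.
"""
import copy
import json
import os
import urllib.request

# Assumed Graph endpoint for the Microsoft Authenticator method configuration.
GRAPH_ENDPOINT = ("https://graph.microsoft.com/beta/authenticationMethodsPolicy"
                  "/authenticationMethodConfigurations/MicrosoftAuthenticator")

# The two featureSettings the guide tells you to set to "enabled".
CONTEXT_FEATURES = ("displayAppInformationRequiredState",
                    "displayLocationInformationRequiredState")

# Graph uses the all-zero GUID for "no exclusion group".
EMPTY_GUID = "00000000-0000-0000-0000-000000000000"

# Constructed sample of what the GET step returns: both features still "default".
SAMPLE_CURRENT_POLICY = {
    "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
    "id": "MicrosoftAuthenticator",
    "state": "enabled",
    "isSoftwareOathEnabled": False,
    "excludeTargets": [],
    "featureSettings": {
        "displayAppInformationRequiredState": {
            "state": "default",
            "includeTarget": {"targetType": "group", "id": "all_users"},
            "excludeTarget": {"targetType": "group", "id": EMPTY_GUID},
        },
        "displayLocationInformationRequiredState": {
            "state": "default",
            "includeTarget": {"targetType": "group", "id": "all_users"},
            "excludeTarget": {"targetType": "group", "id": EMPTY_GUID},
        },
    },
    "includeTargets": [
        {"targetType": "group", "id": "all_users",
         "isRegistrationRequired": False, "authenticationMode": "any"}
    ],
}


def enable_additional_context(policy, include_group="all_users", exclude_group=None):
    """Step 2: derive a PATCH body from the current policy without mutating it.

    Only @odata.type and featureSettings are sent, so the rest of the schema is
    left untouched. "all_users" targets everyone enabled for Authenticator; pass
    a group ID to narrow the scope, and optionally a group ID to exclude.
    """
    feature_settings = copy.deepcopy(policy.get("featureSettings", {}))
    for name in CONTEXT_FEATURES:
        setting = feature_settings.setdefault(name, {})
        setting["state"] = "enabled"
        setting["includeTarget"] = {"targetType": "group", "id": include_group}
        setting["excludeTarget"] = {"targetType": "group",
                                    "id": exclude_group or EMPTY_GUID}
    return {"@odata.type": policy["@odata.type"], "featureSettings": feature_settings}


def additional_context_enabled(policy):
    """Step 4 check: True only if both features are enabled for a real target."""
    fs = policy.get("featureSettings", {})
    return all(
        fs.get(name, {}).get("state") == "enabled"
        and fs.get(name, {}).get("includeTarget", {}).get("id") not in (None, "", EMPTY_GUID)
        for name in CONTEXT_FEATURES
    )


def graph_call(method, token, body=None):
    """GET or PATCH the policy; the token needs Policy.ReadWrite.AuthenticationMethod."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(GRAPH_ENDPOINT, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()  # PATCH returns 204 with an empty body
        return json.loads(raw) if raw else {}


if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")  # hypothetical variable holding an access token
    current = graph_call("GET", token) if token else SAMPLE_CURRENT_POLICY  # step 1
    print("before:", additional_context_enabled(current))
    patch = enable_additional_context(current)                               # step 2
    if token:
        graph_call("PATCH", token, patch)                                    # step 3
        current = graph_call("GET", token)                                   # step 4
    else:
        current = {**current, "featureSettings": patch["featureSettings"]}
    print("after:", additional_context_enabled(current))
```

Without `GRAPH_TOKEN` the script runs entirely against the constructed sample, which is a convenient way to unit-test the transform before pointing it at a tenant. Sending only `@odata.type` and `featureSettings` in the PATCH is what keeps the rest of the schema (for example `includeTargets` and `isSoftwareOathEnabled`) from being overwritten, which is the concern step 1 raises.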
Now you have enabled additional context for MFA notifications and improved your security posture. For more ways to improve your security, check out some of our other Azure how-to guides:
- Identifying Azure Users with Non-Compliant Password Expiration Settings
- Finding and Disabling Non-Active Users in Azure
- How to Detect and Remove Unattached Azure Public IP Addresses
- Finding and Removing Unused Azure Virtual Network Gateways
Automating MFA Enhancements with Blink
You can make these MFA enhancements manually, but checking your compliance status and making continual policy updates over time requires constant context-switching between portals and APIs.
With an automation platform like Blink, you can run checks to ensure that your MFA standards apply to all users and that new updates are implemented at scale. If your security practices involve multiple tools and multiple MFA policies, managing them all from one platform can make it easier to respond quickly and ensure strong security settings.
Create your free Blink account and strengthen your security processes today.