How to Enable MFA Number Matching for All Azure Users

Enhance security by enabling MFA number matching for all Azure users. Learn how to set it up for Microsoft Authenticator.

Patrick Londa
Author
Oct 20, 2022
 • 
5
 min read
Share this post

It is not unusual to think that all you need to do with an Azure MFA is set it up and be done. Azure MFAs are a great way to provide security for your data and apps without sacrificing simplicity. But MFA attacks have recently been on the rise, and a little extra protection for safeguarding your data can go a long way. 

One way to strengthen your MFA strategy is by enabling "MFA Number Matching" for all of your Azure users. But what does this mean, and how do you do this?

Simply put, number matching is a security upgrade for the Authenticator app. It provides improved sign-in security on top of the second-factor notifications. It will soon be available for everyone by default after general availability. However, you may want to enable it immediately due to MFA spamming or MFA Fatigue attacks. These attacks take advantage of your user's simple approvals, including voice, SMS, or push notifications, with little to no context as to what the user is authenticating. 

Number matching combats MFA attacks by giving users a string of numbers to type into the app to verify their approvals. This raises the barrier to approval slightly, which when implemented across your organization, strengthens your security posture.

blink logo
azure logo
Blink Automation: Enable MFA Number Matching for a User Group
Blink + Azure
Get Started

Enabling MFA Number Matching for All Azure Users

Before we go through the steps for enabling number matching, you need to enable Microsoft Authenticator to send push notifications using an Authentication methods policy. This is the traditional second-factor notification. The Authentication methods policy can be edited when using the Azure portal or Microsoft Graph API. For ADFS adapters or NPS extensions, make sure you have their latest versions.

To enable MFA Number Matching, you can either use the Azure Portal or by making changes to the policy schema.

Using the Microsoft Azure Portal

  1. Sign into Microsoft Azure Portal with the account associated with your app or organization
  2. Click on Menu and locate the Azure Active Directory or Azure AD. The icon appears as a bright blue arrowhead.
  3. Click on Security to see your security safeguards and protection measures. The icon appears as a blue shield.
  4. Now that you are in the Security tab click on Authentication Methods in the security menu. You will find it under Manage.
  5. Now inside the Authentication Methods tab, select Policies in the menu under Manage.
  6. Locate Microsoft Authenticator and click it
  7. Click on the Basics tab where you will configure the following settings:
  • Enable: Yes
  • Target: All users
  • Authentication mode: Any

This should now enable the MFA Number Matching safeguard. 

To test that the MFA number matching is working now, here are the steps to try it on a group or test account:

1. Change the Target from All users to Select users and select the account you wish to test on.

2. Click on the Configure tab

3. Configure the settings for Require number matching for push notifications to the following locations and save them:

  • Status: Enabled
  • Target: Include --> All users

4. After confirming these settings, test the number matching by logging into the targeted Microsoft account in the Microsoft portal on a different device or window/tab. This should provide an authentication prompt with a randomly generated number. Enter this generated number in the Microsoft Authenticator app and tap Yes to approve or verify that the sign-in attempt is from you.

5. You should now have successfully signed into your Microsoft account.

Using Changes to the Policy Schema

You can also make changes to the policy schema to enable number matching. Make sure you are using the new policy schema for Microsoft Graph APIs. 

To enable number matching, you can use the following API endpoint to change the numberMatchingRequiredState under feature settings to enabled:

  • https://graph.microsoft.com/v1.0/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator

Here are the steps to enabling MFA number matching with policy schema changes:

1. Retrieve your current policy schema with a GET request:

GET 
https://graph.microsoft.com/v1.0/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator

By doing this, you can preserve previous configurations and update only the relevant schema section.

2. Under the featureSettings, change the numberMatchingRequiredState from default to enabled. You can specify who you want this change to impact by specifying users or groups to include or exclude. In this example, the target group is all users, and you can see that number matching is enabled:

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",
    "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
    "id": "MicrosoftAuthenticator",
    "state": "enabled",
    "featureSettings": {
        "numberMatchingRequiredState": {
            "state": "enabled",
            "includeTarget": {
                "targetType": "group",
                "id": "all_users"
            },
            "excludeTarget": {
                "targetType": "group",
                "id": "00000000-0000-0000-0000-000000000000"
            }
      }
    },
    "includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
    "includeTargets": [
        {
            "targetType": "group",
            "id": "all_users",
            "isRegistrationRequired": false,
            "authenticationMode": "any",        
        }
    ]
}

3. With your updated schema, run a PATCH request to the same endpoint.

4. Confirm the configurations have been applied by running the same GET request from the first step.

By completing these steps, you will have enabled number matching for all users enabled for Microsoft Authenticator. It will have no impact on users using "passwordless phone sign-ins" because it is already part of the passwordless experience.

Automating MFA Enforcements with Blink

You can make these MFA enhancements manually, but checking your compliance status and making continual policy updates over time requires serious context-switching.

With an automation platform like Blink, you can run checks to ensure that your MFA standards apply to all users and that new updates are implemented at scale. If your security practices involve multiple tools and multiple MFA policies, managing them all from one place can make it much easier to ensure strong security settings.

Get started with Blink and strengthen your security processes today.