Number matching is a key security upgrade to traditional second factor notifications in Microsoft Authenticator. Microsoft will remove the admin controls and enforce the number match experience tenant-wide for all users starting May 8, 2023.
Why use number matching?
The main reason for enabling number matching is to make the Microsoft Authenticator Application more secure. There are many articles available about MFA fatigue attacks. By implementing number matching, we can prevent users from accidentally approving MFA requests. With number matching, the user has context around the MFA request and can make a better decision. If they do not see the number prompt on their own sign-in screen, they cannot approve the MFA request.
What is changing?
We can enable number matching for our users today; there is no need to wait for Microsoft to enable this. In the current state, number matching can be enabled for all Microsoft Authenticator users, or for a select group of Microsoft Authenticator users. Let’s review these settings in the Azure Portal (https://portal.azure.com).
In the Azure Portal, open Azure Active Directory. Select Security on the left-hand menu. On the next window, select Authentication methods and then Policies. Microsoft Authenticator policies can be configured here. This determines which of your users are allowed to use the Microsoft Authenticator application, and this is also where the number matching settings can be configured.
I’ve selected Microsoft Authenticator and I’m presented with the following window:
The Enable and Target tab allows you to configure which users are allowed to use the Microsoft Authenticator application as an authentication method. In my instance I’ve configured All Users with Any authentication mode. The two modes available are Passwordless and Push. You can still make changes to these settings after 8 May 2023.
You can target specific users or groups and you can add exclusions as required. I can target all users and add an exclusion for some groups of users as an example.
The Configure tab is where you will find the number matching settings as per the image below.
At the moment, these settings shown in the above image can still be changed as needed. You can configure these settings to enable number matching for all the Authenticator Application users, or you can target specific users or groups. This is a great method to test this feature on a few POC users to become familiar with the new process.
After 8 May 2023, you will no longer be able to make changes to these settings. The Status setting will be set to Enabled. The Target section will be set to include All users. As stated, these settings cannot be changed after this date. You will not be able to add any exclusions to the Target setting either.
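The same Microsoft Authenticator policy can be read and changed through Microsoft Graph, which is useful for checking the state ahead of the enforcement date or for pointing number matching at a POC group as described above. This is an added example, not code from the original post; it assumes the Microsoft.Graph PowerShell SDK, the beta Graph endpoint, and the `featureSettings.numberMatchingRequiredState` property name, and `<POC-GROUP-OBJECT-ID>` is a placeholder for your own pilot group.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph
# PowerShell SDK and the beta endpoint's featureSettings.numberMatchingRequiredState.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"

$uri = "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator"

function Get-NumberMatchingState {
    # Read the Microsoft Authenticator method configuration and summarise
    # the method state plus the number matching state and its targets.
    $config = Invoke-MgGraphRequest -Method GET -Uri $uri
    $nm = $config.featureSettings.numberMatchingRequiredState
    [PSCustomObject]@{
        AuthenticatorPolicy = $config.state
        NumberMatching      = $nm.state
        IncludeTarget       = "$($nm.includeTarget.targetType)/$($nm.includeTarget.id)"
        ExcludeTarget       = "$($nm.excludeTarget.targetType)/$($nm.excludeTarget.id)"
    }
}

# Placeholder: replace with the object id of your POC group.
# Use id "all_users" to target every Authenticator user instead.
$pilotGroupId = "<POC-GROUP-OBJECT-ID>"

$body = @{
    "@odata.type"   = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration"
    featureSettings = @{
        numberMatchingRequiredState = @{
            state         = "enabled"
            includeTarget = @{ targetType = "group"; id = $pilotGroupId }
        }
    }
}

"Before:"; Get-NumberMatchingState
Invoke-MgGraphRequest -Method PATCH -Uri $uri -ContentType "application/json" `
    -Body ($body | ConvertTo-Json -Depth 10)
"After:";  Get-NumberMatchingState
```

Run the GET part on its own first if you only want to audit the current setting without changing it.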
Which users will be affected?
The changes will only affect Microsoft Authenticator Application users. Users currently using other authentication methods, such as Phone (SMS/Text), will not be affected.
Microsoft will not force all users to start using number matching by default. Number matching will only be enabled by default for Microsoft Authenticator Application users.
New users can still enroll with any authentication method as per your configured policy. If they enroll for Phone authentication, they will continue as normal. When they enroll for Microsoft Authenticator with Push notification, they will use number matching.
Microsoft Authenticator push notification versus code
When setting up the Microsoft Authenticator application for MFA, the default sign-in method can be configured in two different ways.
- Authenticator app or hardware token – code
- Microsoft Authenticator – notification
We refer to Microsoft Authenticator push notification when the default sign-in method is set to “Microsoft Authenticator – notification”. These are the users that will receive the number matching prompt after 8 May 2023.
Users with the default sign-in method set to “Authenticator app or hardware token – code” will not be affected. They will continue to sign in as usual as they will not receive the number matching prompt.
What is the end user experience?
Let us look at the end user experience as this will clarify what exactly to expect in different scenarios.
Phone (SMS/Text) as default authentication method
This user registered his mobile phone and an external email address when he enrolled for MFA. The default sign-in method is set to Phone.
When this user authenticates and receives the MFA prompt, it will default to text. When number matching is enabled, this user would not be affected. The user will continue authenticating with a text message as usual.
Microsoft Authenticator with code as default sign-in method
This test user has registered his phone (SMS/Text) and also the Microsoft Authenticator Application, which is set as the default authentication method as per the image below. Notice it is set to “Authenticator app or hardware token – code”, which prompts the user to enter the code from the Authenticator application.
When this user authenticates and receives the MFA prompt, it will default to the Microsoft Authenticator code prompt. When number matching is enabled, this user would not be affected. The user will continue authenticating with the Microsoft Authenticator code as usual.
Microsoft Authenticator push notification as default sign-in method
This test user has registered his phone (SMS/Text) and also the Microsoft Authenticator Application, which is set as the default authentication method as per the image below. Notice it is set to “Microsoft Authenticator – notification”, which is the push notification experience.
Current experience without number matching
When this user authenticates and receives the MFA prompt, it will default to the Microsoft Authenticator Application. The user will receive a simple prompt on his mobile to Approve or Deny the request as shown in the images below. This is the current experience without number matching enabled.
New experience with number matching enabled
When the user authenticates and receives the MFA prompt, it will default to the Microsoft Authenticator Application. The user will receive a number prompt at the logon screen and will then be required to enter this number in the Microsoft Authenticator Application to approve the request. This will be the new behavior when number matching is enabled. The user will no longer receive the simple Approve or Deny prompt in the Authenticator Application.
New MFA registrations
New MFA registrations will not be affected. Users can register with any authentication method as per configuration of the Authentication Methods Policies.
Only take note that with number matching enabled, the user will be prompted to complete number matching instead of the Approve or Deny prompt when completing the new registration with the Microsoft Authenticator application.
Manage your sign-in methods
Here you will be able to update your default sign-in method and also add or remove additional sign-in methods as per the configured administrator policy.
Passwordless sign-in with Microsoft Authenticator
By enabling number matching, you can also enable passwordless sign-in for your users. Users will be able to sign in to Azure AD without using a password. I will demonstrate how to enable this in my next blog.
It may seem that there will be a significant impact on your end users when Microsoft enables number matching by default, but when you review the end user experience, you will find that it is not such a big change in your environment.
Only existing or new Microsoft Authenticator Application users will be affected. Users with other authentication methods such as Phone (SMS/Text) will not be affected.
Microsoft Authenticator Application users will no longer be able to simply Approve or Deny an authentication request. They will instead need to enter the number presented on the sign-in window to authenticate.