MFA Authenticator: FOREVER!

MFA Authenticator: FOREVER!

This blog will be about some nice new additions to the MFA authenticator app. I just love the Required numbers part and now we can combine it with some nice MFA location information.

I will divide this blog into multiple parts

  1. Introduction to MFA
  2. The 2 things that are(were) missing
  3. Details about we are going to change
  4. Automating it!
  5. The PowerShell Script
  6. Enable these previews with the GUI
  7. Results

1.Introduction to MFA

I guess everyone now has MFA enabled for all their users, right? But why not step it up a notch because a way better option is to enable the Passwordless option like shown in this (older) blog:

I enabled that option immediately, luckily this option is now also available for outlook.com / Microsoft accounts

But at first use, I had the idea it was missing something. Like some more details about the location from where I was logging in and a more secure way to acknowledge the number instead of just approving it!

Let me explain some more, because in the past when you were receiving this MFA number question, you only needed to click on the right one and nothing more… like shown below

*Source: Aanmelden zonder wachtwoord met de Microsoft Authenticator app – Azure Active Directory | Microsoft Docs

2.The 2 Things that are (were) Missing

So I am missing some things, let me explain them some more.

The First one:

Like I told you in the introduction, I am/was missing some security. Wouldn’t it be better when getting the MFA prompt, that you need to enter the number manually instead of just selecting one of the 3 options you get? Because it doesn’t take much thinking when you just click on the number and approve…

The Second one:

Sometimes you could get bothered with some ghosts MFA prompt. When an employee would receive an MFA prompt when he wasn’t expecting it, he normally should need to contact the IT department to check it.

Here is the WHY, he/she would need to do that. When you are not using the passwordless option and you are suddenly receiving a not expected MFA prompt it could mean that when it’s a real attack, the attacker has your credentials! And that is something that really not be looked at and be taken slightly!

So wouldn’t it be better for the end-user he could get some more information about the MFA prompt instead of needing to immediately contact the IT department to check it out?

So let’s take a look at how we could make sure these 2 are going to be taken care of.

3.Details about what we are going to change

Before showing you the script we need to take a look at some details first. When do we want to enable that great possibility to require matching numbers and the possibility to show the user some more location information, we could use the Azure Authentication Method menu blade, right?

But unfortunately, these 2 options aren’t available in the MFA portal yet.

https://portal.azure.com/#blade/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/AdminAuthMethods

A little (maybe big) warning!! of course, configuring these options are still in preview and not (yet) to be used in production! So please beware.

But let’s skip that warning and go forth. We need to check out the default settings first, with GRAPH. We need to use GRAPH to do so because the settings aren’t available in the Azure portal like I showed above. Let’s take a look at the default settings first.

You will find these settings in the GRAPH Uri:

https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator

“displayAppInformationRequiredState “: “default”,

“numberMatchingRequiredState”: “default”

So both of these 2 settings are configured to “default”, I guess that just means off 🙂

4.Automating it

Of course, we can do it with Graph Explorer, but why not add it to your tenant enrollment script when it is no longer in preview.

Prerequisites. You will need to have created an app registration with some API permissions. So please add them first

Afbeelding met tekst  Automatisch gegenereerde beschrijving

Click on Microsoft Graph and Application Permissions

Afbeelding met tekst  Automatisch gegenereerde beschrijving

Search for Policy.ReadWrite.AuthenticationMethod and add them

When the required permission is added, don’t forget to consent

5.The PowerShell Script

Now fire up a PowerShell script and copy-paste this content in it to change those values. Of course, you need to change the details of the App to your own app

#configure APP Details here. 

$clientid = "*"
$secret = "*"
$tenantid = "*"

#get the token
$token = Get-MsalToken -ClientId $clientid -ClientSecret (ConvertTo-SecureString $secret -AsPlainText -Force) -TenantId $tenantid -Scope 'https://graph.microsoft.com/.default'
$headers1b = @{
            'Content-Type'='application/json'
          'Authorization'="Bearer " + $token.AccessToken
         'ExpiresOn'=$token.ExpiresOn
          }


$apiurl = "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator"


$data = @'
{"@odata.context":"https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity","@odata.type":"#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration","id":"MicrosoftAuthenticator","state":"enabled","includeTargets@odata.context":"https://graph.microsoft.com/beta/$metadata#policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets","includeTargets":[{"targetType":"group","id":"all_users","isRegistrationRequired":false,"authenticationMode":"any","outlookMobileAllowedState":"default","displayAppInformationRequiredState":"enabled","numberMatchingRequiredState":"enabled"}]}
'@

$Data = Invoke-RestMethod -Headers $headers1b -Uri $apiUrl -Body $data -Method patch -ContentType 'application/json'

Looking at the script above, please beware of the “patch” method. Normally I am used to just putting something, somewhere but this time I needed to patch it up!

6. Enable these previews with the GUI

Of course when you don’t want to use Powershell but just want to enable the “Require number Matching” or/and the “Show Additional Context in notifications” you also could just open portal.azure.com

Click in “security” –> “Authentication Methods” –> Select the (of course) “Microsoft Authenticator App” And click on configure at the “all users” assignment

And look at here!! my ow my… Just enable it all. Again it’s in preview…. but who cares 🙂 it’s just so nice to see how easy you can enable these nice additions to the MFA Authenticator

6. Results

numberMatchingRequiredState (Require Number Matching)

So how does it look like when you configured the numberMatchingRequiredState value to enabled, to make sure you need to enter the number instead of just approving it!

displayAppInformationRequiredState (Show additional context in notifications)

Of course not to forget the displayAppInformationRequiredState, let’s take a look at how wonderful that one looks like and combine it with the required number adjustment

And yes for the people looking at the details… my battery is draining very very fast.

Conclusions

I did love the MFA authenticator already, but with these kinds of improvements, I guess I am deeply in love with it! I can’t wait to enable them in all the production environments when it’s out of preview!

Because when you have enabled these options it will give you a more secure environment as it eliminates accidental MFA approvals and will give you some more location insights when you are targetted by an attack on your password.

So Wakan…. uhhh…. MFA authenticator FOREVER!

Forever love perfeito love GIF - Find on GIFER

When posting this blog it is was Sunday… so if you do want to do some more Sunday reading here are some nice ones for you!

2 thoughts on “MFA Authenticator: FOREVER!

  1. Great solution and thanks for sharing. If it’s possible, can you please also publish the English version of the screenshots?

Leave a Reply

Your email address will not be published. Required fields are marked *

7  +  3  =