Categories
Azure-AD Conditional Access Identity Passwordless

How to enable MFA Code Matching & Context in Azure AD Portal (Public Preview)

Microsoft have now released a new(ish) MFA method that will be available for both users running Passwordless and regular authentication combined with MFA/Conditional Access, currently in Public Preview.
With the new code matching, users will be required to type in a code within the Microsoft Authenticator app, that will be presented by Microsoft when the end-user needs to verify their identity with an MFA challenge (or as a first step when running passwordless).
The authenticator app could also give you some context to the MFA Challenge, it will inform you about the application and location of the sign-in you are about to verify if you choose to enable it.
Its now possible to enable and configure this in the Azure AD Portal, earlier you needed to enable it through GRAPH.

Example of end-user experience

Sign-in attempt (I guess Microsoft will update this view before the feature will reach GA)


Experience in the authenticator app with code matching and context enabled

This MFA method will require more attention from the end-user, but will also reduce the possibility where users accidentally approves an MFA challenge through an PUSH notification, where they simply only needs to press “Approve”.
Now the user will need to have the code in front of them, and the user will be presented with some context about the sign-in.

How to enable Code Matching with context for all users

Follow the steps below to enable code matching for all users:

1. Open Azure Active Directory

2. Open Security

3. Open Authentication Method

4. Select Microsoft Authenticator

5. Click on the three dots, and select “Configure”

6. Set Authentication mode to “Any” enable both “Require number matching” and “Show additional context in the notification”

Please note that with the settings above, code matching will be required for all users who is using Microsoft Authenticator app as their primary MFA Method. In an production environment, you should wait for the feature to be released in GA and make sure to both implement step-by-step and make sure to communicate the change to the organization as always.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s