Azure MFA – Enable Location Information

By Nicklas AhlbergAzure, Identity, Security

So, this is a good one! Mistakes such as approving a rogue MFA request is easily made and that is where location information and matching number comes to play. This makes it easier for us to identify a rogue MFA request (initiated by a bad actor).

❗ First things first… note that this feature is still in preview – so use it wisely in a lab environment.
Official MS documentation is found here: Use additional context in multifactor authentication (MFA) notifications (Preview) – Azure Active Directory | Microsoft Docs

Let’s rock enroll

Initially we only had one way to enable location info and matching numbers (Graph) but now we can do it directly from the Azure portal. We will cover both methods below.

Method 1 (use the Azure portal)

  1. Open: Azure portal
  2. Navigate to: Azure Active Directory -> Security -> Authentication Methods -> Microsoft Authenticator
  3. Click: Yes
  4. Target: Pick at least one user/group or use All users
  5. Now click the three dots and Configure
  6. Authentication mode: Any (this will allow the settings to be applied to both password-less and push authentications
  7. Require number matching (preview): Enabled
  8. Require Show additional context in notifications (preview): Enabled
  9. Click: Done
  10. Click: Save

Method 2 (use Graph Explorer)

  1. Head over to MS Graph Explorer: https://aka.ms/ge
  2. Click: Sign in to Graph Explorer (use an admin account)

  3. Now we need to switch the schema from v1.0 to beta

  4. Note how the URL changes from v1.0 to beta

  5. Paste this URL in the URL box
    https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator
  6. Click: Run query
  7. If you get the “Forbidden – 403. You need to consent the permissions…” error, step 8 – otherwise skip to step 11
  8. Click: Modify permissions (Preview)
  9. The required permission(s) should be visible, have a look at them and click Consent
  10. Click: Run query again to make sure the error message is done and that we get a good response
  11. Copy the response and paste it into the request body and change both displayAppInformationRequiredState and numberMatchingRequiredState to enabled
  12. Now all we need to do is change from GET to PATCH and click Run query

That’s it! Two fairly easy methods to enable strong and very much needed features to our beloved Microsoft Authenticator app 😍

Leave a Reply

Your email address will not be published. Required fields are marked *


The reCAPTCHA verification period has expired. Please reload the page.