1.1.5 Ensure Microsoft Authenticator is configured to protect against MFA fatigue

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

Microsoft has released additional settings to enhance the configuration of the Microsoft Authenticator application. These settings provide additional information and context to users who receive MFA passwordless and push requests, such as geographic location the request came from, the requesting application and requiring a number match.

Ensure the following are Enabled.

Require number matching for push notifications

Show application name in push and passwordless notifications

Show geographic location in push and passwordless notifications

NOTE: As of February 27, 2023, Microsoft will start enforcing number matching tenant-wide for all users of Microsoft Authenticator.

Rationale:

As the use of strong authentication has become more widespread, attackers have started to exploit the tendency of users to experience 'MFA fatigue.' This occurs when users are repeatedly asked to provide additional forms of identification, leading them to eventually approve requests without fully verifying the source. To counteract this, number matching can be employed to ensure the security of the authentication process. With this method, users are prompted to confirm a number displayed on their original device and enter it into the device being used for MFA. Additionally, other information such as geolocation and application details is displayed to enhance the end user's awareness. Among these three options, number matching provides the strongest net security gain.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To configure Microsoft Authenticator to protect against MFA fatigue:

Navigate to the Microsoft Entra admin center https://entra.microsoft.com.

Browse to Azure Active Directory > Protect & Secure > Authentication methods

Select Microsoft Authenticator

Under Enable and Target ensure the setting is set to Enable.

Select Configure

Set the following Microsoft Authenticator settings:

Require number matching for push notifications: Status set to Enabled, Target set to All users

Show application name in push and passwordless notifications: Status set to Enabled, Target set to All users

Show geographic location in push and passwordless notifications: Status set to Enabled, Target set to All users
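Because this benchmark item is not checked automatically, the following is an added example (not part of the CIS benchmark or the Nessus audit) of how the three settings above can be audited programmatically from the Microsoft Authenticator policy object that Microsoft Graph returns. It assumes the policy has already been fetched from the beta endpoint GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator, that the featureSettings property names are numberMatchingRequiredState, displayAppInformationRequiredState and displayLocationInformationRequiredState (the beta names at the time number matching was still an optional setting; verify them against the current Graph documentation), and that "all_users" is the includeTarget id meaning Target All users. The sample policy embedded below is constructed, not captured from a real tenant.

```python
"""Audit a Microsoft Authenticator policy (Graph JSON) against the three MFA-fatigue settings."""
import json
from copy import deepcopy

# Assumed Graph property names (beta endpoint) mapped to the benchmark's setting names.
REQUIRED_FEATURES = {
    "numberMatchingRequiredState": "Require number matching for push notifications",
    "displayAppInformationRequiredState": "Show application name in push and passwordless notifications",
    "displayLocationInformationRequiredState": "Show geographic location in push and passwordless notifications",
}


def check_feature(feature):
    """Return (compliant, reason) for one featureSettings entry.

    Compliant means state == 'enabled' and includeTarget covers all users.
    excludeTarget is deliberately not evaluated here.
    """
    if not feature:
        return False, "setting absent from policy"
    state = feature.get("state")
    if state != "enabled":
        return False, f"state is {state!r}, expected 'enabled'"
    target_id = (feature.get("includeTarget") or {}).get("id")
    if target_id != "all_users":
        return False, f"includeTarget id is {target_id!r}, expected 'all_users'"
    return True, "enabled, targeted at all users"


def audit_authenticator_policy(policy):
    """Return {benchmark setting: (compliant, reason)} including the 'Enable and Target' step."""
    findings = {}
    method_state = policy.get("state")
    findings["Enable and Target"] = (method_state == "enabled", f"method state is {method_state!r}")
    features = policy.get("featureSettings") or {}
    for key, label in REQUIRED_FEATURES.items():
        findings[label] = check_feature(features.get(key))
    return findings


def is_compliant(policy):
    """True only when the method and all three feature settings pass."""
    return all(ok for ok, _ in audit_authenticator_policy(policy).values())


def _feature(state):
    # Helper building one featureSettings entry targeted at all users.
    return {"state": state, "includeTarget": {"targetType": "group", "id": "all_users"}}


# Constructed sample response: number matching and app name enabled, location still disabled.
SAMPLE_POLICY = {
    "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
    "id": "MicrosoftAuthenticator",
    "state": "enabled",
    "featureSettings": {
        "numberMatchingRequiredState": _feature("enabled"),
        "displayAppInformationRequiredState": _feature("enabled"),
        "displayLocationInformationRequiredState": _feature("disabled"),
    },
}


def remediated(policy):
    """Return a copy with all three settings enabled for all users (the body to PATCH back)."""
    fixed = deepcopy(policy)
    fixed["state"] = "enabled"
    fixed.setdefault("featureSettings", {})
    for key in REQUIRED_FEATURES:
        fixed["featureSettings"][key] = _feature("enabled")
    return fixed


if __name__ == "__main__":
    for label, (ok, reason) in audit_authenticator_policy(SAMPLE_POLICY).items():
        print(f"{'PASS' if ok else 'FAIL'}  {label}: {reason}")
    print(json.dumps(remediated(SAMPLE_POLICY)["featureSettings"], indent=2))
```

Run against the sample, the script reports the geographic-location setting as the single failing item and prints the featureSettings object that would bring the policy into line with the benchmark; feeding it the JSON from a live tenant (with an appropriately consented Graph token) is left to the caller.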

See Also

https://workbench.cisecurity.org/benchmarks/10751