Enforcing Push Notifications in Microsoft Authenticator [CHK-1161]
This check verifies whether push notifications are enforced as the multi-factor authentication (MFA) method in Microsoft Authenticator, rather than one-time passwords (OTP).
Rationale
Microsoft Authenticator provides additional information about a sign-in attempt when push notifications are used as the MFA method. This helps users recognize and report phishing attacks. These features are not available when using OTPs, making the user unnecessarily vulnerable.
Fix
An automated fix is available through Attic.
Manual steps:
- Navigate to the Microsoft Entra admin center at https://entra.microsoft.com
- Go to Protection > Authentication methods
- Click on Microsoft Authenticator
- Click on Configure
- Set the option Allow use of Microsoft Authenticator OTP to No
- Click on Save
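The portal toggle above corresponds to a setting on the Microsoft Authenticator authentication method configuration that can also be read and written through Microsoft Graph. The following Python is an added example, not Attic's own check or fix code: it evaluates the CHK-1161 condition against a configuration object of the shape returned by GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator, and builds the PATCH body that mirrors the manual fix. It assumes the OTP toggle is exposed as the Graph property isSoftwareOathEnabled; the sample configurations are constructed, and no network call is made.

```python
"""Offline evaluator for CHK-1161 (Authenticator OTP must be disabled).

Assumption (not stated on the original page): the portal option
"Allow use of Microsoft Authenticator OTP" maps to the Graph property
`isSoftwareOathEnabled` on the MicrosoftAuthenticator configuration.
All sample objects below are constructed for illustration.
"""

GRAPH_ODATA_TYPE = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration"

# Constructed sample: Authenticator enabled, OTP codes still allowed (non-compliant).
SAMPLE_NONCOMPLIANT = {
    "@odata.type": GRAPH_ODATA_TYPE,
    "id": "MicrosoftAuthenticator",
    "state": "enabled",
    "isSoftwareOathEnabled": True,
}

# Constructed sample: the Authenticator method is switched off entirely.
SAMPLE_METHOD_DISABLED = {
    "@odata.type": GRAPH_ODATA_TYPE,
    "id": "MicrosoftAuthenticator",
    "state": "disabled",
    "isSoftwareOathEnabled": True,
}


def evaluate_chk_1161(cfg: dict) -> dict:
    """Return {'status': 'pass'|'fail'|'not_applicable', 'reasons': [...]}.

    `cfg` is the decoded JSON of the MicrosoftAuthenticator configuration.
    """
    if cfg.get("id") != "MicrosoftAuthenticator":
        raise ValueError("expected the MicrosoftAuthenticator configuration, got %r" % cfg.get("id"))

    # If the method itself is disabled there is nothing to enforce here;
    # a different check should flag a tenant with no Authenticator at all.
    if cfg.get("state") != "enabled":
        return {"status": "not_applicable",
                "reasons": ["Microsoft Authenticator method is not enabled"]}

    # Conservative default: an absent property is treated as OTP allowed,
    # so a truncated or unexpected payload surfaces as a failure, not a pass.
    otp_allowed = bool(cfg.get("isSoftwareOathEnabled", True))
    reasons = []
    if otp_allowed:
        reasons.append("Allow use of Microsoft Authenticator OTP is Yes "
                       "(isSoftwareOathEnabled=true); push notifications are not enforced")
    return {"status": "fail" if reasons else "pass", "reasons": reasons}


def remediation_patch() -> dict:
    """Body for a PATCH to the same Graph endpoint; equivalent to setting the
    portal option 'Allow use of Microsoft Authenticator OTP' to No."""
    return {"@odata.type": GRAPH_ODATA_TYPE, "isSoftwareOathEnabled": False}


def apply_patch(cfg: dict, patch: dict) -> dict:
    """Simulate the server-side merge of a PATCH so the remediated state can be
    re-evaluated offline. Annotation keys (@odata.*) are not stored properties."""
    merged = dict(cfg)
    merged.update({k: v for k, v in patch.items() if not k.startswith("@")})
    return merged


if __name__ == "__main__":
    print("before:", evaluate_chk_1161(SAMPLE_NONCOMPLIANT))
    print("after: ", evaluate_chk_1161(apply_patch(SAMPLE_NONCOMPLIANT, remediation_patch())))
    print("method disabled:", evaluate_chk_1161(SAMPLE_METHOD_DISABLED))
```

Feeding the live Graph response into evaluate_chk_1161 gives the same verdict the manual steps would reveal in the portal, and re-running it on the merged result of remediation_patch confirms the fix before it is pushed to the tenant.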
Impact
Enforcing push notifications for MFA in Microsoft Authenticator enhances user security by providing additional information about sign-in attempts and enabling users to report phishing attacks.