Microsoft Technical Bulletins

The latest updates for all the Microsoft Products you use every day.


Written by Q


Categories: Identity Service

January 31, 2023


Authenticator number matching to be enabled for all Microsoft Authenticator users

Identity Service, Microsoft 365 Experts

From Microsoft Corporation
Technical Bulletin MC468492 · Published Nov 18, 2022

Message Summary

Microsoft Authenticator App’s number matching is Generally Available! Microsoft will start enabling this critical security feature for all users of the Microsoft Authenticator app.

When this will happen:

Beginning February 27, 2023

How this affects your organization:

To prevent accidental approvals, admins can require users to enter a number displayed on the sign-in screen when approving an MFA request in the Microsoft Authenticator app. This feature is critical to protecting against MFA fatigue attacks which are on the rise.

Another way to reduce accidental approvals is to show users additional context in Authenticator notifications. Admins can now selectively choose to enable the following:

  • Application context: Show users which application they are signing into.
  • Geographic location context: Show users their sign-in location based on the IP address of the device they are signing into.

Authenticator number matching

Number match behavior in different scenarios after 27-February 2023:

  1. Authentication flows will require users to do number match when using the Microsoft Authenticator app. If the user is using a version of the Authenticator app that doesn’t support number match, their authentication will fail. Please make sure to upgrade to the latest version of Microsoft Authenticator (App Store and Google Play Store) to use it for sign-in.
  2. Self Service Password Reset (SSPR) and combined registration flows will also require number match when users are using the Microsoft Authenticator app.
  3. ADFS adapter will require number matching on versions of Windows Server that support number matching. On earlier versions, users will continue to see the “Approve/Deny” experience and won’t see number matching till you upgrade.
    • Windows Server 2022 October 26, 2021—KB5006745 (OS Build 20348.320)
    • Windows Server 2019 October 19, 2021—KB5006744 (OS Build 17763.2268)
    • Windows Server 2016 October 12, 2021—KB5006669 (OS Build 14393.4704)
  4. NPS extension versions beginning 1.2.2131.2 will require users to do number matching after 27-February 2023. Because the NPS extension can’t show a number, the user will be asked to enter a One-Time Passcode (OTP). The user must have an OTP authentication method (e.g. Microsoft Authenticator app, software tokens etc.) registered to see this behavior. If the user doesn’t have an OTP method registered, they’ll continue to get the Approve/Deny experience. You can create a registry key that overrides this behavior and prompts users with Approve/Deny. More information can be found in the number matching documentation. 
  5. Apple Watch – Apple Watch will remain unsupported for number matching. We recommend you uninstall the Microsoft Authenticator Apple Watch app because you have to approve notifications on your phone.

What you can do to prepare:

We highly recommend that you leverage the rollout controls (via Azure Portal Admin UX and MSGraph APIs) to smoothly deploy these features (number match and additional context) for users of the Microsoft Authenticator app.
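As an added example (not part of Microsoft's bulletin or QuixTec's page), the following Python check classifies how far number match and the two context features are rolled out, given the Microsoft Authenticator method configuration as Microsoft Graph returns it. The sample policy and the exclusion group id are constructed, and treating the all-zero GUID as "nobody excluded" is an assumption.

```python
# Added example: audit Microsoft Authenticator feature rollout from the Graph
# resource microsoftAuthenticatorAuthenticationMethodConfiguration.
FEATURES = {
    "numberMatchingRequiredState": "number match",
    "displayAppInformationRequiredState": "application context",
    "displayLocationInformationRequiredState": "location context",
}
# Assumption: the all-zero GUID in excludeTarget means "nobody excluded".
NO_GROUP = "00000000-0000-0000-0000-000000000000"
NOT_ENABLED = {"default": "microsoft-managed", "disabled": "disabled"}

def audit_authenticator_policy(policy):
    """Map each feature to 'all-users', 'partial', 'microsoft-managed',
    'disabled', 'unknown' or 'missing'."""
    settings = policy.get("featureSettings") or {}
    result = {}
    for key, label in FEATURES.items():
        cfg = settings.get(key)
        if not cfg:
            result[label] = "missing"
            continue
        state = cfg.get("state", "default")
        include = (cfg.get("includeTarget") or {}).get("id")
        exclude = (cfg.get("excludeTarget") or {}).get("id") or NO_GROUP
        if state != "enabled":
            result[label] = NOT_ENABLED.get(state, "unknown")
        elif include == "all_users" and exclude == NO_GROUP:
            result[label] = "all-users"
        else:  # enabled, but scoped to a group or carrying an exclusion group
            result[label] = "partial"
    return result

def target(group_id):
    return {"targetType": "group", "id": group_id}

# Constructed sample policy; the exclusion group id is made up.
SAMPLE_POLICY = {"id": "MicrosoftAuthenticator", "state": "enabled", "featureSettings": {
    "numberMatchingRequiredState": {"state": "enabled",
        "includeTarget": target("all_users"),
        "excludeTarget": target("11111111-2222-3333-4444-555555555555")},
    "displayAppInformationRequiredState": {"state": "default",
        "includeTarget": target("all_users"), "excludeTarget": target(NO_GROUP)},
    "displayLocationInformationRequiredState": {"state": "disabled",
        "includeTarget": target("all_users"), "excludeTarget": target(NO_GROUP)},
}}

if __name__ == "__main__":
    print(audit_authenticator_policy(SAMPLE_POLICY))
```

A "partial" result for number match is the one to chase: it means some users can still approve a push without entering the number.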

Learn more at: 

Additional information

Blog

TECHNICAL BULLETIN END

QuixTec provides this and other technical bulletins unaltered from Microsoft. As an authorized Microsoft Partner, we ensure that all the solutions we deliver to you include the latest Microsoft updates.
