Microsoft Authenticator is getting a new update that makes it easier for organizations to manage the service and roll it out across their business.
New features coming to the tool include the ability for admins to require number matching and to show additional context in approval requests, both of which make accidental approvals less likely. These features are now arriving in public preview.
Elsewhere, Microsoft Authenticator now allows admins to create GPS-based named locations for Conditional Access policies. Lastly, the service now gives admins the ability to nudge users to set up Authenticator through a Registration Campaign feature. Both of these additions are now generally available.
Microsoft launched its Authenticator app back in 2016. The service provides native two-factor authentication on devices when accessing a Microsoft Account. Since the launch, numerous features have been added, including phone sign-in, fingerprint support, password-free login, and Apple Watch support.
“Number matching in Microsoft Authenticator MFA experience (Public Preview)
To increase security and reduce accidental approvals, admins can require users to enter the number displayed on the sign-in screen when approving an MFA request in Authenticator.
To learn how to enable number matching, click here.
Additional context in Microsoft Authenticator approval requests (Public Preview)
Another way to reduce accidental approvals is to show users additional context in Authenticator notifications. This feature will show users which application they are signing into and their sign-in location based on IP address.
To learn how to enable additional context, click here.
GPS-based Named Locations (Generally Available)
Admins can now use Conditional Access policies to restrict resource access to the boundaries of a specific country by using the GPS signal from the Microsoft Authenticator.
Users with this feature enabled will be prompted to share their GPS location via the Microsoft Authenticator app during sign-in. To ensure the integrity of the GPS location, Microsoft Authenticator will deny authentication if the device is jailbroken or rooted.
To learn more, check out admin documentation, Graph API documentation, and FAQ page.
Microsoft Authenticator Registration Campaign (Generally Available)
Using the Microsoft Authenticator Registration Campaign, you can now nudge users to set up Authenticator and move away from less secure telephony methods. The feature targets users who are enabled for Microsoft Authenticator but have not set it up. Users are prompted to set up Authenticator after completing an MFA sign-in, and after the set-up experience their default authentication method is changed to the Microsoft Authenticator app.
To learn how to enable a Registration Campaign, click here.”