
How to improve Microsoft Entra MFA security

Strong sign-in protection is necessary to protect your organization against MFA fatigue. To secure MFA sign-ins for the tenant, enable three Microsoft Authenticator features: number matching, application name, and geographic location. In this article, you will learn how to increase and improve Microsoft Entra MFA security in your Microsoft 365 tenant.

Configure MFA in Microsoft Entra

Before you start, you need to configure MFA in Microsoft Entra with a Conditional Access policy. Otherwise, users will not have MFA security enabled correctly, and the MFA security configuration below will not work.

Note: Configure Microsoft Entra Multi-Factor Authentication for all users and exclude service accounts. It requires having Microsoft Entra ID P1 or Microsoft Entra ID P2.

Microsoft Entra MFA Security best practices

Enable the following three options in Microsoft Entra to increase and improve your Microsoft Entra MFA security:

  1. Require number matching for push notifications
    The user gets a notification and has to enter the number displayed on the sign-in screen in the Microsoft Authenticator app.
  2. Show application name in push and passwordless notifications
    When the user receives a passwordless phone sign-in or MFA push notification in Microsoft Authenticator, they see the name of the application that requests approval.
  3. Show geographic location in push and passwordless notifications
    When the user receives a passwordless phone sign-in or MFA push notification in Microsoft Authenticator, they see a map with the geographic location from where the sign-in is made.

Let’s see how to enable these three features in the next step.

Note: Microsoft will enforce MFA number matching by default for all Microsoft Authenticator users after May 8, 2023.

Enable Microsoft Authenticator for all users

To enable Microsoft Authenticator in the Microsoft Entra admin center, follow the steps below:

  1. Sign in to Microsoft Entra admin center
  2. Expand Protection > Authentication methods
  3. Click Policies
  4. Click Microsoft Authenticator
  5. Click the tab Enable and Target
  6. Enable > On
  7. Click the tab Include
  8. Select All users
  9. Authentication mode > Any
  10. Click the tab Configure
  11. Allow use of Microsoft Authenticator OTP > Yes

Note: Number Matching is enabled for all users of the Microsoft Authenticator app starting 27th of February 2023.

  12. Go to each one of the features:
      • Show application name in push and passwordless notifications
      • Show geographic location in push and passwordless notifications
      • Microsoft Authenticator on companion applications

      Change the below settings for all three features:

      • Status > Enabled
      • Target: Include > All users
  13. Click Save
  14. The policy was successfully saved notification appears, and the Microsoft Authenticator method shows the target (all users) and status (enabled)

It’s always essential to test the configuration once it’s active. Let’s look into that in the next step.

Check Microsoft Entra MFA security configuration

To ensure you enabled all three Microsoft Authenticator features correctly, follow the steps below:

  1. Sign in to Microsoft Office
  2. Type your user account and password
  3. Click Sign in

Note: The account needs to be MFA enabled, and the Authenticator app needs to be installed on the mobile device.

  4. A random number will display, which you need to enter in the Authenticator app
  5. Enter the number in the Authenticator app
  6. Tap on Yes
  7. You successfully signed in to your Microsoft 365 account with Microsoft Entra MFA security protection enabled

That’s it!
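The settings from the steps above can also be checked without the portal. The following is an added example, not part of the original article: it audits a JSON export of the Microsoft Authenticator authentication method configuration for the status, target, and authentication mode values described above. It assumes the export follows the Microsoft Graph `microsoftAuthenticatorAuthenticationMethodConfiguration` shape; the feature key names, the `all_users` and all-zero target ids, and both sample policies are assumptions or constructed values, so confirm them against your own tenant's export.

```python
# Added example: audit an exported Microsoft Authenticator method configuration.
# Key names are assumed from the Microsoft Graph resource of the same method.
REQUIRED_FEATURES = {
    "displayAppInformationRequiredState": "Show application name",
    "displayLocationInformationRequiredState": "Show geographic location",
    "companionAppAllowedState": "Authenticator on companion applications",
}
ALL_USERS = "all_users"  # assumed Graph id for the "All users" target
NO_EXCLUSION = "00000000-0000-0000-0000-000000000000"  # assumed "nobody excluded" id

def audit_authenticator_policy(policy):
    """Return findings; an empty list means the export matches the article's settings."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append("Microsoft Authenticator method is not enabled")
    all_users = [t for t in policy.get("includeTargets") or [] if t.get("id") == ALL_USERS]
    if not all_users:
        findings.append("method does not include All users")
    elif all_users[0].get("authenticationMode") != "any":
        findings.append("authentication mode for All users is not 'any'")
    features = policy.get("featureSettings") or {}
    for key, label in REQUIRED_FEATURES.items():
        cfg = features.get(key) or {}
        if cfg.get("state") != "enabled":
            findings.append(f"{label}: status is {cfg.get('state', 'missing')!r}")
        if (cfg.get("includeTarget") or {}).get("id") != ALL_USERS:
            findings.append(f"{label}: not targeted at All users")
        excluded = (cfg.get("excludeTarget") or {}).get("id", NO_EXCLUSION)
        if excluded != NO_EXCLUSION:
            findings.append(f"{label}: group {excluded} is excluded")
    return findings

def _feature(state, include=ALL_USERS, exclude=NO_EXCLUSION):
    return {"state": state, "includeTarget": {"targetType": "group", "id": include},
            "excludeTarget": {"targetType": "group", "id": exclude}}

def _policy(mode, app, location, companion):
    return {"state": "enabled",
            "includeTargets": [{"targetType": "group", "id": ALL_USERS, "authenticationMode": mode}],
            "featureSettings": {"displayAppInformationRequiredState": app,
                                "displayLocationInformationRequiredState": location,
                                "companionAppAllowedState": companion}}

# Constructed sample exports (not from a real tenant).
GOOD = _policy("any", _feature("enabled"), _feature("enabled"), _feature("enabled"))
WEAK = _policy("push", _feature("enabled"), _feature("default"),
               _feature("enabled", exclude="11111111-1111-1111-1111-111111111111"))
for name, sample in (("GOOD", GOOD), ("WEAK", WEAK)):
    print(name, audit_authenticator_policy(sample) or "OK")
```

A feature left at `default` is reported as a finding because the steps above set Status > Enabled explicitly rather than relying on the Microsoft-managed value.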


Conclusion

You learned how to increase and improve Microsoft Entra MFA security. We recommend enabling number matching, application name, and geographic location to protect your organization.


o365info Team

This article was written by our team of experienced IT architects, consultants, and engineers.
