
Increase and improve Azure MFA security

Push-based MFA can be worn down by MFA fatigue (also called push bombing): an attacker who already holds a user's password triggers sign-in after sign-in until the user approves a prompt just to make the notifications stop. That's why you need to increase and improve Azure MFA security for the tenant. To secure your MFA sign-ins, enable number matching, application name, and geographic location in the Microsoft Authenticator policy: the user can then no longer approve a prompt blindly and can see which application is asking and from where. In this article, you will learn the Microsoft 365 MFA security best practices to secure your Microsoft 365 tenant.

Configure MFA in Azure or Microsoft 365

Before you start, you need to configure MFA in Azure or Microsoft 365. Otherwise, users will not have MFA enabled correctly, and the MFA security configuration below will not take effect for them.

Go through one of the below articles to enable MFA:

  1. Configure Azure AD MFA
  2. Configure per-user MFA in Microsoft 365

We suggest you use method 1 and configure Azure AD Multi-Factor Authentication, but it requires an Azure AD Premium P1 or P2 license.

Note: You can enable MFA for a single user or for all users with both methods. We recommend enabling MFA for all users and excluding only accounts that cannot complete an interactive prompt, such as service accounts. Keep that exclusion list as short as possible and review it regularly, because an account without MFA is where an attacker who obtains a password will go first.

Azure MFA Security best practices

Enable the following three options in Azure AD to increase and improve your Azure MFA security:

  1. Require number matching for push notifications
    The sign-in page shows a two-digit number, and the user must type that number into the Microsoft Authenticator app to approve. A user who did not start the sign-in never sees the number, so an unsolicited prompt cannot be approved with a single tap.
  2. Show application name in push and passwordless notifications
    When the user receives a passwordless phone sign-in or MFA push notification in Microsoft Authenticator, the notification shows the name of the application that is requesting approval.
  3. Show geographic location in push and passwordless notifications
    When the user receives a passwordless phone sign-in or MFA push notification in Microsoft Authenticator, the notification shows a map of the approximate location the sign-in came from. The location is derived from the sign-in IP address, so a user on a VPN or corporate proxy may see the exit point rather than their own city.

Let’s see how to enable these three features in the next step.

Note: Microsoft announced that it would enforce number matching by default for all Microsoft Authenticator push notifications after February 27, 2023; the enforcement date was later moved to May 8, 2023. Enabling it yourself ahead of enforcement lets you test the user experience and inform users on your own schedule.

Enable Azure MFA security options

To enable the options in Azure AD, follow the below steps:

  1. Sign in to the Microsoft Azure Portal
  2. Expand the menu and click on Azure Active Directory
  3. Scroll down and click on Security
  4. Click on Authentication methods
  5. Click on Policies
  6. Click on Microsoft Authenticator
  7. On the Enable and Target tab, set:
    • Enable > On
    • Target: Include > All users
    • Authentication mode > Any

Note: Do not click Save yet. Saving returns you to the Policies list, and you would have to reopen Microsoft Authenticator to reach the Configure tab. Authentication mode Any allows both the MFA push notification and passwordless phone sign-in; choose Push if you only want the MFA push for now.

  8. Click on the Configure tab
  9. For each of the three features:
    • Require number matching for push notifications
    • Show application name in push and passwordless notifications
    • Show geographic location in push and passwordless notifications

    change the settings to:
    • Status > Enabled
    • Target: Include > All users
  10. Click Save
  11. The "policy was successfully saved" notification appears, and the Microsoft Authenticator method shows the target (All users) and status (Enabled)
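The same policy can be set and read back with Microsoft Graph, which is the route to take when you manage several tenants or want the setting enforced from code rather than clicked in the portal. The script below is an added example, not the article's own or Microsoft's code. It uses the Microsoft.Graph.Authentication PowerShell module (Connect-MgGraph and Invoke-MgGraphRequest) against the beta endpoint of the authenticationMethodsPolicy, because numberMatchingRequiredState is only exposed there; displayAppInformationRequiredState and displayLocationInformationRequiredState are the Graph names for the application-name and geographic-location features, and the all-zero GUID exclude target is how the portal writes "no exclusions". The function names are my own. Test-AuthenticatorHardening reads the policy back and reports each of the three features, which is the programmatic counterpart of the sign-in test described further down.

```powershell
# Added example: configure and verify the Microsoft Authenticator method
# policy with Microsoft Graph PowerShell. Not part of the original article.
# Requires: Install-Module Microsoft.Graph.Authentication, and an admin who
# can consent to Policy.ReadWrite.AuthenticationMethod.
# Assumption: the beta endpoint, because numberMatchingRequiredState is only
# exposed there (after Microsoft's enforcement the value is ignored anyway).

$PolicyUri = "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator"

function Connect-AuthMethodPolicy {
    Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"
}

function Get-AuthenticatorPolicy {
    # Invoke-MgGraphRequest returns a hashtable; nested objects are hashtables too.
    Invoke-MgGraphRequest -Method GET -Uri $PolicyUri
}

# The target the portal writes when you choose "Include > All users".
function New-AllUsersTarget {
    @{ targetType = "group"; id = "all_users" }
}

# One feature setting block: enabled, for all users, with no exclusions.
# The all-zero GUID is the placeholder Graph uses for "nobody excluded".
function New-EnabledFeatureSetting {
    @{
        state         = "enabled"
        includeTarget = New-AllUsersTarget
        excludeTarget = @{ targetType = "group"; id = "00000000-0000-0000-0000-000000000000" }
    }
}

function Set-AuthenticatorHardening {
    $body = @{
        "@odata.type"  = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration"
        state          = "enabled"                      # Enable > On
        includeTargets = @(
            @{
                targetType             = "group"
                id                     = "all_users"     # Target: Include > All users
                isRegistrationRequired = $false
                authenticationMode     = "any"           # Authentication mode > Any
            }
        )
        featureSettings = @{
            numberMatchingRequiredState             = New-EnabledFeatureSetting  # number matching
            displayAppInformationRequiredState      = New-EnabledFeatureSetting  # application name
            displayLocationInformationRequiredState = New-EnabledFeatureSetting  # geographic location
        }
    }
    Invoke-MgGraphRequest -Method PATCH -Uri $PolicyUri `
        -Body ($body | ConvertTo-Json -Depth 10) -ContentType "application/json"
}

# Read the policy back and report each setting the article asks for.
# Run this after Set-AuthenticatorHardening, and again from a scheduled job
# so an accidental change in the portal shows up.
function Test-AuthenticatorHardening {
    $policy   = Get-AuthenticatorPolicy
    $features = $policy.featureSettings
    [pscustomobject]@{
        MethodEnabled      = ($policy.state -eq "enabled")
        AllUsersTargeted   = [bool]($policy.includeTargets | Where-Object { $_.id -eq "all_users" })
        NumberMatching     = ($features.numberMatchingRequiredState.state -eq "enabled")
        ApplicationName    = ($features.displayAppInformationRequiredState.state -eq "enabled")
        GeographicLocation = ($features.displayLocationInformationRequiredState.state -eq "enabled")
    }
}

# Usage:
#   Connect-AuthMethodPolicy
#   Set-AuthenticatorHardening
#   Test-AuthenticatorHardening   # every property should be True
```

If any property in the output is False after the PATCH, re-read the policy in the portal before retrying: a tenant that has excluded groups on one of the features will show the group GUID in excludeTarget, and overwriting it with the all-zero placeholder silently removes that exclusion.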

It’s always essential to test the configuration once it’s active. Let’s look into that in the next step.

Test Azure MFA security configuration

To ensure you enabled all three Microsoft Authenticator features correctly, test with a user account that is MFA enabled and has the Authenticator app installed on a mobile device:

  1. Sign in to Microsoft Office
  2. Type your user account and password
  3. Click Sign in
  4. A two-digit number is displayed on the sign-in page. The push notification in the Authenticator app shows the name of the requesting application and a map of the approximate sign-in location
  5. Enter the number in the Authenticator app
  6. Tap Yes
  7. You are now signed in to your Microsoft 365 account with Azure MFA security protection enabled

If a user receives a prompt for a sign-in they did not start, the right response is to tap No and report it, because an unsolicited prompt means someone else has their password.

That’s it!


Conclusion

You learned how to increase and improve Azure AD MFA security. We recommend enabling number matching, application name, and geographic location to protect your organization against MFA fatigue and other attacks that rely on a user approving a prompt they did not start.

The o365info Team


This article was written by our team of experienced IT architects, consultants, and engineers.
