How to Enhance Microsoft 365 Tenant’s MFA Effectiveness?

Bob Maria | Updated On - 27 Aug 2022

Read time: 5 minutes

Multi-factor authentication (MFA) is one of the most important cloud and data security innovations. It adds a security layer on top of the existing sign-in infrastructure, helping protect your information against a wide range of attacks. Many cloud providers, including Google, Yahoo, and Microsoft, already offer it in most of their applications.

Last year, Microsoft released two new features that make MFA for Azure AD accounts work better and faster. These features offer enhanced security, protect data against loopholes and attacks, and help resolve problems such as Office 365 messages stuck in Outlook. But can you improve the existing MFA for your Microsoft 365 tenant?

With 30 minutes of work, any administrator can quickly improve user security using these two features: Number Matching and Additional Context.

  • Number Matching
    During the MFA challenge, the sign-in screen shows a number that you must enter into the Authenticator app to approve the request, so a request cannot be approved without seeing the sign-in screen. This mechanism is also used for password-less authentication.
  • Additional Context
    With this feature, the Authenticator app displays extra information when it asks you to approve an authentication request. Two pieces of information appear on the screen: the authentication request itself and the sign-in location, derived from the device’s IP address.

    The accuracy of the IP-based location varies, but it gives assurance that the sign-in attempt is not coming from somewhere impossible. For example, if you want to add a shared mailbox in Outlook, MFA ensures that no unauthorized user can access it. Additional context combines the sign-in location with number matching to give users enough information to understand the complete authentication context.

How to Update Additional Context and Number Matching via Azure AD Admin Center?

In Azure AD settings, you can easily enable additional context and number matching for Authenticator. To do so, follow the below steps:

  1. Go to the Authentication methods blade in the Azure AD settings.
  2. Select Microsoft Authenticator from the list, and click the “…” option under Target to reveal the Configure fly-out.
  3. Set both parameters, number matching and Show additional context in notifications, to Enabled.

Both features are labeled Preview, which means general availability is expected in the near future.

How to Update the Authenticator Configuration with the Graph Explorer?

Graph Explorer is an alternative to the Azure AD admin center for configuring the two features. However, this method is a little more complicated than the Azure AD settings.

The Graph API underpins many parts of Microsoft 365 and lets you run a wide range of queries. Even if you have no experience with the Graph API, you can run queries in Graph Explorer to understand how they work and what they return.

To use Graph Explorer, follow the below steps:

  1. Open Graph Explorer and sign in with a tenant administrator account.
  2. Choose the beta endpoint, paste the query below into the query box, and click Run query.
     https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator
  3. The first run may return an error because Graph Explorer does not yet have the permission needed to access the Authenticator configuration.
  4. Click Modify permissions, follow the Open the permissions panel link, and select Policy.ReadWrite.AuthenticationMethod from the set of Graph permissions.
  5. Click Consent; the usual permissions-requested dialog appears.
  6. Accept the consent request and return to Graph Explorer.
  7. Run the query again. With the permission granted, the current configuration appears in the response box.
  8. Copy the JSON-formatted output and paste it into the request body.
  9. Change the value of the Number Matching Required State and Display App Information Required State properties to enabled. Note: do not change the formatting or structure of the rest of the request body.
  10. By default, Graph Explorer runs GET queries, which only return information. To update the setting, select PATCH from the query type drop-down list.
  11. Click Run query to make the change and see the response.
  12. Validate the result by changing the query type back to GET and running the query again to see the current configuration.

How to Limit Features to a Specific Group?

The methods above enable number matching for all users. You can instead limit the feature to a specific group or set of individuals to enhance MFA in stages. To do that, change the Id property from “all_users” to the object identifier of an Azure AD group.
You can find the group identifier in the Azure AD admin center, in the group’s properties.
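The Graph Explorer steps above and the group scoping just described can be prepared and checked in code rather than by hand-editing JSON. The following Python is added here and is not part of the original article: it takes a constructed, trimmed copy of the GET response (property names follow the Graph beta schema behind the query above; check them against your own tenant’s response), builds the PATCH body with both features enabled, optionally scopes them to a group object ID, and audits a configuration the way the final GET check does. It does not call the API itself.

```python
import copy
import json

# Constructed sample of the GET response from step 7, trimmed to the relevant
# properties (Graph beta schema; verify against the response your tenant returns).
SAMPLE_GET_RESPONSE = {
    "id": "MicrosoftAuthenticator",
    "state": "enabled",
    "featureSettings": {
        "numberMatchingRequiredState": {
            "state": "default",
            "includeTarget": {"targetType": "group", "id": "all_users"},
        },
        "displayAppInformationRequiredState": {
            "state": "default",
            "includeTarget": {"targetType": "group", "id": "all_users"},
        },
    },
}

FEATURES = ("numberMatchingRequiredState", "displayAppInformationRequiredState")

def build_patch_body(current, group_id=None):
    """Build the PATCH body: the GET response left intact except that both
    features are set to enabled and, if group_id is given, scoped to that group."""
    body = copy.deepcopy(current)  # never mutate the captured response
    for name in FEATURES:
        feature = body["featureSettings"][name]
        feature["state"] = "enabled"
        if group_id is not None:
            feature["includeTarget"] = {"targetType": "group", "id": group_id}
    return body

def audit(config):
    """Validation for the final GET: report every feature that is not enabled,
    or that is enabled only for a subset of users."""
    findings = []
    for name in FEATURES:
        feature = config["featureSettings"][name]
        if feature["state"] != "enabled":
            findings.append(f"{name}: state is '{feature['state']}', expected 'enabled'")
        elif feature["includeTarget"]["id"] != "all_users":
            findings.append(f"{name}: limited to group {feature['includeTarget']['id']}")
    return findings

if __name__ == "__main__":
    print("Before:", audit(SAMPLE_GET_RESPONSE))
    print(json.dumps(build_patch_body(SAMPLE_GET_RESPONSE), indent=2))
```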

Backup Microsoft 365 Data for Better Security

If you find the above methods for enhancing MFA in Microsoft 365 complicated, you can also back up all of your data to your local system. However, backing up everything manually is time-consuming and lengthy. The best solution is an automated tool like Kernel Office 365 Backup, which lets you back up all of your data quickly with a simple approach.

It is specifically designed to back up the entire Office 365/Microsoft 365 mailbox data in various formats, including PST, MSG, EML, etc. It provides two options – Basic Authentication and Modern Authentication – which ensure a safe and hassle-free Office login in all situations. Modern Authentication uses two-factor or multi-factor authentication and assures the complete security of Office 365 data. The tool is equipped with advanced filters that let users back up specific data based on parameters such as date, to, from, type, etc. A trial version is available to help users understand the tool’s functionality.


Final Words

Microsoft is continuously improving the security of Office 365 data with enhanced multi-factor authentication through the Authenticator app. It is still puzzling, however, that most Microsoft tenants don’t use MFA to protect their users. There is no doubt that MFA provides additional security and helps users secure their Microsoft 365 data. This article has shown how you can enhance MFA with the number matching and additional context features.