How to Enhance Microsoft 365 Tenant’s MFA Effectiveness?

Read time: 5 minutes

Storing data in Office 365 may seem secure, but the looming threats of malware infiltration and deliberate data deletion by users underscore the necessity of data backup. This article highlights typical scenarios that can result in Office 365 data loss, underscoring the critical role of data backup in enhancing security.

In the past year, Microsoft introduced two innovative features aimed at enhancing the performance and security of MFA for Azure AD accounts. These additions not only bolster security measures but also safeguard data against vulnerabilities and attacks, making them instrumental in addressing issues like Office 365 messages stuck in Outlook and similar challenges.

What’s new with MFA?

With a few minutes, any administrator can quickly improve user security using these new features- Number Matching and Additional Context in Multi-factor Authentication.

• Number Matching
  This mechanism is used for password-less authentication. It is the process of double identification. It allows users to enter the exact number from the sign-in screen to the application; only then the authentication will be approved.
• Additional Context
  This feature means the Authenticator app will display extra information while requesting an authentication. At this point, two pieces of information will appear on the screen, including the authentication request and their sign-in location depending on the device’s IP address.

  The device IP address accuracy depends on various factors, but it’s good to have the assurance that the sign-in effort is not from somewhere impossible. For example, if you want to add a shared mailbox in outlook, then the MFA will make sure that no unauthorized user can access it. Additional context combines the sign-in with number matching to give users enough information to understand a complete authentication context.

How to Update Additional Context and Number Matching via Azure AD Admin Center?

In Azure AD settings, you can easily enable additional context and number matching for Authenticator. To do so, follow the below steps:

1. Go to the Authenticator methods blade in the settings.
2. Select Microsoft Authenticator from the menu, and click the “…” option right under Target to reveal the Configure fly-out.
3. Set the value of both the parameters to Show additional context in notifications and Enabled.

Both features will be labeled Preview, and they’ll be available shortly.

Graph Explorer is an alternative option to Azure AD to configure the two features. However, this method is a little more complicated than Azure AD settings.

The Graph API allows you to run multiple queries while underpinning many parts of Microsoft 365. Even if you don’t have Graph API experience, you can still run commands via Graph Explorer to understand how queries work and what they return.

To use Graph Explorer, follow the below steps:

1. 1. Open Graph Explorer on your system and sign in with a tenant administrator account.
   2. Now, add the below query into the command box while choosing the beta endpoint, and click Run.

https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator

1. 1. After running this command, you might get an error because Graph Explorer doesn’t have permission to access the Authenticator configuration.
   2. Click Modify Permissions and select Open the permissions panel link to choose Policy.ReadWrite.AutheticationMethod from the set of Graph permissions.
   3. Click Consent, and you’ll find the normal permissions requested dialog to grant the request.
   4. After that, accept the consent request and return to the Graph Explorer.
   5. Now, rerun the query again with the Graph Explorer having the necessary permission. Furthermore, you’ll find the current configuration in the response box.
   6. Copy the JSON-formatted output and paste that text into the request body.
   7. Now, modify the Number Matching Required State value and Display App Information Required State properties to enable.

Note: Make sure you don’t change the formatting or structure of the request body.

1. 1. The Graph Explorer will start running queries by default to return information if you want to update the setting, select PATCH from the drop-down query type list.
   2. Click Run query to make the change to see the response.

After that, you can validate the configuration settings by changing the query type to GET and un the query to see the current configuration.

Anyone can use the above methods to enable number matching. But, you can limit this feature to a specific group or individuals to enhance MFA. To do that, you need to change the Id property from “all_users” to the object identifier of an Azure AD group.
To find the group identifier, you can check the Azure AD admin center and copy the identifier from the group properties.

If you’re finding the methods mentioned above for improving MFA in Microsoft 365 too complex, an alternative is to back up your data and store it locally. However, manually backing up the entire dataset can be time-consuming and laborious. Therefore, opting for an automated solution like Kernel Export Office 365 to PST is recommended. This tool streamlines the backup process, making it quick and straightforward.

It is designed to help you backup Office 365 mailbox data to PST and different formats. It provides two options – Basic Authentication & Modern Authentication – which ensure safe and hassle-free Office login in all situations. Modern Authentication uses 2-factor or multi-factor Authentication and assures the complete security of Office 365 data. The tool is equipped with advanced filters that enable users to backup specific data based on various parameters like date, to, from, type, etc. The tool is available as a trial version for users to help them understand the tool’s functionality.

Final Words

Microsoft is consistently bolstering Office 365 data security through advanced multi-factor authentication (MFA) with an Authentication app. Nevertheless, it remains puzzling why many Microsoft tenants refrain from utilizing MFA to safeguard users. Undoubtedly, MFA offers added security and empowers users to secure Microsoft 365 data. This article sheds light on elevating MFA through number matching and supplementary contextual features.