
Modernizing Authentication Management


Posted by Guest Alex Weinert

We’re thrilled to announce two key updates to how you manage your authentication experiences: the General Availability of Converged Authentication Methods and the Public Preview of a modernized version of multifactor authentication (MFA) Fraud Alert.

The General Availability of Converged Authentication Methods allows all methods used for authentication and password reset to be managed centrally and with more control, including the ability to target specific groups of users.

The Public Preview of modern MFA Fraud Alert brings the configuration into the authentication methods policy and integrates this user-reported signal of suspicious MFA prompts with Identity Protection.

Converged Authentication Methods

Historically, methods had to be managed separately for MFA and self-service password reset. Now, they can both be managed in one policy alongside passwordless methods like FIDO2 security keys and certificate-based authentication. Newly added methods include SMS, Voice Calls, Third-party Software OATH, and Email OTP.

Methods can now be managed more granularly, with the option to enable them for specific groups of users instead of all users and the ability to exclude groups of users from being targeted. This means you can, for example, trial methods with pilot groups and limit lower-security methods like SMS and Voice to smaller groups of users.

We’ve also added a migration control to help you migrate methods from the legacy MFA and self-service password reset policies to the authentication methods policy. The control lets you move and test methods individually, before having to disable methods in the legacy policies.

Later in 2024 we’ll be deprecating the ability to manage authentication methods in the legacy policies. As you migrate, we recommend stepping up your security posture by moving away from SMS and Voice and enabling more secure methods like Microsoft Authenticator and FIDO2 security keys, if you haven’t already.

Learn more about managing authentication methods and migrating to the authentication methods policy, and migrate ASAP!

Report Suspicious Activity

Azure Active Directory (Azure AD) has long had the MFA Fraud Alert feature, which let users report suspicious MFA prompts they received in the Microsoft Authenticator app or by phone. Reporting users could optionally be added to a blocklist, after which they received no further MFA prompts until an admin manually removed them. Administering Fraud Alert and the blocklist required Global Admin privileges.

We’ve modernized Fraud Alert as Report Suspicious Activity, moving the feature’s configuration into the authentication methods policy so it is configured in the same place as other authentication-related settings. We’ve also integrated the alert events with Identity Protection for more comprehensive and configurable action once a user reports a prompt.

You can enable Report Suspicious Activity, and target either all of your users or an initial test group, via the new Settings in the Authentication methods UX or via the authentication methods Microsoft Graph API.
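The two posture points above (keep SMS and Voice scoped to small groups; make sure Report Suspicious Activity is actually enabled) can be checked against the policy document the Graph API returns. The following is an added example, not code from the post or from Microsoft: it audits a constructed sample shaped like the beta `authenticationMethodsPolicy` resource and builds the PATCH body that narrows one method to a pilot group. The field names, the `all_users` target id and the `@odata.type` naming are assumptions about that API; the other group id is made up.

```python
# Constructed sample shaped like the Microsoft Graph beta
# authenticationMethodsPolicy resource. Field names are assumed from that
# API; "all_users" is assumed to be the policy's built-in everyone target and
# the other group id is made up for this example.
SAMPLE_POLICY = {
    "authenticationMethodConfigurations": [
        {"id": "Fido2", "state": "enabled",
         "includeTargets": [{"targetType": "group", "id": "all_users"}], "excludeTargets": []},
        {"id": "Sms", "state": "enabled",
         "includeTargets": [{"targetType": "group", "id": "all_users"}], "excludeTargets": []},
        {"id": "Voice", "state": "enabled",
         "includeTargets": [{"targetType": "group", "id": "0f0e0d0c-0b0a-4f00-9e00-000000000001"}],
         "excludeTargets": []},
        {"id": "Email", "state": "disabled", "includeTargets": [], "excludeTargets": []},
    ],
    "reportSuspiciousActivitySettings": {"state": "default"},
}

# Methods the post recommends limiting to small groups as you migrate.
WEAK_METHODS = {"Sms", "Voice"}


def audit_policy(policy: dict) -> list:
    """Flag weak methods enabled for every user with no exclusions, and
    Report Suspicious Activity not explicitly enabled. One string per finding."""
    findings = []
    for cfg in policy.get("authenticationMethodConfigurations", []):
        if cfg.get("state") != "enabled" or cfg.get("id") not in WEAK_METHODS:
            continue
        all_users = any(t.get("id") == "all_users" for t in cfg.get("includeTargets", []))
        if all_users and not cfg.get("excludeTargets"):
            findings.append(f"{cfg['id']} is enabled for all users with no exclusions")
    rsa = policy.get("reportSuspiciousActivitySettings", {})
    if rsa.get("state") != "enabled":
        findings.append("Report Suspicious Activity is not enabled")
    return findings


def scope_method_body(method_id: str, pilot_group_id: str, exclude_group_id: str = "") -> dict:
    """Build the PATCH body (assumed shape) for
    /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/{method_id}
    that keeps the method enabled only for a pilot group, optionally excluding one group."""
    odata_type = f"#microsoft.graph.{method_id[0].lower() + method_id[1:]}AuthenticationMethodConfiguration"
    body = {
        "@odata.type": odata_type,  # e.g. smsAuthenticationMethodConfiguration (assumed naming)
        "state": "enabled",
        "includeTargets": [{"targetType": "group", "id": pilot_group_id}],
        "excludeTargets": [],
    }
    if exclude_group_id:
        body["excludeTargets"].append({"targetType": "group", "id": exclude_group_id})
    return body
```

Run `audit_policy` over the live policy before flipping methods off in the legacy policies; in the sample it flags SMS targeted at everyone and the still-default Report Suspicious Activity state.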

Once enabled, if a user reports an MFA push notification in the phone app or a voice MFA prompt as suspicious, the user account is marked with High user risk. You can then use risk-based policies for greater control over the specific remediation for these users, whether that is requiring an immediate password change through self-service password reset, requiring MFA for all authentications until the risk is remediated, or blocking authentication until the risk is remediated.

If you don’t have Azure AD Premium P2, you can still use the risk event to disable the account until the risk can be remediated, for functionality similar to the legacy MFA blocklist.

Report Suspicious Activity will function in parallel with the legacy MFA Fraud Alert during preview, so if you have Fraud Alert enabled with automatic blocking, you’ll need to both remediate the risk for users in scope for Report Suspicious Activity and remove them from the MFA blocklist.
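For tenants without P2 that want the blocklist-like behaviour described above, the risk detections can be triaged into account-disable actions. This is an added example, not code from the post or from Microsoft: it runs over a constructed list shaped like Graph `riskDetection` records, keeps only unremediated user-reported detections, collapses repeat reports per user, and emits the `accountEnabled` PATCH an admin would review before sending. The record shape and the `userReportedSuspiciousActivity` event type name are assumptions; the users and timestamps are made up.

```python
from datetime import datetime

# Constructed sample shaped like Graph identityProtection/riskDetections
# records. Field names, riskState values and the
# "userReportedSuspiciousActivity" event type are assumptions about that API.
SAMPLE_DETECTIONS = [
    {"id": "d1", "riskEventType": "userReportedSuspiciousActivity", "riskState": "atRisk",
     "riskLevel": "high", "userId": "u-alice", "userPrincipalName": "alice@contoso.example",
     "detectedDateTime": "2023-05-10T08:15:00Z"},
    {"id": "d2", "riskEventType": "unfamiliarFeatures", "riskState": "atRisk",
     "riskLevel": "medium", "userId": "u-bob", "userPrincipalName": "bob@contoso.example",
     "detectedDateTime": "2023-05-10T09:00:00Z"},
    {"id": "d3", "riskEventType": "userReportedSuspiciousActivity", "riskState": "remediated",
     "riskLevel": "high", "userId": "u-carol", "userPrincipalName": "carol@contoso.example",
     "detectedDateTime": "2023-05-09T12:00:00Z"},
    {"id": "d4", "riskEventType": "userReportedSuspiciousActivity", "riskState": "atRisk",
     "riskLevel": "high", "userId": "u-alice", "userPrincipalName": "alice@contoso.example",
     "detectedDateTime": "2023-05-10T08:20:00Z"},
]

# Risk states that still need action; remediated/dismissed/confirmedSafe do not.
ACTIVE_STATES = {"atRisk", "confirmedCompromised"}


def accounts_to_disable(detections: list) -> list:
    """Return one disable action per user with an unremediated user-reported
    suspicious-activity detection, keeping the earliest report time per user.
    Each action carries the Graph-style path and body for review or sending."""
    earliest = {}
    for d in detections:
        if d.get("riskEventType") != "userReportedSuspiciousActivity":
            continue
        if d.get("riskState") not in ACTIVE_STATES:
            continue
        when = datetime.fromisoformat(d["detectedDateTime"].replace("Z", "+00:00"))
        uid = d["userId"]
        if uid not in earliest or when < earliest[uid][0]:
            earliest[uid] = (when, d["userPrincipalName"])
    actions = []
    for uid, (when, upn) in sorted(earliest.items()):
        actions.append({
            "path": f"/users/{uid}",            # PATCH target (assumed Graph path)
            "body": {"accountEnabled": False},
            "reason": f"{upn} reported a suspicious MFA prompt at {when.isoformat()}",
        })
    return actions
```

Re-enabling the account is the manual half of the flow; during preview that also means removing the same user from the legacy MFA blocklist if automatic blocking is still on.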

Learn more about configuring Report Suspicious Activity and how to use risk-based policies, and try Report Suspicious Activity now.

As always, let us know your feedback.

Best regards,

Alex Weinert (@Alex_T_Weinert)
VP Director of Identity Security, Microsoft