Control: 5.2.3.1 Ensure Microsoft Authenticator is configured to protect against MFA fatigue
Description
Microsoft provides supporting settings to enhance the configuration of the Microsoft Authenticator application. These settings provide users with additional information and context when they receive MFA passwordless and push requests, including the geographic location of the request, the requesting application, and a requirement for number matching.
Ensure the following are Enabled.
- Require number matching for push notifications
- Show application name in push and passwordless notifications
- Show geographic location in push and passwordless notifications
Remediation
To remediate using the UI:
- Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
- Click to expand Protection > Authentication methods and select Policies.
- Select Microsoft Authenticator.
- Under Enable and Target, ensure the setting is set to Enable.
- Select Configure.
- Set the following Microsoft Authenticator settings:
  - Require number matching for push notifications: Status is set to Enabled, Target All users.
  - Show application name in push and passwordless notifications: set to Enabled, Target All users.
  - Show geographic location in push and passwordless notifications: set to Enabled, Target All users.
Note: Valid groups such as break glass accounts can be excluded per organization policy.
Default Value
Microsoft-managed
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v500_5_2_3_1
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v500_5_2_3_1 --share
SQL
This control uses a named query:
with tenant_list as (
  select distinct on (tenant_id)
    tenant_id,
    _ctx
  from
    azuread_user
),
authentication_method_policy as (
  select
    tenant_id,
    count(*) as authentication_method_policy_count
  from
    azuread_authentication_method_policy,
    jsonb_array_elements(authentication_method_configurations) as cfg
  where
    cfg ->> 'id' = 'MicrosoftAuthenticator'
    and cfg ->> 'state' = 'enabled'
    and exists (
      select 1
      from jsonb_array_elements(cfg -> 'includeTargets') as t
      where t ->> 'id' = 'all_users'
    )
    and cfg -> 'featureSettings' -> 'numberMatchingRequiredState' ->> 'state' = 'enabled'
    and cfg -> 'featureSettings' -> 'numberMatchingRequiredState' -> 'includeTarget' ->> 'id' = 'all_users'
    and cfg -> 'featureSettings' -> 'displayAppInformationRequiredState' ->> 'state' = 'enabled'
    and cfg -> 'featureSettings' -> 'displayAppInformationRequiredState' -> 'includeTarget' ->> 'id' = 'all_users'
    and cfg -> 'featureSettings' -> 'displayLocationInformationRequiredState' ->> 'state' = 'enabled'
    and cfg -> 'featureSettings' -> 'displayLocationInformationRequiredState' -> 'includeTarget' ->> 'id' = 'all_users'
  group by
    tenant_id
)
select
  t.tenant_id as resource,
  case
    when authentication_method_policy_count > 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when authentication_method_policy_count > 0 then t.tenant_id || ' has Microsoft Authenticator enabled and configured with number matching, application name display, and location display enforced for all users to protect against MFA fatigue.'
    else t.tenant_id || ' does not have Microsoft Authenticator fully configured with number matching, application name display, and location display for all users to protect against MFA fatigue.'
  end as reason,
  t.tenant_id as tenant_id
from
  tenant_list as t
  left join authentication_method_policy as p on p.tenant_id = t.tenant_id;
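The same conditions the query applies to the Authenticator configuration, applied in Python to the MicrosoftAuthenticator configuration object as Microsoft Graph returns it. This is an added example, not Powerpipe or Turbot code; the sample objects and the group id in them are constructed, and it reports which of the three feature settings falls short instead of a single ok/alarm.

```python
# Added example (not Powerpipe or Turbot code): apply the control's conditions to a
# MicrosoftAuthenticator configuration object. The sample objects are constructed.

FEATURE_LABELS = {
    "numberMatchingRequiredState": "number matching",
    "displayAppInformationRequiredState": "application name display",
    "displayLocationInformationRequiredState": "geographic location display",
}

def mfa_fatigue_findings(cfg):
    """Return the reasons a configuration fails the control (empty list means ok)."""
    if cfg.get("id") != "MicrosoftAuthenticator":
        return ["not a MicrosoftAuthenticator configuration"]
    findings = []
    if cfg.get("state") != "enabled":
        findings.append("Microsoft Authenticator method is not enabled")
    # The method itself must include the built-in all_users target.
    if not any(t.get("id") == "all_users" for t in cfg.get("includeTargets", [])):
        findings.append("Microsoft Authenticator is not targeted at all_users")
    feature_settings = cfg.get("featureSettings") or {}
    for key, label in FEATURE_LABELS.items():
        setting = feature_settings.get(key) or {}
        # Each feature must be enabled AND scoped to all_users; a pilot on one group fails.
        if setting.get("state") != "enabled":
            findings.append(f"{label} is not enabled")
        elif (setting.get("includeTarget") or {}).get("id") != "all_users":
            findings.append(f"{label} is not targeted at all_users")
    return findings

def control_status(cfg):
    """Mirror the control's status column: 'ok' or 'alarm'."""
    return "ok" if not mfa_fatigue_findings(cfg) else "alarm"

def feature(state, target_id):
    return {"state": state, "includeTarget": {"targetType": "group", "id": target_id}}

COMPLIANT = {
    "id": "MicrosoftAuthenticator", "state": "enabled",
    "includeTargets": [{"targetType": "group", "id": "all_users"}],
    "featureSettings": {
        "numberMatchingRequiredState": feature("enabled", "all_users"),
        "displayAppInformationRequiredState": feature("enabled", "all_users"),
        "displayLocationInformationRequiredState": feature("enabled", "all_users"),
    },
}
# Same tenant, but location display only piloted on one (constructed) group id.
PARTIAL = dict(COMPLIANT, featureSettings=dict(COMPLIANT["featureSettings"],
    displayLocationInformationRequiredState=feature("enabled", "00000000-0000-0000-0000-000000000001")))
```

Calling `control_status(PARTIAL)` returns "alarm" while `mfa_fatigue_findings(PARTIAL)` names the location display scoping as the cause, which is the detail the query's single count hides.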