Modernizing Authentication Management

We're thrilled to announce two key updates to how you manage your authentication experiences! The General Availability of Converged Authentication Methods and Public Preview of a modernized version of multifactor authentication (MFA) Fraud Alert.

The General Availability of Converged Authentication Methods allows all methods used for authentication and password reset to be centrally managed and with more control, providing the ability to target groups of users. 

The Public Preview of modern MFA Fraud Alert brings the configuration into the authentication methods policy and integrates this user-reported signal of suspicious MFA prompts with Identity protection.

Converged Authentication Methods 

Historically, methods had to be managed separately for MFA and self-service password reset. Now, they can both be managed in one policy alongside passwordless methods like FIDO2 security keys and -based authentication. Newly added methods include SMS, Voice Calls, Third-party Software OATH, and Email OTP. 

SHDriggers_0-1678896720146.png

Methods can now be managed more granularly, with the option to enable them for specific groups of users instead of all users and the ability to exclude groups of users from being targeted. This means you can perform actions like trial methods with pilot groups and limit lower security methods like SMS and Voice to smaller groups of users.

SHDriggers_1-1678791449704.png

We've also added a migration control to help you migrate methods from the legacy MFA and self-service password reset policies to the authentication methods policy. The control lets you move and test methods individually, before having to disable methods in the legacy policies. 


SHDriggers_2-1678730621461.png


Later in 2024 we'll be deprecating the ability to manage authentication methods in the legacy policies. As you migrate, we recommend stepping up your security posture by moving away from SMS and Voice , and enabling more secure methods like Microsoft and FIDO2 Security keys, if you haven't already. 

Learn more about managing authentication methods and migrating to the authentication methods policy, and migrate ASAP!

Report Suspicious Activity 

Azure () has had the MFA Fraud Alert feature, which enabled users to report suspicious MFA prompts they received on the Microsoft app or via phone. Users had the option to be added to a block list where the user would no longer receive MFA prompts until removed, a manual task for admins. Administration of Fraud Alert and the blocklist all required Global Admin privileges. We've modernized Fraud Alert with Report Suspicious Activity, moving the configuration for the feature to the authentication methods policy to enable configuration from the same location as other authentication related settings. Now we've integrated the alert events with Identity Protection for more comprehensive and configurable action once a user reports a prompt.

You can enable Report Suspicious Activity, and target either all of your users or an initial test group, via the new Settings in the Authentication methods UX, or via the authentication methods MSGraph API.

SHDriggers_3-1678730621463.png

Once enabled, if a user reports a MFA phone app push notification or voice MFA prompt as suspicious, the user account will be marked with user risk High. You can then use risk-based policies to have greater control over the specific remediation for these users, whether it's requiring immediate password change through self-service password reset, requiring MFA for all until the risk is remediated, or blocking authentication until the risk is remediated.  

SHDriggers_0-1679611522396.png

If you don't have P2, you can also use the risk event to disable the account until the risk can be remediated, for similar functionality to the legacy MFA blocklist.

Report Suspicious Activity will function in parallel with the legacy MFA Fraud Alert during preview, so if you have Fraud Alert enabled with automatic blocking, you'll need to both remediate the risk for users in scope for Report Suspicious Activity as well as remove the user from the MFA blocklist.

Learn more about configuring Report Suspicious Activity and leverage risk-based policies and try Suspicious Activity now.

As always, let us know your feedback.

Best regards,  

Alex Weinert (@Alex_T_Weinert)  

VP Director of Identity Security, Microsoft 

Learn more about Microsoft identity:

 

This article was originally published by Microsoft's Core Infrastructure and Security Blog. You can find the original article here.