How to set up number matching in multi-factor authentication notifications

Number matching is a key security upgrade to traditional second-factor notifications in Microsoft Authenticator, and it will begin to be enabled by default for all users starting February 27, 2023. It enhances the current binary “Approve” or “Reject” prompt that pops up in the Authenticator app. Before you can set up number matching, a couple of prerequisites must be in place.

Prerequisites

  • Your organisation needs to enable Microsoft Authenticator (traditional second factor) push notifications for users by using the new Authentication methods policy.
  • If your organisation is using the AD FS adapter or the NPS extension, upgrade to the latest versions for a consistent experience.

Multifactor authentication

When a user responds to an MFA push notification using the Authenticator app, they are presented with a number in the sign-in prompt. They need to type that number into the app to complete the approval.

Configuring Number Matching

  • Launch Azure Active Directory
  • Click the Security menu
  • Click Authentication methods
  • On the Authentication methods page, click Policies
  • Under the Methods section, click Microsoft Authenticator
  • Under Enable and Target, select the “Enable” radio button
  • Under Target, select either All users or Select groups
  • Click Save
  • Click the Configure tab
  • Set Allow use of Microsoft Authenticator OTP to Yes
  • Set Require number matching for push notifications to Enabled
  • In the Target section, decide whether to apply it to All users or Select groups
  • Set Show application name in push and passwordless notifications to Enabled
  • In the Target section, decide whether to apply it to All users or Select groups
  • Set Show geographical location in push and passwordless notifications to Enabled
  • In the Target section, decide whether to apply it to All users or Select groups
  • Click the Save button
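The same policy can be read and set through Microsoft Graph, which is useful for checking that a tenant actually enforces the settings above. The script below is an added example, not part of the original article or of Microsoft's documentation: it assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account holds the Policy.ReadWrite.AuthenticationMethod permission, and that the property names match the beta microsoftAuthenticatorAuthenticationMethodConfiguration resource (verify them against current Graph documentation, since this area changed after number matching became the default).

```powershell
# Added example: audit, and optionally apply, the Microsoft Authenticator settings
# described in this article (OTP, number matching, app name, location) via Graph.
# Property names are assumed from the beta Graph resource; confirm before use.
param([switch]$Apply)   # run without -Apply to report only

Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"

$uri = "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy" +
       "/authenticationMethodConfigurations/MicrosoftAuthenticator"

# Invoke-MgGraphRequest returns a hashtable by default, so nested keys can be read with dot notation.
$policy = Invoke-MgGraphRequest -Method GET -Uri $uri

"{0,-42} {1}" -f "Authenticator method state:", $policy.state
"{0,-42} {1}" -f "Allow OTP (isSoftwareOathEnabled):", $policy.isSoftwareOathEnabled

# The three feature settings the article enables; each carries its own target.
$features = "numberMatchingRequiredState",
            "displayAppInformationRequiredState",
            "displayLocationInformationRequiredState"
foreach ($name in $features) {
    $f = $policy.featureSettings.$name
    "{0,-42} state={1,-8} target={2}/{3}" -f $name, $f.state,
        $f.includeTarget.targetType, $f.includeTarget.id
}

# Desired configuration from the article: everything enabled and targeted at all users.
$allUsers = @{ targetType = "group"; id = "all_users" }
$enabled  = @{ state = "enabled"; includeTarget = $allUsers }
$body = @{
    "@odata.type"         = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration"
    state                 = "enabled"
    isSoftwareOathEnabled = $true
    featureSettings       = @{
        numberMatchingRequiredState             = $enabled
        displayAppInformationRequiredState      = $enabled
        displayLocationInformationRequiredState = $enabled
    }
}

if ($Apply) {
    # PATCH only changes the properties sent; method targets configured in the portal are left as-is.
    Invoke-MgGraphRequest -Method PATCH -Uri $uri -ContentType "application/json" `
        -Body ($body | ConvertTo-Json -Depth 6)
    "Policy updated. Re-run without -Apply to confirm the new state."
}
```

Run it once without -Apply after completing the portal steps to confirm every feature shows state=enabled with target group/all_users.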

Testing

This is a lot more secure than the SMS or phone call options.