Enable Number Matching for Azure MFA
This is a short guide one how to enable number matching in Azure Active Directory. Number Matching is Microsoft’s latest step in combating MFA fatigue attacks.
Enabling in Azure Portal
1) Log into portal.azure.com with your priviledged account and open Azure Active Directory.
2) On the left side, select Security
.png "Manage")
3) Then under Manage, click Authentication Methods
.png "Authentication Methods")
4) Under Authentication Methods, choose Microsoft Authenticator
.png "Microsoft Authenticator")
5) Now comes the time to configure or re-configure the actual policy. What you have already set may differ from my screenshots. In my example I am creating forcing Microsoft Authenticator to a test Azure AD group. Note that the option to not use number matching is actually disabled, as Microsoft is already enforcing this.
.png "Microsoft Test Group")
.png "Number Matching Enforced")
Testing
Now, with the test user you enabled the policy for, log out and back into something (Office 365, Azure, etc). You should be prompted with a randomly generated number on the application you are signing into. Additionally, you should receive a notification on your mobile device. This will include the text box where you enter the number, along with the geographical location of the sign-in and the application name. If you don’t get prompted to MFA, you may need to wait a while or lower your token expiry length.