Have you ever wondered why some sign-ins include location information and others don’t? Why sometimes you have to enter a code that is visible in your browser, and sometimes you just have to approve the notification without typing anything? So many unanswered questions! Just kidding. Of course, it all depends on how your company’s MFA service is configured.

Today I will show you how to customize MFA notifications and how to add to them information about the approximate location of the sign-in. Let’s get started!

Why do I need location in notifications?

In fact, why would we want location in Microsoft Authenticator notifications? For context. Remember that until recently Microsoft didn't require us to enter the number shown in the browser (the number matching option) to confirm a sign-in: a push arrived, we tapped Approve, and without any additional details we were blindly accepting requests, including ones we never started ourselves (this is what so-called MFA fatigue attacks rely on).

Unfortunately, this is a drawback of all MFA methods that don’t require us to enter any codes - convenience doesn’t always go hand in hand with security, which is something we need to keep in mind.

Microsoft saw the problem and started requiring users to enter the code displayed in the browser (number matching setting) for push notifications.

Beginning May 8, 2023, number matching is enabled for all Authenticator push notifications. As relevant services deploy, users worldwide who are enabled for Authenticator push notifications will begin to see number matching in their approval requests. Users can be enabled for Authenticator push notifications either in the Authentication methods policy or the legacy multifactor authentication policy if Notifications through mobile app is enabled.

How number matching works in multifactor authentication push notifications for Authenticator - Authentication methods policy

So now after Microsoft has fixed the biggest flaw in push notifications, do we still need location data? In my opinion, yes.

While an attacker can no longer get us to approve a request without us knowing the number shown in their browser, the mere fact that Microsoft Authenticator displays a location we are not signing in from, say Beijing, China, should trigger an employee's suspicions and lead them to report the activity instead of approving anything.

It doesn’t cost us anything either, so why not? 🙂

Note: This is also recommended in the CIS Microsoft 365 Foundations Benchmark.

Configuration

How can I turn on the map in notifications?

Navigate to: Entra admin center -> Protection -> Authentication methods -> Policies and select Microsoft Authenticator.

To edit the Microsoft Authenticator configuration, the method itself must be enabled first: on the Enable and Target tab switch Enable on (and choose the users or groups it should apply to), then go to the Configure tab.

Now it’s time for a quick check of our settings! We have the following options:

  • Allow use of Microsoft Authenticator OTP - whether to allow sign-in with 6-digit one-time passcodes (enabled by default).
  • Require number matching for push notifications - the previously mentioned setting (enabled and cannot be changed).
  • Show application name in push and passwordless notifications - whether to show the name of the application we are signing into (disabled by default).
  • Show geographic location in push and passwordless notifications - this is our setting to show the sign-in location details (disabled by default - SET IT TO ON).
  • Microsoft Authenticator on companion applications - some applications can act as our MFA application (Authenticator Lite). After enabling this setting, we can confirm new sign-ins in e.g. Outlook for mobile without having the Authenticator app installed. For screenshots and details of this setting see the documentation.

The Microsoft managed value means that control of that particular setting is handed over to Microsoft: whether it is effectively on or off depends on the option and on what Microsoft has currently decided for it, not on anything you chose.

Typically, while a feature is in preview, Microsoft managed resolves to off. Once the feature reaches General Availability (GA), Microsoft at some point flips it to on for everyone. I recommend that you set the values yourself, explicitly, to avoid surprises in the future.

Click the Save button and let’s start testing!
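The same settings can be set and checked through Microsoft Graph instead of the portal, which is handy when you manage several tenants or want the configuration in source control. The script below is an added example written for this post, not the author's script and not a verbatim sample from Microsoft's documentation. It uses the Microsoft Graph PowerShell SDK (Connect-MgGraph, Invoke-MgGraphRequest) against the v1.0 microsoftAuthenticator authentication method configuration; the portal labels map to featureSettings properties, "Show application name" to displayAppInformationRequiredState and "Show geographic location" to displayLocationInformationRequiredState. The "all_users" target id and the empty-GUID exclude target are the documented values for "everyone, excluding nobody".

```powershell
# Added example for this post (not the author's script): turn on "Show application name"
# and "Show geographic location" for Microsoft Authenticator via Microsoft Graph, then
# read the policy back and warn about anything still left on "Microsoft managed"
# (which Graph reports as state = 'default').
# Requires the Microsoft.Graph PowerShell SDK and an account holding the
# Authentication Policy Administrator (or Global Administrator) role.

Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod'

$uri = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/' +
       'authenticationMethodConfigurations/microsoftAuthenticator'

# Scope targets for a feature: 'all_users' is the documented id for the whole tenant,
# the all-zero GUID means "exclude nobody".
$allUsers = @{ targetType = 'group'; id = 'all_users' }
$nobody   = @{ targetType = 'group'; id = '00000000-0000-0000-0000-000000000000' }

function Get-AuthenticatorFeatureStates {
    # Flattens the policy (a hashtable as returned by Invoke-MgGraphRequest)
    # into one object: feature -> state (enabled / disabled / default).
    param([hashtable]$Policy)
    $fs = $Policy.featureSettings
    [pscustomobject]@{
        MethodEnabled  = $Policy.state
        NumberMatching = $fs.numberMatchingRequiredState.state
        AppName        = $fs.displayAppInformationRequiredState.state
        Location       = $fs.displayLocationInformationRequiredState.state
        CompanionApps  = $fs.companionAppAllowedState.state
    }
}

# 1. Before: what does the tenant have right now?
$before = Invoke-MgGraphRequest -Method GET -Uri $uri
Write-Host 'Before:'
Get-AuthenticatorFeatureStates $before | Format-List

# 2. Set the two context settings explicitly. The method itself must be enabled,
#    otherwise the Configure-tab settings never apply to anyone.
$body = @{
    '@odata.type'   = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration'
    state           = 'enabled'
    featureSettings = @{
        displayAppInformationRequiredState      = @{ state = 'enabled'; includeTarget = $allUsers; excludeTarget = $nobody }
        displayLocationInformationRequiredState = @{ state = 'enabled'; includeTarget = $allUsers; excludeTarget = $nobody }
    }
}
Invoke-MgGraphRequest -Method PATCH -Uri $uri -ContentType 'application/json' `
    -Body ($body | ConvertTo-Json -Depth 10)

# 3. After: read it back and complain about anything not explicitly enabled.
$after  = Invoke-MgGraphRequest -Method GET -Uri $uri
$states = Get-AuthenticatorFeatureStates $after
Write-Host 'After:'
$states | Format-List

foreach ($name in 'AppName', 'Location') {
    if ($states.$name -ne 'enabled') {
        Write-Warning "$name is '$($states.$name)' (expected 'enabled'); 'default' means Microsoft managed."
    }
}
```

Step 3 is the part worth keeping around as a periodic check: it is the same test a CIS-style audit performs, and it catches a colleague quietly switching a setting back to Microsoft managed in the portal.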

Tests

There’s not much to test here, just sign in to any Microsoft 365 app and wait for a new notification in Microsoft Authenticator.

Default MFA notification in Microsoft Authenticator without additional configuration in Entra admin center.

MFA notification in Microsoft Authenticator after enabling Show geographic location in push and passwordless notifications.

Success - the map with the details of the location is now visible in the MFA notifications!

BTW: The application name is also displayed, but this is due to the Show application name in push and passwordless notifications setting.

There is something wrong with this location…

Yeah, because this is only an approximate location derived from the public IP address the sign-in came from, looked up in a geo-IP database. You won't get 100 metre accuracy here; expect the city (or the city of your ISP's nearest point of presence) rather than your street. On the other hand, it's probably a good thing that Entra doesn't ask your browser for your exact GPS position.

Experiment

Use any website that provides geolocation (by entering a public IP address) to verify that the location from the MFA notification matches your actual location.

Works for me. However, the city name may vary depending on the service where we validate our IP.

Note

If you sign in from a mobile phone or from a virtual machine in Azure, such as within Azure Virtual Desktop (AVD), the location details in the notification will differ from those of your home computer, because the request reaches Microsoft from a different public IP address (your mobile carrier's, or the Azure region hosting the AVD session host). Don't be surprised if you see a different city or even country, e.g. Germany.

Bonus

Did you know that your employees can view their sign-in history and see exactly where and when they signed in to Microsoft 365 services? This information is available in the My Sign-Ins portal.

I see nothing suspicious in my sign-in history.
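The My Sign-Ins portal shows each user their own history; an admin gets the same location data for everyone from the Entra sign-in logs, which is also the place to confirm which IP address Entra geolocated when a phone or AVD session shows an unexpected city. The script below is an added example for this post, not the author's; it uses Get-MgAuditLogSignIn from the Microsoft.Graph.Reports module (reading sign-in logs through Graph needs a Microsoft Entra ID P1 or P2 licence in the tenant), a hypothetical user name, and a constructed set of sample records so the summarising logic can be exercised offline.

```powershell
# Added example (not from the original post): list where Entra resolved a user's recent
# sign-ins to, and flag sign-ins from countries you do not expect for that user.

function Get-SignInLocationSummary {
    # $SignIns: objects with CreatedDateTime, AppDisplayName, ClientAppUsed, IPAddress
    # and a Location sub-object (City, State, CountryOrRegion) - the shape returned by
    # Get-MgAuditLogSignIn. CountryOrRegion is the two-letter country code.
    param(
        [Parameter(Mandatory)][object[]]$SignIns,
        [string[]]$ExpectedCountries = @('PL')   # assumption: adjust to where your users are
    )
    foreach ($s in $SignIns) {
        $country = $s.Location.CountryOrRegion
        [pscustomobject]@{
            Time       = $s.CreatedDateTime
            App        = $s.AppDisplayName
            Client     = $s.ClientAppUsed
            IP         = $s.IPAddress
            Location   = '{0}, {1}, {2}' -f $s.Location.City, $s.Location.State, $country
            Unexpected = -not ($ExpectedCountries -contains $country)
        }
    }
}

# Constructed sample records (invented values, documentation IP ranges) so the function
# runs offline; real objects come from Get-MgAuditLogSignIn further down.
$sample = @(
    [pscustomobject]@{ CreatedDateTime = [datetime]'2024-01-10T08:00:00Z'; AppDisplayName = 'Office 365 SharePoint Online'
                       ClientAppUsed = 'Browser'; IPAddress = '203.0.113.10'
                       Location = [pscustomobject]@{ City = 'Warsaw'; State = 'Mazowieckie'; CountryOrRegion = 'PL' } }
    [pscustomobject]@{ CreatedDateTime = [datetime]'2024-01-10T08:05:00Z'; AppDisplayName = 'Azure Virtual Desktop'
                       ClientAppUsed = 'Mobile Apps and Desktop clients'; IPAddress = '198.51.100.7'
                       Location = [pscustomobject]@{ City = 'Frankfurt am Main'; State = 'Hessen'; CountryOrRegion = 'DE' } }
    [pscustomobject]@{ CreatedDateTime = [datetime]'2024-01-10T22:41:00Z'; AppDisplayName = 'Office 365 Exchange Online'
                       ClientAppUsed = 'Browser'; IPAddress = '192.0.2.44'
                       Location = [pscustomobject]@{ City = 'Beijing'; State = 'Beijing'; CountryOrRegion = 'CN' } }
)

# Home PC (Warsaw) and an AVD session host in Azure Germany (Frankfurt) are expected;
# the Beijing row comes out with Unexpected = True.
Get-SignInLocationSummary -SignIns $sample -ExpectedCountries 'PL', 'DE' | Format-Table -AutoSize

# Live version: the same function over the last 7 days of real sign-ins for one user.
# Uncomment to run against your tenant.
# Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'
# $upn   = 'jane.doe@contoso.com'   # hypothetical user
# $since = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
# $live  = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn' and createdDateTime ge $since" -All
# Get-SignInLocationSummary -SignIns $live -ExpectedCountries 'PL', 'DE' | Where-Object Unexpected
```

The expected-country list is deliberately a parameter: a user who regularly works from an AVD host in Germany should have DE on their list, so that the Frankfurt rows stop generating noise and only genuinely foreign sign-ins surface.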

Conclusion

Not all security improvements you can implement are complicated or require a long and tedious setup. Sometimes they are small tweaks like today's map in MFA notifications: they seem insignificant but add real value to your business.

Now it’s your turn to configure settings 🙂

Until next time.

Additional resources

  1. Microsoft Docs - How to enable Microsoft Authenticator Lite for Outlook mobile
  2. Microsoft Docs - How to use additional context in Microsoft Authenticator notifications
  3. Tenable - Ensure Microsoft Authenticator is configured to protect against MFA fatigue