MC468492 – (Updated) Authenticator number matching to be enabled for all Microsoft Authenticator users (archived)

check before: 2022-12-03

Product:

Azure Active Directory, Entra, Entra ID, Graph API, Microsoft Graph, SharePoint, Windows Server

Platform:

Developer, World tenant

Status:

Change type:

Admin impact, Updated message, User impact

Links:

Details:

Updated June 8, 2023: Number matching is now deployed and enabled for all users of the Microsoft Authenticator app!
Additionally, due to a change in the Microsoft Authenticator Authentication method policy, the feature configuration of Application Context and Location Context in tenants may have been impacted. End users were not impacted by this change, but if you made an update to these settings before 5/17 to set them to "disabled", please review your policy. If the policy has been reset to "default" and you'd like to explicitly set the state to be "disabled", you can leverage the UX or MS Graph API to do so. Note: Tenants who have the policy set to "enabled" were not affected by the change.
Microsoft Authenticator app’s number matching feature has been Generally Available since Nov 2022! If you have not already leveraged the rollout controls (via Azure Portal Admin UX and MSGraph APIs) to smoothly deploy number matching for users of Microsoft Authenticator push notifications, we highly encourage you to do so. We had previously announced that we will remove the admin controls and enforce the number match experience tenant-wide for all users of Microsoft Authenticator push notifications starting February 27, 2023. After listening to customers, we will extend the availability of the rollout controls for a few more weeks. Organizations can continue to use the existing rollout controls until May 8, 2023, to deploy number matching in their organizations. Microsoft services will start enforcing the number matching experience for all users of Microsoft Authenticator push notifications after May 8th, 2023. We will also remove the rollout controls for number matching after that date.

Please note that we have changed the expected behavior for NPS extension to be even more admin friendly. NPS versions 1.2.2216.1+ will be released once Microsoft starts to enable number matching for all Authenticator users. These NPS versions will automatically prefer OTP based sign-ins over traditional push notifications with the Authenticator app. An admin can choose to disable this behavior and fallback to traditional push notifications with Approve/Deny by setting the registry key OVERRIDE_NUMBER_MATCHING_WITH_OTP Value = FALSE. Previous NPS extension versions will not automatically switch Authenticator push notification authentications to OTP based authentications. Please refer to the NPS extension section of the number match documentation for further information.
[When this will happen:]

Beginning in May 2023.
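
The policy review asked for in the June 8 update can be scripted against the JSON that Microsoft Graph returns for the Microsoft Authenticator authentication method configuration. This is an added example, not part of the Message Center post: the sample policy is constructed, and the endpoint and the `featureSettings` property names are taken from the Graph v1.0 schema as an assumption to verify against your own tenant's response.

```python
import copy
import json

# Assumed Graph resource holding the policy (read with GET, change with PATCH).
POLICY_URL = ("https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/"
              "authenticationMethodConfigurations/MicrosoftAuthenticator")

# Assumed featureSettings keys for the two context features named in the message.
FEATURES = {
    "Application Context": "displayAppInformationRequiredState",
    "Location Context": "displayLocationInformationRequiredState",
}
VALID_STATES = {"default", "enabled", "disabled"}

# Constructed sample of a GET response: the admin set both features to
# "disabled" before 5/17, and one of them now reads "default" again.
SAMPLE_POLICY = json.loads("""
{
  "id": "MicrosoftAuthenticator",
  "state": "enabled",
  "featureSettings": {
    "displayAppInformationRequiredState": {
      "state": "default",
      "includeTarget": {"targetType": "group", "id": "all_users"},
      "excludeTarget": {"targetType": "group", "id": "00000000-0000-0000-0000-000000000000"}
    },
    "displayLocationInformationRequiredState": {
      "state": "disabled",
      "includeTarget": {"targetType": "group", "id": "all_users"},
      "excludeTarget": {"targetType": "group", "id": "00000000-0000-0000-0000-000000000000"}
    }
  }
}
""")


def audit_context_settings(policy, intended):
    """Return (feature, current state, intended state) for each drifted feature.

    A feature with no entry in the policy is treated as "default".
    """
    settings = policy.get("featureSettings") or {}
    drift = []
    for name, key in FEATURES.items():
        want = intended[name]
        if want not in VALID_STATES:
            raise ValueError(f"unknown state {want!r} for {name}")
        have = (settings.get(key) or {}).get("state", "default")
        if have != want:
            drift.append((name, have, want))
    return drift


def build_patch(policy, drift):
    """Build a PATCH body that restores the intended states.

    The whole featureSettings object is sent, with include/exclude targets
    preserved, so untouched settings are stated explicitly as well.
    """
    if not drift:
        return None
    settings = copy.deepcopy(policy.get("featureSettings") or {})
    for name, _have, want in drift:
        entry = settings.get(FEATURES[name]) or {}
        entry["state"] = want
        settings[FEATURES[name]] = entry
    return {
        "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
        "featureSettings": settings,
    }


if __name__ == "__main__":
    intended = {"Application Context": "disabled", "Location Context": "disabled"}
    drift = audit_context_settings(SAMPLE_POLICY, intended)
    for name, have, want in drift:
        print(f"{name}: policy says {have!r}, intended {want!r}")
    print("PATCH", POLICY_URL)
    print(json.dumps(build_patch(SAMPLE_POLICY, drift), indent=2))
```

Tenants that had the features set to "enabled" produce no drift here, which matches the note that they were not affected.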

Release Phase:

Created:
2022-11-19

updated:
2023-06-09


change history

Date, Property, old, new
Date: 2023-06-09
Property: MC Messages
old:
Updated March 16, 2023: We have updated the timing of this change, below. Thank you for your patience.
Microsoft Authenticator app’s number matching feature has been Generally Available since Nov 2022! If you have not already leveraged the rollout controls (via Azure Portal Admin UX and MSGraph APIs) to smoothly deploy number matching for users of Microsoft Authenticator push notifications, we highly encourage you to do so. We had previously announced that we will remove the admin controls and enforce the number match experience tenant-wide for all users of Microsoft Authenticator push notifications starting February 27, 2023. After listening to customers, we will extend the availability of the rollout controls for a few more weeks. Organizations can continue to use the existing rollout controls until May 8, 2023, to deploy number matching in their organizations. Microsoft services will start enforcing the number matching experience for all users of Microsoft Authenticator push notifications after May 8th, 2023. We will also remove the rollout controls for number matching after that date.
Please note that we have changed the expected behavior for NPS extension to be even more admin friendly. NPS versions 1.2.2216.1+ will be released once Microsoft starts to enable number matching for all Authenticator users. These NPS versions will automatically prefer OTP based sign-ins over traditional push notifications with the Authenticator app. An admin can choose to disable this behavior and fallback to traditional push notifications with Approve/Deny by setting the registry key OVERRIDE_NUMBER_MATCHING_WITH_OTP Value = FALSE. Previous NPS extension versions will not automatically switch Authenticator push notification authentications to OTP based authentications. Please refer to the NPS extension section of the number match documentation for further information.
[When this will happen:]

Beginning in May 2023.
new:
Updated June 8, 2023: Number matching is now deployed and enabled for all users of the Microsoft Authenticator app!
Additionally, due to a change in the Microsoft Authenticator Authentication method policy, the feature configuration of Application Context and Location Context in tenants may have been impacted. End users were not impacted by this change, but if you made an update to these settings before 5/17 to set them to "disabled", please review your policy. If the policy has been reset to "default" and you'd like to explicitly set the state to be "disabled", you can leverage the UX or MS Graph API to do so. Note: Tenants who have the policy set to "enabled" were not affected by the change.
Microsoft Authenticator app’s number matching feature has been Generally Available since Nov 2022! If you have not already leveraged the rollout controls (via Azure Portal Admin UX and MSGraph APIs) to smoothly deploy number matching for users of Microsoft Authenticator push notifications, we highly encourage you to do so. We had previously announced that we will remove the admin controls and enforce the number match experience tenant-wide for all users of Microsoft Authenticator push notifications starting February 27, 2023. After listening to customers, we will extend the availability of the rollout controls for a few more weeks. Organizations can continue to use the existing rollout controls until May 8, 2023, to deploy number matching in their organizations. Microsoft services will start enforcing the number matching experience for all users of Microsoft Authenticator push notifications after May 8th, 2023. We will also remove the rollout controls for number matching after that date.

Please note that we have changed the expected behavior for NPS extension to be even more admin friendly. NPS versions 1.2.2216.1+ will be released once Microsoft starts to enable number matching for all Authenticator users. These NPS versions will automatically prefer OTP based sign-ins over traditional push notifications with the Authenticator app. An admin can choose to disable this behavior and fallback to traditional push notifications with Approve/Deny by setting the registry key OVERRIDE_NUMBER_MATCHING_WITH_OTP Value = FALSE. Previous NPS extension versions will not automatically switch Authenticator push notification authentications to OTP based authentications. Please refer to the NPS extension section of the number match documentation for further information.
[When this will happen:]

Beginning in May 2023.
Date: 2023-06-09
Property: MC Last Updated
old: 03/16/2023 19:26:38
new: 2023-06-09T00:02:49Z
Date: 2023-03-17
Property: MC Messages
old:
Updated February 16, 2023: Microsoft Authenticator app’s number matching feature has been Generally Available since Nov 2022! If you have not already leveraged the rollout controls (via Azure Portal Admin UX and MSGraph APIs) to smoothly deploy number matching for users of Microsoft Authenticator push notifications, we highly encourage you to do so. We had previously announced that we will remove the admin controls and enforce the number match experience tenant-wide for all users of Microsoft Authenticator push notifications starting February 27, 2023. After listening to customers, we will extend the availability of the rollout controls for a few more weeks. Organizations can continue to use the existing rollout controls until May 8, 2023, to deploy number matching in their organizations. Microsoft services will start enforcing the number matching experience for all users of Microsoft Authenticator push notifications after May 8th, 2023. We will also remove the rollout controls for number matching after that date.
Please note that we have changed the expected behavior for NPS extension to be even more admin friendly. NPS versions 1.2.2216.1+ will be released once Microsoft starts to enable number matching for all Authenticator users. These NPS versions will automatically prefer OTP based sign-ins over traditional push notifications with the Authenticator app. An admin can choose to disable this behavior and fallback to traditional push notifications with Approve/Deny by setting the registry key OVERRIDE_NUMBER_MATCHING_WITH_OTP Value = FALSE. Previous NPS extension versions will not automatically switch Authenticator push notification authentications to OTP based authentications. Please refer to the NPS extension section of the number match documentation for further information.
[When this will happen:]

Beginning February 27, 2023
new:
Updated March 16, 2023: We have updated the timing of this change, below. Thank you for your patience.
Microsoft Authenticator app’s number matching feature has been Generally Available since Nov 2022! If you have not already leveraged the rollout controls (via Azure Portal Admin UX and MSGraph APIs) to smoothly deploy number matching for users of Microsoft Authenticator push notifications, we highly encourage you to do so. We had previously announced that we will remove the admin controls and enforce the number match experience tenant-wide for all users of Microsoft Authenticator push notifications starting February 27, 2023. After listening to customers, we will extend the availability of the rollout controls for a few more weeks. Organizations can continue to use the existing rollout controls until May 8, 2023, to deploy number matching in their organizations. Microsoft services will start enforcing the number matching experience for all users of Microsoft Authenticator push notifications after May 8th, 2023. We will also remove the rollout controls for number matching after that date.
Please note that we have changed the expected behavior for NPS extension to be even more admin friendly. NPS versions 1.2.2216.1+ will be released once Microsoft starts to enable number matching for all Authenticator users. These NPS versions will automatically prefer OTP based sign-ins over traditional push notifications with the Authenticator app. An admin can choose to disable this behavior and fallback to traditional push notifications with Approve/Deny by setting the registry key OVERRIDE_NUMBER_MATCHING_WITH_OTP Value = FALSE. Previous NPS extension versions will not automatically switch Authenticator push notification authentications to OTP based authentications. Please refer to the NPS extension section of the number match documentation for further information.
[When this will happen:]

Beginning in May 2023.
Date: 2023-03-17
Property: MC How Affect
old:
To prevent accidental approvals, admins can require users to enter a number displayed on the sign-in screen when approving an MFA request in the Microsoft Authenticator app. This feature is critical to protecting against MFA fatigue attacks which are on the rise.

Another way to reduce accidental approvals is to show users additional context in Authenticator notifications. Admins can now selectively choose to enable the following:
Application context: Show users which application they are signing into.
Geographic location context: Show users their sign-in location based on the IP address of the device they are signing into.

Number match behavior in different scenarios after 27-February 2023:
Authentication flows will require users to do number match when using the Microsoft Authenticator app. If the user is using a version of the Authenticator app that doesn’t support number match, their authentication will fail. Please make sure to upgrade to the latest version of Microsoft Authenticator (App Store and Google Play Store) to use it for sign-in.
Self Service Password Reset (SSPR) and combined registration flows will also require number match when users are using the Microsoft Authenticator app.
ADFS adapter will require number matching on versions of Windows Server that support number matching. On earlier versions, users will continue to see the “Approve/Deny” experience and won’t see number matching till you upgrade.
Windows Server 2022 October 26, 2021—KB5006745 (OS Build 20348.320)
Windows Server 2019 October 19, 2021—KB5006744 (OS Build 17763.2268)
Windows Server 2016 October 12, 2021—KB5006669 (OS Build 14393.4704)
NPS extension versions beginning 1.2.2131.2 will require users to do number matching after 27-February 2023. Because the NPS extension can’t show a number, the user will be asked to enter a One-Time Passcode (OTP). The user must have an OTP authentication method (e.g. Microsoft Authenticator app, software tokens etc.) registered to see this behavior. If the user doesn’t have an OTP method registered, they’ll continue to get the Approve/Deny experience. You can create a registry key that overrides this behavior and prompts users with Approve/Deny. More information can be found in the number matching documentation.
Apple Watch – Apple Watch will remain unsupported for number matching. We recommend you uninstall the Microsoft Authenticator Apple Watch app because you have to approve notifications on your phone.
new:
To prevent accidental approvals, admins can require users to enter a number displayed on the sign-in screen when approving an MFA request in the Microsoft Authenticator app. This feature is critical to protecting against MFA fatigue attacks which are on the rise.

Another way to reduce accidental approvals is to show users additional context in Authenticator notifications. Admins can now selectively choose to enable the following:
Application context: Show users which application they are signing into.
Geographic location context: Show users their sign-in location based on the IP address of the device they are signing into.

Number match behavior in different scenarios after May 2023:
Authentication flows will require users to do number match when using the Microsoft Authenticator app. If the user is using a version of the Authenticator app that doesn’t support number match, their authentication will fail. Please make sure to upgrade to the latest version of Microsoft Authenticator (App Store and Google Play Store) to use it for sign-in.
Self Service Password Reset (SSPR) and combined registration flows will also require number match when users are using the Microsoft Authenticator app.
ADFS adapter will require number matching on versions of Windows Server that support number matching. On earlier versions, users will continue to see the “Approve/Deny” experience and won’t see number matching till you upgrade.
Windows Server 2022 October 26, 2021—KB5006745 (OS Build 20348.320)
Windows Server 2019 October 19, 2021—KB5006744 (OS Build 17763.2268)
Windows Server 2016 October 12, 2021—KB5006669 (OS Build 14393.4704)
NPS extension versions beginning 1.2.2131.2 will require users to do number matching after May 2023. Because the NPS extension can’t show a number, the user will be asked to enter a One-Time Passcode (OTP). The user must have an OTP authentication method (e.g. Microsoft Authenticator app, software tokens etc.) registered to see this behavior. If the user doesn’t have an OTP method registered, they’ll continue to get the Approve/Deny experience. You can create a registry key that overrides this behavior and prompts users with Approve/Deny. More information can be found in the number matching documentation.
Apple Watch – Apple Watch will remain unsupported for number matching. We recommend you uninstall the Microsoft Authenticator Apple Watch app because you have to approve notifications on your phone.
Date: 2023-03-17
Property: MC Last Updated
old: 02/16/2023 22:28:56
new: 2023-03-16T19:26:38Z
Date: 2023-02-17
Property: MC Last Updated
old: 02/02/2023 21:38:01
new: 2023-02-16T22:28:56Z
Date: 2023-02-17
Property: MC Messages
old:
Updated February 2, 2023: Microsoft Authenticator app’s number matching feature has been Generally Available since Nov 2022! If you have not already leveraged the rollout controls (via Azure Portal Admin UX and MSGraph APIs) to smoothly deploy number matching for users of Microsoft Authenticator, we highly encourage you to do so. Microsoft will start enabling this critical security feature for all users of the Microsoft Authenticator app beginning February 27, 2023 and remove this feature’s rollout controls after that date.
Please note that we have changed the expected behavior for NPS extension to be even more admin friendly. NPS versions 1.2.2216.1+ will be released once Microsoft starts to enable number matching for all Authenticator users. These NPS versions will automatically prefer OTP based sign-ins over traditional push notifications with the Authenticator app. An admin can choose to disable this behavior and fallback to traditional push notifications with Approve/Deny by setting the registry key OVERRIDE_NUMBER_MATCHING_WITH_OTP Value = FALSE. Previous NPS extension versions will not automatically switch Authenticator push notification authentications to OTP based authentications. Please refer to the NPS extension section of the number match documentation for further information.
[When this will happen:]

Beginning February 27, 2023
new:
Updated February 16, 2023: Microsoft Authenticator app’s number matching feature has been Generally Available since Nov 2022! If you have not already leveraged the rollout controls (via Azure Portal Admin UX and MSGraph APIs) to smoothly deploy number matching for users of Microsoft Authenticator push notifications, we highly encourage you to do so. We had previously announced that we will remove the admin controls and enforce the number match experience tenant-wide for all users of Microsoft Authenticator push notifications starting February 27, 2023. After listening to customers, we will extend the availability of the rollout controls for a few more weeks. Organizations can continue to use the existing rollout controls until May 8, 2023, to deploy number matching in their organizations. Microsoft services will start enforcing the number matching experience for all users of Microsoft Authenticator push notifications after May 8th, 2023. We will also remove the rollout controls for number matching after that date.
Please note that we have changed the expected behavior for NPS extension to be even more admin friendly. NPS versions 1.2.2216.1+ will be released once Microsoft starts to enable number matching for all Authenticator users. These NPS versions will automatically prefer OTP based sign-ins over traditional push notifications with the Authenticator app. An admin can choose to disable this behavior and fallback to traditional push notifications with Approve/Deny by setting the registry key OVERRIDE_NUMBER_MATCHING_WITH_OTP Value = FALSE. Previous NPS extension versions will not automatically switch Authenticator push notification authentications to OTP based authentications. Please refer to the NPS extension section of the number match documentation for further information.
[When this will happen:]

Beginning February 27, 2023
Date: 2023-02-17
Property: MC End Time
old: 04/28/2023 09:00:00
new: 2023-07-21T09:00:00Z
Date: 2023-02-17
Property: MC prepare
old:
We highly recommend that you leverage the rollout controls (via Azure Portal Admin UX and MSGraph APIs) to smoothly deploy these features (number match and additional context) for users of the Microsoft Authenticator app.
Learn more at:
Number match documentation
Defend your users from MFA fatigue attacks - Microsoft Community Hub
Advanced Microsoft Authenticator security features are now generally available! - Microsoft Community Hub
https://learn.microsoft.com/azure/active-directory/authentication/how-to-mfa-number-match
https://learn.microsoft.com/azure/active-directory/authentication/how-to-mfa-number-match#nps-extension
https://support.microsoft.com/topic/october-12-2021-kb5006669-os-build-14393-4704-bcc95546-0768-49ae-bec9-240cc59df384
https://support.microsoft.com/topic/october-19-2021-kb5006744-os-build-17763-2268-preview-e043a8a3-901b-4190-bb6b-f5a4137411c0
https://support.microsoft.com/topic/october-26-2021-non-security-update-kb5006745-572c595a-aff6-4976-a961-07aafb257973
https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/defend-your-users-from-mfa-fatigue-attacks/ba-p/2365677
new:
If customers don’t enable number match for all Microsoft Authenticator push notifications prior to May 8, 2023, users may experience inconsistent sign-ins while the services are rolling out this change. To ensure consistent behavior for all users, we highly recommend you enable number match for Microsoft Authenticator push notifications in advance.
Learn more at:
Number match documentation
Defend your users from MFA fatigue attacks - Microsoft Community Hub
Advanced Microsoft Authenticator security features are now generally available! - Microsoft Community Hub
https://learn.microsoft.com/azure/active-directory/authentication/how-to-mfa-number-match
https://learn.microsoft.com/azure/active-directory/authentication/how-to-mfa-number-match#nps-extension
https://support.microsoft.com/topic/october-12-2021-kb5006669-os-build-14393-4704-bcc95546-0768-49ae-bec9-240cc59df384
https://support.microsoft.com/topic/october-19-2021-kb5006744-os-build-17763-2268-preview-e043a8a3-901b-4190-bb6b-f5a4137411c0
https://support.microsoft.com/topic/october-26-2021-non-security-update-kb5006745-572c595a-aff6-4976-a961-07aafb257973
https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/defend-your-users-from-mfa-fatigue-attacks/ba-p/2365677
Date: 2023-02-03
Property: MC Messages
old:
Microsoft Authenticator App’s number matching is Generally Available! Microsoft will start enabling this critical security feature for all users of the Microsoft Authenticator app.

[When this will happen:]
Beginning February 27, 2023
new:
Updated February 2, 2023: Microsoft Authenticator app’s number matching feature has been Generally Available since Nov 2022! If you have not already leveraged the rollout controls (via Azure Portal Admin UX and MSGraph APIs) to smoothly deploy number matching for users of Microsoft Authenticator, we highly encourage you to do so. Microsoft will start enabling this critical security feature for all users of the Microsoft Authenticator app beginning February 27, 2023 and remove this feature’s rollout controls after that date.
Please note that we have changed the expected behavior for NPS extension to be even more admin friendly. NPS versions 1.2.2216.1+ will be released once Microsoft starts to enable number matching for all Authenticator users. These NPS versions will automatically prefer OTP based sign-ins over traditional push notifications with the Authenticator app. An admin can choose to disable this behavior and fallback to traditional push notifications with Approve/Deny by setting the registry key OVERRIDE_NUMBER_MATCHING_WITH_OTP Value = FALSE. Previous NPS extension versions will not automatically switch Authenticator push notification authentications to OTP based authentications. Please refer to the NPS extension section of the number match documentation for further information.
[When this will happen:]

Beginning February 27, 2023
Date: 2023-02-03
Property: MC Title
old: Authenticator number matching to be enabled for all Microsoft Authenticator users
new: (Updated) Authenticator number matching to be enabled for all Microsoft Authenticator users
Date: 2023-02-03
Property: MC Last Updated
old: 11/19/2022 00:57:09
new: 2023-02-02T21:38:01Z
Date: 2023-02-03
Property: MC MessageTagNames
old: User impact, Admin impact
new: Updated message, User impact, Admin impact
Date: 2023-02-03
Property: MC prepare
old:
We highly recommend that you leverage the rollout controls (via Azure Portal Admin UX and MSGraph APIs) to smoothly deploy these features (number match and additional context) for users of the Microsoft Authenticator app.
Learn more at:
Number match documentation
Defend your users from MFA fatigue attacks - Microsoft Community Hub
Advanced Microsoft Authenticator security features are now generally available! - Microsoft Community Hub
https://learn.microsoft.com/azure/active-directory/authentication/how-to-mfa-number-match
https://support.microsoft.com/topic/october-12-2021-kb5006669-os-build-14393-4704-bcc95546-0768-49ae-bec9-240cc59df384
https://support.microsoft.com/topic/october-19-2021-kb5006744-os-build-17763-2268-preview-e043a8a3-901b-4190-bb6b-f5a4137411c0
https://support.microsoft.com/topic/october-26-2021-non-security-update-kb5006745-572c595a-aff6-4976-a961-07aafb257973
https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/defend-your-users-from-mfa-fatigue-attacks/ba-p/2365677
new:
We highly recommend that you leverage the rollout controls (via Azure Portal Admin UX and MSGraph APIs) to smoothly deploy these features (number match and additional context) for users of the Microsoft Authenticator app.
Learn more at:
Number match documentation
Defend your users from MFA fatigue attacks - Microsoft Community Hub
Advanced Microsoft Authenticator security features are now generally available! - Microsoft Community Hub
https://learn.microsoft.com/azure/active-directory/authentication/how-to-mfa-number-match
https://learn.microsoft.com/azure/active-directory/authentication/how-to-mfa-number-match#nps-extension
https://support.microsoft.com/topic/october-12-2021-kb5006669-os-build-14393-4704-bcc95546-0768-49ae-bec9-240cc59df384
https://support.microsoft.com/topic/october-19-2021-kb5006744-os-build-17763-2268-preview-e043a8a3-901b-4190-bb6b-f5a4137411c0
https://support.microsoft.com/topic/october-26-2021-non-security-update-kb5006745-572c595a-aff6-4976-a961-07aafb257973
https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/defend-your-users-from-mfa-fatigue-attacks/ba-p/2365677
