Skip to main content

MFA Fatigue Has a Fix, and It Is Already in Your Azure AD Tenant

Nick Ross3 min read

TL;DR

  • Number matching defeats MFA fatigue attacks because an attacker triggering the prompt never sees the number the user would need to type.
  • As of October 2022, number matching and geographic location context for Microsoft Authenticator are both in preview, and Microsoft has stated number matching will become enabled by default in the coming months.
  • Authentication strengths is a Conditional Access control that lets you require phishing-resistant methods like FIDO2 keys for sensitive resources while allowing weaker combinations elsewhere.
  • Attackers who compromise an account commonly register their own MFA method at aka.ms/mysecurityinfo, and the registration and reset events report is where you catch it.
  • The registration details report shows every user's registered MFA, SSPR, and passwordless methods, making 100 percent coverage something you can verify instead of assume.

Enforcing MFA for every user stopped being impressive years ago; it is the baseline. Most MSPs moved customers off the legacy per-user MFA settings to licensing that supports Conditional Access, pointed everyone at Microsoft Authenticator or Duo, and called it done. The problem is what "done" looks like to an attacker: a push notification the user can approve without thinking, which is exactly what MFA fatigue attacks count on.

Azure AD has quietly grown a set of controls that close that gap, and as of October 2022 most tenants have never touched them. MFA in Azure AD keeps evolving quickly, a pace we expect to accelerate with the introduction of Microsoft Entra. Here are five settings worth knowing, grouped by what they actually do for you: two that harden the push prompt itself, one that matches the second factor to what it protects, and two reports that tell you whether any of it is holding.

Harden the push prompt itself

Number matching in Microsoft Authenticator

Number matching prompt in Microsoft Authenticator

What it does: instead of tapping Approve, users type the number shown on their sign-in screen into the Authenticator app to approve an MFA push.

Why it matters: number matching looks like a small change and is a big one. In an MFA fatigue attack, a bad actor with compromised credentials hammers the user with MFA prompts until one gets approved, which is what happened in the recent Uber breach. A tired user can absent-mindedly accept a push. They cannot type a number they never saw, because the number only appears on the attacker's screen, not theirs.

Configure it: Use number matching in multifactor authentication (MFA) notifications (Preview) (opens in new tab)

Worth noting: Microsoft has stated number matching will become enabled by default in the coming months. Turning it on now just means you choose the timing instead of Microsoft.

Geographic location in Microsoft Authenticator

Geographic location context shown in an Authenticator MFA prompt

What it does: users still approve MFA requests, but the prompt shows the geographic location the request is coming from.

Why it matters: same logic as number matching, applied visually. A sign-in prompt from a country your user has never visited is a red flag they can act on in one glance, which makes unauthorized prompts much harder to approve by accident.

Configure it: Use additional context in Microsoft Authenticator notifications (Preview) (opens in new tab)

Match the second factor to what it protects: authentication strengths

Authentication strengths configuration in Conditional Access

What it does: authentication strength is a Conditional Access control that lets administrators specify which combinations of authentication methods can access a resource. Sensitive resource: phishing-resistant methods only. Low-stakes resource: weaker MFA combinations like password plus SMS remain acceptable.

Why it matters: the first two settings prove a point: MFA-enabled users still get compromised. The MSP's real job is finding the mix that raises security without grinding user productivity to a halt, and authentication strengths is exactly that dial. Require FIDO2 keys, Windows Hello, or certificates for the resources that would actually hurt, since those methods hold up far better against man-in-the-middle attacks, and leave lighter methods for everything else. It also gives you a sane answer for corporate resources on personal devices. Combine the stronger methods with a passwordless approach and the attack surface shrinks again.

Configure it: Overview of Azure Active Directory authentication strength (preview) (opens in new tab)

Verify it is actually working: two reports nobody reads

Registration details

Registration details report in Azure AD

This Azure AD report shows, per user:

  • Users registered for MFA
  • Users registered for SSPR
  • Users registered for passwordless
  • Default MFA method used
  • MFA registration methods registered

Why it matters: this is how MFA coverage stops being an assumption. Audit it periodically and you can show 100 percent compliance with the MFA methods your MSP enforces, by name, per user. It also earns its keep in support cases when you are troubleshooting MFA issues.

Where to look: Authentication Methods Activity, registration details (opens in new tab)

Registration and reset events

Registration and reset events report in Azure AD

What it does: shows MFA registration and reset events for up to the past 30 days.

Why it matters: when an attacker compromises an account, a very common next move is registering their own MFA method on it at aka.ms/mysecurityinfo, and if FIDO2 is available in the tenant, they can even enroll their own key. That gives them durable access that survives a password reset. If you suspect a user is compromised, through the Risky Users report or otherwise, this report tells you whether a new registration event occurred recently. If one did: revoke the user's sessions, reset the password, and make them re-register for MFA.

Where to look: Authentication Methods Activity, registration and reset events (opens in new tab)

Frequently asked questions

What is an MFA fatigue attack?

An attacker with compromised credentials floods the user with MFA push prompts until the user approves one out of exhaustion or confusion. The October 2022 Uber breach is a recent example. Number matching blocks it because approval requires typing a number only the legitimate sign-in screen displays.

What should you do if a user shows a suspicious MFA registration event?

Treat the account as compromised: revoke the user's sessions, reset the password, and require them to re-register for MFA.

Do these settings require extra licensing?

The Authenticator features and registration reports work with Azure AD MFA. Authentication strengths is a Conditional Access control, so it requires licensing that includes Conditional Access, such as Azure AD P1.

Is number matching actually on in every tenant you manage?

Knowing the setting exists and proving it is enforced across 40 customers are different jobs. CloudCapsule checks 250+ controls per tenant in about 60 seconds, MFA configuration included.

Run a free scan
Nick Ross

Written by

Nick Ross

CEO · Microsoft MVP · Founder, T-Minus 365

Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.

Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.

Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.

Keep reading