Nudging users to adopt Microsoft Authenticator using registration campaigns

As usual when a new Microsoft Graph endpoint is released, I do some digging using Graph Explorer. Not rocket science, but sometimes I find very interesting stuff, and this time I have found something.

Let’s say you have 1000 users currently using SMS for Multi-Factor Authentication, and you want to get them to use the Microsoft Authenticator app instead. What do you do? Do you send out emails, and check the rollout status by querying each user’s microsoftAuthenticatorMethods collection (the microsoftAuthenticatorAuthenticationMethod resource)? Sure, today you do, but there is a secret feature available that some time in the future will help you out. Registration campaigns!
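For the “check each user” approach, here is an added example (not code from the original post) that walks a list of users, reads each one’s microsoftAuthenticatorMethods collection and reports who has nothing registered yet. The endpoint path is Microsoft Graph’s own; the helper names, the fetch callback and the two sample users under contoso.example are assumptions constructed for the example, so it runs offline against canned responses and against a live tenant with a real token.

```python
import json
import urllib.request

# Assumed helper names (not from the original post); the Graph paths themselves are real.
GRAPH_BASE = "https://graph.microsoft.com/v1.0"


def graph_get(url, token):
    """GET a Graph URL with a bearer token and return the parsed JSON body."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def users_without_authenticator(user_ids, fetch):
    """Return the ids of users that have no microsoftAuthenticatorAuthenticationMethod registered.

    `fetch(url)` must return the parsed JSON of a Graph GET, so the same logic runs
    against a live tenant (lambda u: graph_get(u, token)) or against canned data.
    """
    missing = []
    for uid in user_ids:
        url = f"{GRAPH_BASE}/users/{uid}/authentication/microsoftAuthenticatorMethods"
        methods = []
        while url:  # follow @odata.nextLink in case the collection is paged
            page = fetch(url)
            methods.extend(page.get("value", []))
            url = page.get("@odata.nextLink")
        if not methods:
            missing.append(uid)
    return missing


# Constructed sample responses (not real tenant data): alice has the app, bob has nothing (SMS only).
SAMPLE_RESPONSES = {
    f"{GRAPH_BASE}/users/alice@contoso.example/authentication/microsoftAuthenticatorMethods": {
        "value": [{
            "id": "00000000-0000-0000-0000-000000000001",
            "displayName": "Pixel 7",
            "deviceTag": "SoftwareTokenActivated",
        }]
    },
    f"{GRAPH_BASE}/users/bob@contoso.example/authentication/microsoftAuthenticatorMethods": {
        "value": []
    },
}


def audit_sample():
    """Run the audit over the constructed sample; returns the users still to be nudged."""
    return users_without_authenticator(
        ["alice@contoso.example", "bob@contoso.example"], SAMPLE_RESPONSES.__getitem__)


if __name__ == "__main__":
    print(audit_sample())  # ['bob@contoso.example']
```

Against a real tenant the token needs UserAuthenticationMethod.Read.All (or a role that covers it), and the list of user ids would come from a /users query rather than a literal list.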

So, how do I know this? Well, it is easy, I queried the https://graph.microsoft.com/beta/authenticationMethodsPolicy endpoint and found the following:

What this essentially is, is a campaign that reminds users (in this case all users) to register the Microsoft Authenticator method instead of relying on other means of MFA! What you see is the default configuration, and my users aren’t getting any campaign prompts, so let’s try to enable it by PATCHing https://graph.microsoft.com/beta/authenticationMethodsPolicy with state = “enabled” (which seems logical, right?):

PATCH https://graph.microsoft.com/beta/authenticationMethodsPolicy
{
    "registrationEnforcement": {
        "authenticationMethodsRegistrationCampaign": {
            "snoozeDurationInDays": 1,
            "state": "enabled",
            "excludeTargets": [],
            "includeTargets": [
                {
                    "id": "all_users",
                    "targetType": "group",
                    "targetedAuthenticationMethod": "microsoftAuthenticator"
                }
            ]
        }
    }
}
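The body above targets every user. As an added example (not code from the original post), here is a small builder that produces the same PATCH body for an arbitrary set of include and exclude groups and rejects the values the API would not accept, plus the PATCH call itself. The function names and the pilot/exclusion group ids are assumptions for illustration; the property names, the “all_users” id and the 0 to 14 day range for snoozeDurationInDays come from the Graph documentation for authenticationMethodsRegistrationCampaign.

```python
import json
import urllib.request

POLICY_URL = "https://graph.microsoft.com/beta/authenticationMethodsPolicy"
VALID_STATES = ("default", "enabled", "disabled")


def campaign_target(group_id):
    """One includeTargets entry; 'all_users' is the built-in id covering the whole tenant."""
    return {
        "id": group_id,
        "targetType": "group",
        "targetedAuthenticationMethod": "microsoftAuthenticator",
    }


def build_campaign_patch(include_groups, exclude_groups=(), snooze_days=1, state="enabled"):
    """Build the PATCH body for registrationEnforcement.authenticationMethodsRegistrationCampaign.

    Assumed helper (not from the original post). Validation mirrors the documented
    constraints so a bad value fails locally instead of as a 400 from Graph.
    """
    if state not in VALID_STATES:
        raise ValueError(f"state must be one of {VALID_STATES}, got {state!r}")
    # Documented range is 0..14 days; 0 means the user is nudged on every MFA sign-in.
    if not 0 <= snooze_days <= 14:
        raise ValueError("snoozeDurationInDays must be between 0 and 14")
    if state == "enabled" and not include_groups:
        raise ValueError("an enabled campaign needs at least one include target")
    if set(include_groups) & set(exclude_groups):
        raise ValueError("a group cannot be both included and excluded")
    return {
        "registrationEnforcement": {
            "authenticationMethodsRegistrationCampaign": {
                "snoozeDurationInDays": snooze_days,
                "state": state,
                # excludeTarget has no targetedAuthenticationMethod, only id and targetType
                "excludeTargets": [{"id": g, "targetType": "group"} for g in exclude_groups],
                "includeTargets": [campaign_target(g) for g in include_groups],
            }
        }
    }


def patch_policy(token, body):
    """Send the PATCH. The token must carry Policy.ReadWrite.AuthenticationMethod; returns the HTTP status."""
    req = urllib.request.Request(
        POLICY_URL,
        data=json.dumps(body).encode(),
        method="PATCH",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


# Hypothetical group ids for a staged rollout (constructed, not real objects).
PILOT_GROUP = "11111111-1111-1111-1111-111111111111"      # e.g. "MFA Authenticator pilot"
BREAK_GLASS_GROUP = "22222222-2222-2222-2222-222222222222"  # accounts that must not be nudged


def pilot_body():
    """A safer first step than all_users: nudge the pilot group, leave break-glass accounts alone."""
    return build_campaign_patch([PILOT_GROUP], exclude_groups=[BREAK_GLASS_GROUP], snooze_days=3)


if __name__ == "__main__":
    print(json.dumps(pilot_body(), indent=2))
    # patch_policy(token, pilot_body())  # with a real token from your tenant
```

Targeting all_users with snoozeDurationInDays = 1, as the body on this page does, reproduces the author’s configuration exactly; swapping in a pilot group and an exclusion list is the only change needed for a staged rollout.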

You will need the ‘Policy.ReadWrite.AuthenticationMethod’ scope, and with it the request succeeds:

The previous GET now returns “Enabled”:

After this I actually found the resource types in question are already documented!

So, let’s test it out. I have a user already enrolled to MFA using SMS:

Let’s test it out after enabling the campaign:

After signing in normally with the already configured SMS method, we see a new “Improve your sign-ins” screen!

Clicking Next sends us to a quite regular Microsoft Authenticator registration screen:

Notice that the Microsoft Authenticator is now set as the default sign-in method – and we are in:

We just targeted the registration campaign at all of our users, which might not be such a good idea: every one of them will see the nudge on their next MFA sign-in. Looking at the documentation we can easily target specific groups as well (and exclude others via excludeTargets), just like the authentication method policies for FIDO2, Authenticator passwordless and Temporary Access Pass:

Good luck rolling out the authenticator app!
