Australia | Changes to Azure AD Multi Factor Authentication (MFA) Numbers for Hybrid Scenarios

Neil Hoffman - 14.12.2021

Changes to Azure AD Multi Factor Authentication (MFA) Numbers for Hybrid Scenarios


There was a significant change from February 1st, 2021, for hybrid Active Directory deployments where users are managed in Active Directory and synced to Azure Active Directory using Azure AD Connect. This was likely a welcome change to organisations who are very security conscious about protecting identities as well as organisations wishing to simplify onboarding new users.

A LITTLE BACKGROUND HERE IS IN ORDER…

In Azure AD, a user account has two types of phone numbers: the public number and the authentication number. The public number is the phone number associated with their account which other users in the organisation can see, i.e., it shows up in their contact information. The authentication number, however, is the one which was entered for MFA or Self-Service Password Reset services, and is private and stored separately in Azure AD. This number is a cloud attribute, meaning it is not synced from Active Directory and can be managed by the user or an administrator in the respective portals:

  • Administrators can edit authentication phone numbers in the Azure AD admin portal (screenshot not reproduced).
  • End users can edit their own authentication numbers in the end-user portal (screenshot not reproduced).

Traditionally, there has been no correlation between these two numbers. For example, even if a user has a public phone number, they will still have to provide an authentication number the first time they are challenged for MFA to enroll in the service. Some organisations consider this a security risk, since if the credentials for a new user account were leaked, then enrollment of the authentication phone number really is a ‘first come, first served’ situation. Once a malicious actor was able to enroll their phone number in MFA, the account could pass a Conditional Access policy requiring MFA and be considered ‘trusted’.

WHAT IS CHANGING…

Going forward, if a synced user has a public phone number (which will be their phone number synced from Active Directory) and no authentication phone number, then the public phone number will be used to populate their authentication phone number. When this happens, the authentication phone number can still be edited by either the user or an administrator in the portals mentioned above.

Subsequent changes to a synced user’s public number in Active Directory will follow these rules:

  • If the public number and authentication number are the same, also update the authentication number
  • If the public number and authentication number are different, do not update the authentication number
  • If the public number is deleted, do not delete the corresponding authentication number
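The population rule and the three update rules above are easiest to reason about as a small state machine. The following is an added illustration written for this post, not Azure AD or Azure AD Connect code: it models a synced user's two numbers, applies the rules to constructed sample records, and includes a defender's check listing users who still have no authentication number and nothing to seed it from (the accounts still exposed to the first-come, first-served enrollment described earlier). Exact string equality is assumed when deciding whether the two numbers are "the same".

```python
from dataclasses import dataclass, replace
from typing import List, Optional

# Model of the hybrid phone-number rules described in the post. Added
# illustration only; the user records are constructed sample data.


@dataclass(frozen=True)
class SyncedUser:
    upn: str
    public_number: Optional[str]  # synced from on-premises Active Directory
    auth_number: Optional[str]    # cloud-only MFA / SSPR attribute


def populate_auth_number(user: SyncedUser) -> SyncedUser:
    """Population rule: a synced user with a public number and no
    authentication number gets the public number copied across."""
    if user.public_number and user.auth_number is None:
        return replace(user, auth_number=user.public_number)
    return user


def apply_public_number_change(user: SyncedUser, new_public: Optional[str]) -> SyncedUser:
    """Apply a later change to the public number coming from AD.
    new_public=None models the public number being deleted in AD."""
    if new_public is None:
        # Rule 3: public number deleted, authentication number is kept.
        return replace(user, public_number=None)
    if user.auth_number is None:
        # Still no authentication number: the population rule applies.
        return replace(user, public_number=new_public, auth_number=new_public)
    if user.auth_number == user.public_number:
        # Rule 1: numbers were the same (exact match assumed), both move.
        return replace(user, public_number=new_public, auth_number=new_public)
    # Rule 2: a distinct authentication number was set, leave it alone.
    return replace(user, public_number=new_public)


def enrollment_gaps(users: List[SyncedUser]) -> List[str]:
    """UPNs of users who would still enrol whatever number they are
    challenged with first: no authentication number and no public number
    to seed it from."""
    return [u.upn for u in users if u.auth_number is None and not u.public_number]


# Constructed sample data, not real accounts or numbers.
SAMPLE_USERS = [
    SyncedUser("alice@example.com", "+61 400 000 001", None),
    SyncedUser("bob@example.com", "+61 400 000 002", "+61 400 000 099"),
    SyncedUser("carol@example.com", None, None),
]


if __name__ == "__main__":
    seeded = [populate_auth_number(u) for u in SAMPLE_USERS]
    for u in seeded:
        print(f"{u.upn}: public={u.public_number} auth={u.auth_number}")
    print("still exposed to self-enrollment:", enrollment_gaps(seeded))
```

Running the block seeds Alice's authentication number from her public number, leaves Bob's distinct authentication number untouched, and reports Carol, who has neither number, as the remaining enrollment gap.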

I think this will be a welcome change for admins to better manage the onboarding experience of new users, while also providing more secure enrollment process options.
