There was a significant change from February 1st, 2021, for hybrid Active Directory deployments where users are managed in Active Directory and synced to Azure Active Directory using Azure AD Connect. This was likely a welcome change to organisations who are very security conscious about protecting identities as well as organisations wishing to simplify onboarding new users.
A LITTLE BACKGROUND HERE IS IN ORDER…
In Azure AD, a user account has two types of phone numbers: the public number and the authentication number. The public number is the phone number associated with the account which other users in the organisation can see, i.e., it shows up in the user's contact information. The authentication number, however, is the one entered for MFA or Self-Service Password Reset, and it is private and stored separately in Azure AD. This number is a cloud attribute, meaning it is not synced from Active Directory and can be managed by the user or an administrator in the respective portals, as shown below:
- Administrators can edit authentication phone numbers in the admin portal (screenshot not reproduced here).
Traditionally, there has been no correlation between these two numbers. For example, even if a user has a public phone number, they will still have to provide an authentication number the first time they are challenged for MFA in order to enroll in the service. Some organisations consider this a security risk: if the credentials for a new user account were leaked, then enrollment of the authentication phone number really is a 'first come, first served' situation. Once a malicious actor had enrolled their own phone number in MFA, the account could pass a Conditional Access policy requiring MFA and be considered 'trusted'.
WHAT IS CHANGING…
Going forward, if a synced user has a public phone number (which will be their phone number synced from Active Directory) and no authentication phone number, then the public phone number will be used to populate their authentication phone number. When this happens, the authentication phone number can still be edited by either the user or the administrator in the respective portals.
Subsequent changes to a synced user’s public number in Active Directory will follow these rules:
- If the public number and authentication number are the same, also update the authentication number
- If the public number and authentication number are different, do not update the authentication number
- If the public number is deleted, do not delete the corresponding authentication number
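The population rule and the three update rules above, modelled in Python as an added example (this is not Microsoft's or Insentra's code). It assumes a hypothetical exported list of synced users and reads the rules such that the population check is re-evaluated on every sync; the audit helper shows which accounts would be affected before the change lands.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class SyncedUser:
    upn: str
    public_phone: Optional[str]   # synced from on-premises Active Directory
    auth_phone: Optional[str]     # cloud-only MFA / SSPR attribute

def populate_auth_from_public(u: SyncedUser) -> SyncedUser:
    """A synced user with a public number and no authentication number
    gets the public number copied into the authentication number."""
    if u.public_phone and not u.auth_phone:
        return replace(u, auth_phone=u.public_phone)
    return u

def apply_public_change(u: SyncedUser, new_public: Optional[str]) -> SyncedUser:
    """Apply a later change to the public number in AD, following the three
    rules, then re-run the population check (assumption: it runs each sync)."""
    if new_public is None:
        # Rule 3: deleting the public number never deletes the auth number
        return replace(u, public_phone=None)
    if u.auth_phone is not None and u.auth_phone == u.public_phone:
        # Rule 1: the two numbers matched, so the auth number follows
        return replace(u, public_phone=new_public, auth_phone=new_public)
    # Rule 2: the numbers differed, so the auth number is left alone
    return populate_auth_from_public(replace(u, public_phone=new_public))

def audit(users):
    """Pre-change review: which accounts will have an auth number auto-populated
    from AD, and which already hold an auth number that differs from AD."""
    to_populate = [u.upn for u in users if u.public_phone and not u.auth_phone]
    mismatched = [u.upn for u in users
                  if u.public_phone and u.auth_phone and u.public_phone != u.auth_phone]
    return to_populate, mismatched

# Constructed sample export (hypothetical accounts, not real data)
SAMPLE = [
    SyncedUser("alice@example.com", "+61 2 5550 0101", None),
    SyncedUser("bob@example.com", "+61 2 5550 0102", "+61 4 5550 0999"),
    SyncedUser("carol@example.com", None, None),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```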
I think this will be a welcome change for admins who want to better manage the onboarding experience of new users, while also providing more secure enrollment options.