Skip to main content
Version: 2.1.1-preview

CISA.MS.AAD.3.3 - If Microsoft Authenticator is enabled, it SHALL be configured to show login context information.

Overview

If Microsoft Authenticator is enabled, it SHALL be configured to show login context information.

Rationale: This policy helps protect the tenant when Microsoft Authenticator is used by showing user context information, which helps reduce MFA phishing compromises.

Remediation action:

If Microsoft Authenticator is in use, configure Authenticator to display context information to users when they log in.

  1. In Entra ID, click Security > Authentication Methods > Microsoft Authenticator.
  2. Click the Configure tab.
  3. For Allow use of Microsoft Authenticator OTP select No.
  4. Under Show application name in push and passwordless notifications select Status > Enabled and Target > Include > All users.
  5. Under Show geographic location in push and passwordless notifications select Status > Enabled and Target > Include > All users.
  6. Select Save.

Test Metadata

FieldValue
Test IDCISA.MS.AAD.3.3
SeverityMedium
SuiteCISA
CategoryEntra ID P1
PowerShell testTest-MtCisaAuthenticatorContext
TagsCISA, CISA.MS.AAD.3.3, Entra ID P1, MS.AAD, MS.AAD.3.3

Remediation

If Microsoft Authenticator is in use, configure Authenticator to display context information to users when they log in.

  1. In Entra ID, click Security > Authentication Methods > Microsoft Authenticator.
  2. Click the Configure tab.
  3. For Allow use of Microsoft Authenticator OTP select No.
  4. Under Show application name in push and passwordless notifications select Status > Enabled and Target > Include > All users.
  5. Under Show geographic location in push and passwordless notifications select Status > Enabled and Target > Include > All users.
  6. Select Save.

Source

  • Pester test: tests/cisa/entra/Test-MtCisaAuthenticatorContext.Tests.ps1
  • PowerShell source: powershell/public/cisa/entra/Test-MtCisaAuthenticatorContext.ps1