This setting enables some additional features of the Microsoft 365 MFA to help protect users from common attacks. Office Protect configures your Authentication Methods and MFA Registration Campaign to ensure that users that are registered for MFA in your organizations are authenticating using the industry's best practices:
- Users relying on SMS or email MFA will now be prompted to use a phishing-resistant method of authentication like the Authenticator app. Note that they can still skip the method, but they will be reminded to register for the Authenticator at regular intervals (every 14 days).
- Context will add the application name and location to the MFA request
- Number matching will request the user to type in a number provided on the screen into the Authenticator app, this will ensure that the user has access to both the Sign-In request and their Microsoft Authenticator app. This requires an additional input from your users and might feel a little bit more impacting, but it ensures that the user has access to both devices before performing an authentication.
Note: This setting does not enforce MFA on your users, it only strengthens it on users who are already registered with MFA.
You can find the setting in the Azure AD Portal, in the Security/Authentication Methods section.
Here's an example of user experience when authenticating with Context & Number Matching:
- When logging into an app or the M365 Portal, the user will have to approve a sign in request with their Microsoft Authenticator
- The user will then have to input the value displayed in the login page into their authenticator to complete the process
References:
- Microsoft Documentation about MFA registration campaign: https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-registration-campaign
- Microsoft Documentation about Sign-In Context: https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-number-match