
Pontus Själander 24 Nov 2021

How to enable MFA Code Matching

Microsoft has released a new(ish) MFA method, currently in Public Preview, that is available both for users running passwordless sign-in and for users on regular password authentication combined with MFA/Conditional Access.
With code matching (labelled "number matching" in the portal), the user is shown a number on the sign-in screen and must type that number into the Microsoft Authenticator app to complete the MFA challenge (or as the first step when signing in passwordless).
If you choose to enable it, the Authenticator app can also give the user some context for the MFA challenge: it shows the application and the location of the sign-in the user is about to approve.
It is now possible to enable and configure this in the Azure AD portal; earlier you needed to enable it through the Graph API.

Example of end-user experience

Sign-in attempt (I guess Microsoft will update this view before the feature reaches GA)


Experience in the authenticator app with code matching and context enabled

 

This MFA method requires more attention from the end user, but it also reduces the risk of users accidentally approving an MFA challenge from a push notification, where they only need to press "Approve".
Now the user needs to have the code from the sign-in screen in front of them, and is presented with context about the sign-in they are approving.

How to enable Code Matching with context for all users

Follow the steps below to enable code matching for all users:

 

1. Open Azure Active Directory

2. Open Security

3. Open Authentication methods

4. Select Microsoft Authenticator

5. Click on the three dots, and select “Configure”

6. Set Authentication mode to "Any", enable both "Require number matching" and "Show additional context in the notification", and save

Please note that with the settings above, code matching is required for all users who use the Microsoft Authenticator app as their MFA method. In a production environment, you should wait for the feature to reach GA, roll it out step by step (for example to a pilot group first), and, as always, communicate the change to the organization.
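The same configuration as the six portal steps above, applied through the Microsoft Graph beta endpoint that the post mentions as the earlier way to enable the feature. This is an added example, not code from the original post or from Microsoft. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in admin can consent to the Policy.ReadWrite.AuthenticationMethod permission, and that the $TargetGroupId parameter (either the special value all_users or the object ID of a pilot group) is supplied by you; the parameter name is an assumption of this example.

```powershell
# Added example, not from the original post: enable number matching and
# additional context for Microsoft Authenticator via the Graph beta endpoint.
# Assumes the Microsoft.Graph PowerShell SDK and an admin who can consent to
# Policy.ReadWrite.AuthenticationMethod.
# $TargetGroupId is an assumption of this example: "all_users" targets everyone
# (the portal's "all users" setting); a group object ID gives a staged rollout.
param(
    [string]$TargetGroupId = "all_users"
)

Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"

$uri = "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator"

# Same three settings as portal step 6: authentication mode "any",
# "Require number matching" and "Show additional context in the notification".
$body = @{
    "@odata.type"   = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration"
    id              = "microsoftAuthenticator"
    state           = "enabled"
    featureSettings = @{
        numberMatchingRequiredState = @{
            state         = "enabled"
            includeTarget = @{ targetType = "group"; id = $TargetGroupId }
        }
        displayAppInformationRequiredState = @{
            state         = "enabled"
            includeTarget = @{ targetType = "group"; id = $TargetGroupId }
        }
    }
    includeTargets  = @(
        @{
            targetType             = "group"
            id                     = $TargetGroupId
            isRegistrationRequired = $false
            authenticationMode     = "any"
        }
    )
}

Invoke-MgGraphRequest -Method PATCH -Uri $uri `
    -Body ($body | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Read the policy back so the change can be verified before telling users.
$policy = Invoke-MgGraphRequest -Method GET -Uri $uri
$policy.featureSettings.numberMatchingRequiredState
$policy.featureSettings.displayAppInformationRequiredState
```

Running the script with the object ID of a pilot group instead of all_users is the step-by-step rollout the note above recommends: only members of that group get number matching and context, and widening the scope later is a second PATCH with a different target. The property names are those of the beta endpoint at the time of the post; Microsoft has since made number matching mandatory for all Authenticator push approvals, so check the current documentation before relying on the numberMatchingRequiredState setting.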