MFA or Certificate-based authentication for end users

Tom Meeus 141 Reputation points

Hi all,

I was looking to create some secure CA rules and I stumbled upon this little line in the Microsoft Authenticator methods:
Number Matching will begin to be enabled for all users of the Microsoft Authenticator app starting 27th of February 2023.

So I've used this before for admin roles, but for an end user it is a pain in the backside.
I'm looking into new, easier ways of enforcing this and I came upon this "Certificate-based authentication".

Is this more secure than an MFA popup and easier to use for the end user?


Accepted answer
  1. Nagappan Veerappan 651 Reputation points Microsoft Employee

    Thank you for asking. Any passwordless (phishing-resistant) strong credentials are recommended for end users (WHFB, CBA, FIDO2, phone sign-in). Those credentials satisfy the MFA requirement.

    The reason for enabling "Number matching" is that Microsoft security observed MFA fatigue with push notifications: users were being compromised by simply approving the "push notification", as they are not aware whether it is genuine or attacker-initiated.

    Number match would prevent the compromise, since the end user doesn't know the number to enter if an attacker initiated the session for MFA or passwordless phone sign-in.

    Solution-wise, it really depends on what devices end users have and what type of users they are (cloud-only or on-prem synced):

    1. If all are Windows 10 21H2/Win11 physical machines with TPM, WHFB Hybrid Cloud Trust works, no PKI involved; an elegant solution.
    2. If you have PKI infra already established and the CDP published over HTTP, certificates can be pushed to users and you can use CBA auth at AAD.
      Note: it has a few unsupported scenarios; take a look at those in the document.
      If you can push certificates to mobile devices, you can think of CBA as an alternative option.

    3. FIDO2 is not yet supported by all browsers, and there is a cost associated with buying FIDO2 keys.

    4. If you don't want to hang on to on-prem and are planning to issue new devices for future users: Azure AD manages the auth for users from the managed domain.
      Use TAP to complete OOBE setup, join the device to AADJ (cloud domain join) and complete WHFB.
      Use VPN (rarely, if they need to) to connect to on-prem from AADJ.

    5. Phone sign-in: I don't need to explain, since you mentioned not looking into phone sign-in options, as end users have to go through some of the simple and secure auth methods above.

    Please review with your org identity architect and then decide what suits you best.

    Happy Thanksgiving!

    Feel free to reach out if you have any additional questions.

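A constructed example, added here and not part of the answer or of any Microsoft code, that models the distinction the accepted answer draws: plain push approval can be passed by a fatigued user who taps "approve" on an attacker-initiated prompt, while number matching fails because the number is only ever shown on the sign-in screen of whoever started the attempt, never in the push itself. The `PushMfaService`, `SignInAttempt` and `simulate` names, the user "alice" and the two-digit code range are all assumptions of this toy model.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class SignInAttempt:
    """One pending sign-in. The number is displayed only on the sign-in page
    of whoever started the attempt; it is never included in the push notification."""
    session_id: str
    username: str
    number: int
    approved: bool = False


class PushMfaService:
    """Constructed toy model of Authenticator push approval, with and without
    number matching. Not Microsoft's implementation."""

    def __init__(self, require_number_match: bool) -> None:
        self.require_number_match = require_number_match
        self.attempts: dict[str, SignInAttempt] = {}

    def start_sign_in(self, username: str) -> SignInAttempt:
        attempt = SignInAttempt(
            session_id=secrets.token_hex(4),
            username=username,
            number=secrets.randbelow(100),  # two-digit code shown on the sign-in page (assumed range)
        )
        self.attempts[attempt.session_id] = attempt
        return attempt

    def push_notification(self, session_id: str) -> dict:
        """What the phone receives: a session reference and a prompt, never the number."""
        if self.require_number_match:
            prompt = "Enter the number shown on your sign-in screen"
        else:
            prompt = "Approve sign-in?"
        return {"session_id": session_id, "prompt": prompt}

    def approve(self, session_id: str, entered_number: Optional[int]) -> bool:
        """Handle the user's tap on the push. Returns True if the sign-in is approved."""
        attempt = self.attempts[session_id]
        if self.require_number_match and entered_number != attempt.number:
            return False  # missing or wrong number: the approval is rejected
        attempt.approved = True
        return True


def simulate(require_number_match: bool, attacker_initiated: bool) -> bool:
    """Return True if the sign-in ends up approved.

    The modelled user suffers from MFA fatigue and approves every push. With
    number matching she must also type the number, which she can only read
    from a sign-in screen in front of her; an attacker-initiated attempt shows
    that number to the attacker, not to her, so she has nothing to enter.
    """
    svc = PushMfaService(require_number_match)
    attempt = svc.start_sign_in("alice")
    push = svc.push_notification(attempt.session_id)

    # The number is visible to the user only when she started the sign-in herself.
    number_visible_to_user = None if attacker_initiated else attempt.number
    return svc.approve(push["session_id"], number_visible_to_user)


if __name__ == "__main__":
    for number_match in (False, True):
        for attacker in (False, True):
            outcome = simulate(number_match, attacker)
            print(f"number_match={number_match!s:5} attacker_initiated={attacker!s:5} "
                  f"-> approved={outcome}")
```

Running the block prints four outcomes: without number matching both the genuine and the attacker-initiated sign-ins are approved, which is exactly the fatigue problem; with number matching only the genuine one is. The model deliberately leaves out a user who guesses the number: the point of the answer is that the user has no legitimate way to learn it, and a real service would also limit how many approvals a single attempt can consume.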

1 additional answer

  1. Limitless Technology 44,096 Reputation points


    Thank you for posting your query.

    Kindly follow the steps provided below to resolve your issue.

    I found an article about how to configure Azure AD certificate-based authentication; hope this helps.

    Do not hesitate to message us if you need further assistance.

    Go to this link for your reference and other troubleshooting procedures.


    If the answer is helpful, kindly click "Accept as Answer" and upvote it.
