MFA NPS extension > disabling push notification

Pieter Huygens 25 Reputation points
2023-03-27T10:52:40.4233333+00:00

Dear,

We've rolled out MFA NPS extension for our VPN solution.

Several users are MFA registered in Office365 with push notification via MS authenticator app.

We want to get rid of the push notification and we want to disable it via Azure AD.

What happens with our NPS VPN users in this case?

It seems that, although we disabled push notification, users who have registered in the past for push notification can still authenticate via push for the VPN.

Is this by design? I expected that once we disabled push notification, no one in the organisation should be able to use push anymore, but this seems to affect only new registrations for MFA?

Any ideas?


Accepted answer
  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2023-03-28T00:28:05.5933333+00:00

    Hi @Anonymous,

    It sounds like your best bet would be to enable OTP enforced by number matching to override the Approve/Deny options in push notifications and require an OTP instead.

    In order to do this, you need to make sure that the registry key OVERRIDE_NUMBER_MATCHING_WITH_OTP is set to "TRUE" on the NPS server.

    This will only work on NPS extension version 1.0.1.40 or later, and only for users who have Authenticator registered as an authentication method. Additional limitations around this setting are noted in How to MFA Number Match.

    Let me know if this meets your requirements and if you have further questions.

    If the information helped you, please Accept the answer. This will help us as well as others in the community who might be researching similar information.

