Stop sharing of MFA, enforce possession factor?

mbtest 1 Reputation point
2022-06-17T12:54:16.407+00:00

Hello,

I have a challenge where I have a set of administrative users who are sharing an MFA token. I believe they are doing this by sharing the enrollment seed (QR code) between multiple devices.

I was able to replicate this today by scanning the code with an app, and adding the token manually on two devices.

My goal is to stop sharing of MFA, and I think the best way to do this is to enforce the possession factor by enforcing push notification on the app.

This is fairly easy to do in Okta, but I can't figure out exactly how to do this in AzureAD. It appears that multi factor doesn't allow explicit control over factoring methods (even via CAPs).

Am I correct?

Thanks,

Matt
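
An added example, not part of the original post: it shows why a TOTP seed delivered as a QR code is not bound to one device, since every app that scans it derives the same codes and the verifier cannot tell the copies apart. The enrollment URI, account name and `Device` class are constructed for illustration, and the secret is the published RFC 6238 test key.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs

# Constructed enrollment URI (what the QR code encodes); RFC 6238 test key, not a real seed.
ENROLL_URI = ("otpauth://totp/Example:admin@example.test"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30")

def parse_otpauth(uri):
    """Extract the shared secret, digit count and period from an otpauth:// URI."""
    q = parse_qs(urlparse(uri).query)
    secret = q["secret"][0].upper()
    secret += "=" * (-len(secret) % 8)  # restore base32 padding if it was stripped
    return base64.b32decode(secret), int(q.get("digits", ["6"])[0]), int(q.get("period", ["30"])[0])

def totp(key, unix_time, digits=6, period=30):
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    counter = struct.pack(">Q", unix_time // period)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Device:
    """Hypothetical authenticator app: its only state is what the QR code gave it."""
    def __init__(self, name, uri):
        self.name = name
        self.key, self.digits, self.period = parse_otpauth(uri)

    def code(self, unix_time):
        return totp(self.key, unix_time, self.digits, self.period)

def server_verify(uri, submitted, unix_time, window=1):
    """Verifier side: accept a code from the current or an adjacent time step."""
    key, digits, period = parse_otpauth(uri)
    return any(hmac.compare_digest(totp(key, unix_time + d * period, digits, period), submitted)
               for d in range(-window, window + 1))

def demo(unix_time=59):
    # Two devices enrolled from the same QR code produce the same code,
    # and the verifier accepts it from either one.
    a, b = Device("phone-A", ENROLL_URI), Device("phone-B", ENROLL_URI)
    return a.code(unix_time), b.code(unix_time), server_verify(ENROLL_URI, b.code(unix_time), unix_time)

if __name__ == "__main__":
    print(demo())
```

Nothing in the code computation identifies the device, so a code from a copied seed verifies exactly like one from the original enrollment.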


1 answer

  1. James Hamil 26,881 Reputation points Microsoft Employee
    2022-06-20T20:41:23.05+00:00

    Hi @mbtest, are you trying to get rid of the shared token and just have per-user MFA? Please let me know if I misunderstood your question. If so, have you followed this document?
