Multi-factor authentication (MFA) prompts warn Microsoft users about a security concern that requires action. For example, Microsoft can’t verify a user’s identity and needs the person to scan their fingerprint or enter a code on their cell phone. Sometimes, MFA prompts are justified; other times, prompts are frequent and unnecessary, making them a nuisance for employees in your organization.
If your team receives too many prompts, there are several steps you can take to address the problem. This blog post will help you consider the factors causing excessive prompts, reduce notifications, and learn how a reputable Microsoft partner can improve security across your organization.
What Are Multi-Factor Authentication Prompts?
MFA provides an extra level of security to the sign-in process when employees access Microsoft accounts and apps. Instead of just logging in to a Microsoft product or service with a username or password, multi-factor authentication requires users to provide additional identity verification credentials such as:
- Personal identification numbers (PINs)
- Text messages
- Phone calls
- Server transmitted one-time passcodes (OTP)
- Time-based one-time-passcodes (TOTP) on OATH hardware
- Authentication applications such as the Microsoft Authenticator
- Windows Hello
- FIDO tokens
MFA prompts ask users to enter the above credential types based on various factors. Those factors include the level of security you want to assign to the Microsoft products and services you use, such as Microsoft Azure.
Why Are Employees Receiving MFA Prompts So Often?
Frequent multi-factor authentication prompts aren’t unique to Microsoft products and services. Employees should expect prompts at the start of each new session, regardless of the app or account used, according to the University of Oxford’s IT department. Then, after time, notifications might decrease in frequency when employees use the same devices from the same locations. However, some users might receive more MFA prompts than others, and employees should expect frequent notifications if any unusual activity is associated with their account.
The University of Oxford also says users should anticipate MFA prompts when first logging into an app or service that requires an SSO (Single Sign On) login. How often employees receive notifications depends on the service used and whether they access a service through a browser or mobile app.
Regardless of the reason, frequent MFA prompts can prove a nuisance for employees accessing Microsoft services and even slow down productivity in your organization. Too many prompts can result in blind authorizations of fraudulent requests and make it harder for workers to access the technologies required to do their day-to-day tasks.
A Step-By-Step Guide To Reducing MFA Prompts
Here are some tips for reducing the number of multi-factor authentication prompts that teams receive:
1. Configure the log analytics wizard in Azure Active Directory. This process might take a while as AAD gathers data.
2. Discover which methods and device types are generating the most prompts—and how often each of those methods and devices generates prompts. (The log analytics wizard conveys this information as a percentage.)
3. Next, check which operating systems generate the most MFA prompts. That will help you determine whether prompts are more likely to come from workstations or mobile devices. This information is available in charts, making it easier to view the source of prompts. You can even see older operating systems that might still be active in your environment.
4. Other charts in the log analytics wizard help you determine the source of prompts. The Device chart will show you the status of each device used in your organization (unmanaged, AAD-joined, hybrid, etc.), enabling you to figure out which devices produce the most notifications.
5. The User chart gives additional information about the users who receive the most multi-factor authentication prompts. Check whether these users travel frequently or log in to multiple devices, which could cause recurring notifications. If any users appear under the “Risky Sign-In” section on the Azure admin page, investigate these users immediately. Perhaps their accounts are under attack or something nefarious is going on.
How a Microsoft Partner Can Help with MFA Prompts
While the guide to reducing MFA prompts above looks straightforward, there are prerequisites for the process to work properly. For example, you can only configure log analytics in AAD if you have an Azure subscription with at least one P1 licensed admin.
Complexities like this that prove the value of working with a reputable Microsoft partner who can check that you have the right license and ensure you take the correct steps to reduce unnecessary multi-factor authentication prompts. A partner can also optimize security across the Microsoft ecosystem, helping you secure the products and services used in your organization and protect your most-prized asset: data.
Multi-factor authentication is an incredible security resource for all Microsoft users, helping identify threats that could put your organization at risk. However, frequent and unnecessary MFA prompts can make life miserable for employees who want to get on with their jobs without continuously verifying their identities. Follow the tips above to reduce MFA prompts and consider a Microsoft partner to optimize your entire security posture.
Dynamic Consultants Group is your trusted gold partner for Microsoft consulting. Talk with an expert now.
With nearly 10 years of experience in end-user and enterprise-level support across all M365 and Azure areas, Grant is an M365 Support Engineer at Dynamic Consultants Group.