CISA.MS.AAD.3.3 - If Microsoft Authenticator is enabled, it SHALL be configured to show login context information.
Overview
If Microsoft Authenticator is enabled, it SHALL be configured to show login context information.
Rationale: This policy helps protect the tenant when Microsoft Authenticator is used by showing the user login context information (the requesting application and its geographic location), so that a push notification the user did not initiate stands out and MFA phishing compromises are reduced.
Remediation action:
If Microsoft Authenticator is in use, configure Authenticator to display context information to users when they log in.
- In Entra ID, click Security > Authentication Methods > Microsoft Authenticator.
- Click the Configure tab.
- For Allow use of Microsoft Authenticator OTP select No.
- Under Show application name in push and passwordless notifications select Status > Enabled and Target > Include > All users.
- Under Show geographic location in push and passwordless notifications select Status > Enabled and Target > Include > All users.
- Select Save.
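As an added example (not the Maester project's own Test-MtCisaAuthenticatorContext code), the following PowerShell function evaluates the Microsoft Authenticator method configuration, as returned by Microsoft Graph, against the three settings in the steps above. The sample object is constructed; the commented live call assumes the Microsoft.Graph.Authentication module and a prior Connect-MgGraph with Policy.Read.All.

```powershell
# Evaluate a Graph "MicrosoftAuthenticator" authentication method configuration
# against CISA.MS.AAD.3.3. $Config may be the hashtable returned by
# Invoke-MgGraphRequest or a constructed object with the same shape.
function Test-AuthenticatorContextConfig {
    param([Parameter(Mandatory)] $Config)

    $findings = [System.Collections.Generic.List[string]]::new()
    $fs = $Config.featureSettings

    # Step "Allow use of Microsoft Authenticator OTP -> No"
    if ($Config.isSoftwareOathEnabled -ne $false) {
        $findings.Add('isSoftwareOathEnabled is not false (Authenticator OTP still allowed)')
    }

    # Steps "Show application name" and "Show geographic location":
    # both must be Enabled and targeted at all users.
    foreach ($name in 'displayAppInformationRequiredState', 'displayLocationInformationRequiredState') {
        $setting = $fs.$name
        if ($null -eq $setting -or $setting.state -ne 'enabled') {
            $findings.Add("$name is not enabled")
            continue
        }
        if ($setting.includeTarget.id -ne 'all_users') {
            $findings.Add("$name is enabled but not targeted at all users (include target: $($setting.includeTarget.id))")
        }
    }

    [pscustomobject]@{
        Passed   = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Constructed sample mirroring the Graph response shape (not data from a real tenant):
# OTP still allowed and location display disabled, so the check should fail twice.
$sample = @{
    isSoftwareOathEnabled = $true
    featureSettings = @{
        displayAppInformationRequiredState      = @{ state = 'enabled';  includeTarget = @{ targetType = 'group'; id = 'all_users' } }
        displayLocationInformationRequiredState = @{ state = 'disabled'; includeTarget = @{ targetType = 'group'; id = 'all_users' } }
    }
}
$result = Test-AuthenticatorContextConfig -Config $sample
$result.Passed      # False
$result.Findings    # two findings

# Live check (assumes Connect-MgGraph -Scopes Policy.Read.All has been run):
# $live = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator'
# Test-AuthenticatorContextConfig -Config $live
```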
Test Metadata
| Field | Value |
|---|---|
| Test ID | CISA.MS.AAD.3.3 |
| Severity | Medium |
| Suite | CISA |
| Category | Entra ID P1 |
| PowerShell test | Test-MtCisaAuthenticatorContext |
| Tags | CISA, CISA.MS.AAD.3.3, Entra ID P1, MS.AAD, MS.AAD.3.3 |
Source
- Pester test: tests/cisa/entra/Test-MtCisaAuthenticatorContext.Tests.ps1
- PowerShell source: powershell/public/cisa/entra/Test-MtCisaAuthenticatorContext.ps1