Notes from the field: Microsoft Azure MFA Number Matching and the one with the NPS extension

Regarding the upcoming change to Microsoft MFA number matching, some customers started asking me: hey, what's going on? Do we need to do something? Is there any impact on our users?

Well, the short answer is yes.

The long answer is: well, it depends. Can we live with the current setup, or is something going to break?

I tested this in my lab setup, in which I have this configured for several scenarios such as Citrix Gateway and VMware UAG/Connection Servers.

Before you start, look at the upcoming changes and do READ this a couple of times. Stefan Dingemanse and I (we did this dance together) found that it wasn't clearly described what is going to happen and how you can validate that everything is working.

The articles:

Use number matching in multifactor authentication (MFA) notifications – Azure Active Directory – Microsoft Entra | Microsoft Learn

Use Azure AD Multi-Factor Authentication with NPS – Azure Active Directory – Microsoft Entra | Microsoft Learn

The outcome after the following:

  • Updated my NPS extension
  • Updated my certificate as well (because that one is always expiring anyway)
  • And did nothing

The behavior is still the same: I only get an approve/deny experience, no number matching. And that's it; the NPS extension doesn't know about any number, so the experience stays the same.

The outcome after the following:

  • Added the registry key that forces OTP input

The behavior is that the logon shows a proper OTP input prompt. The mandatory item is that OTP is enabled and users have an OTP method configured; otherwise it will still fall back to the approve/deny experience.
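To make the three checks above repeatable (extension version, the OTP override key, certificate expiry), here is a small PowerShell check I would run on the NPS server. This is an added example, not code from the post or from Microsoft. It assumes the value and registry path names that the Microsoft NPS extension article linked above documents (HKLM\SOFTWARE\Microsoft\AzureMfa and OVERRIDE_NUMBER_MATCHING_WITH_OTP), that the extension registers an uninstall entry whose DisplayName contains "NPS Extension", and that the extension's client certificate carries your tenant ID in its subject; verify those against the article before relying on them.

```powershell
# Added example (not from the post). Run in an elevated PowerShell session on the NPS server.
# Assumptions, to be verified against the Microsoft NPS extension article:
#   - the extension's uninstall entry has a DisplayName containing "NPS Extension"
#   - its settings live under HKLM:\SOFTWARE\Microsoft\AzureMfa
#   - the OTP override value is the string OVERRIDE_NUMBER_MATCHING_WITH_OTP = TRUE/FALSE
#   - the client certificate in LocalMachine\My has the tenant ID in its subject

$TenantId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace with your tenant ID
$MfaKey   = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'

# 1. Installed extension version (checks both 64-bit and WOW6432Node uninstall hives)
$uninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$ext = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
       Where-Object { $_.DisplayName -like '*NPS Extension*' }
if ($ext) {
    "NPS extension installed: {0} {1}" -f $ext.DisplayName, $ext.DisplayVersion
} else {
    Write-Warning 'NPS extension not found in the Uninstall registry keys'
}

# 2. OTP override: TRUE forces the OTP prompt instead of approve/deny
$override = (Get-ItemProperty -Path $MfaKey -Name 'OVERRIDE_NUMBER_MATCHING_WITH_OTP' `
             -ErrorAction SilentlyContinue).OVERRIDE_NUMBER_MATCHING_WITH_OTP
if ($null -eq $override) {
    'OVERRIDE_NUMBER_MATCHING_WITH_OTP is not set (extension default applies)'
} else {
    "OVERRIDE_NUMBER_MATCHING_WITH_OTP = $override"
}

# To force the OTP prompt, set the value and restart the NPS service (service name IAS):
# New-ItemProperty -Path $MfaKey -Name 'OVERRIDE_NUMBER_MATCHING_WITH_OTP' `
#     -Value 'TRUE' -PropertyType String -Force
# Restart-Service -Name IAS

# 3. Client certificate: report days until expiry for every cert carrying the tenant ID
$certs = Get-ChildItem -Path Cert:\LocalMachine\My |
         Where-Object { $_.Subject -like "*$TenantId*" }
if (-not $certs) {
    Write-Warning "No certificate with tenant ID $TenantId found in LocalMachine\My"
}
foreach ($c in $certs) {
    $days = [int]($c.NotAfter - (Get-Date)).TotalDays
    "{0}  expires {1:yyyy-MM-dd} ({2} days left)" -f $c.Thumbprint, $c.NotAfter, $days
    if ($days -lt 30) { Write-Warning "Certificate $($c.Thumbprint) expires within 30 days" }
}
```

Run it before and after the extension update: the version line tells you whether the update actually landed, the override line tells you which prompt (OTP or approve/deny) your RADIUS clients should be getting, and the certificate line catches the expiry that otherwise shows up as an unexplained MFA failure.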

So it seems that if you just update the NPS extension to the latest version, all will be fine. And if you really want the same experience across all your integrations, look at how to integrate all the solutions with a SAML or OAuth setup so it is consistent across all the pieces.

Hope it helps!