There was a significant change from February 1st, 2021, for hybrid Active Directory deployments where users are managed in Active Directory and synced to Azure Active Directory using Azure AD Connect. This was likely a welcome change for organizations that are very security conscious about protecting identities, as well as for organizations wishing to simplify onboarding of new users.

In Azure AD, a user account has two types of phone numbers: the public number and the authentication number. The public number is the phone number associated with the account which other users in the organization can see, i.e., it shows up in their contact information. The authentication number, however, is the one entered for MFA or Self-Service Password Reset services; it is private and stored separately in Azure AD. This number is a cloud attribute, meaning it is not synced from Active Directory and can be managed by the user or an administrator in the respective portals:

Administrators can edit authentication phone numbers here: [screenshot not preserved]

End users can edit authentication numbers here: [screenshot not preserved]

Traditionally, there has been no correlation between these two numbers. For example, even if a user has a public phone number, they will still have to provide an authentication number the first time they are challenged for MFA in order to enroll in the service. Some organizations consider this a security risk, since if the credentials for a new user account were leaked, enrollment of the authentication phone number becomes a 'first come, first served' situation. Once a malicious actor was able to enroll their phone number in MFA, the account could pass a Conditional Access policy requiring MFA and be considered 'trusted'.

Going forward, if a synced user has a public phone number (which will be their phone number synced from Active Directory) and no authentication phone number, then the public phone number will be used to populate their authentication phone number. If this condition is met and this event occurs, the authentication phone number can still be edited by either the user or the administrator in the portals as shown above.
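An administrator will usually want to verify the two numbers for their own synced users rather than take the behaviour on trust: which accounts still have a public phone number but no authentication phone number (the enrollment window the post describes), and which have an authentication number that does not match the synced one. The following audit script is an added example, not part of the original post or any Microsoft documentation. It assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in account has the `User.Read.All` and `UserAuthenticationMethod.Read.All` delegated permissions, and that phone numbers can be compared after stripping everything but digits (a simplifying assumption; numbers stored with different country-code conventions may need more normalisation).

```powershell
# Added audit example (not the post's own code). Assumes the Microsoft.Graph module
# and the User.Read.All / UserAuthenticationMethod.Read.All delegated permissions.
Connect-MgGraph -Scopes 'User.Read.All', 'UserAuthenticationMethod.Read.All'

# Digits-only comparison key; assumption: numbers are comparable once formatting is removed.
function Get-PhoneKey {
    param([string]$Number)
    return ($Number -replace '\D', '')
}

# Synced users and their public (Active Directory-sourced) phone numbers.
$users = Get-MgUser -All -Property Id, UserPrincipalName, OnPremisesSyncEnabled, MobilePhone, BusinessPhones |
    Where-Object { $_.OnPremisesSyncEnabled -eq $true }

$report = foreach ($u in $users) {
    $publicPhones = @(@($u.MobilePhone) + @($u.BusinessPhones) | Where-Object { $_ })

    # Authentication phone methods are the private cloud attribute the post describes.
    $authPhones = @(Get-MgUserAuthenticationPhoneMethod -UserId $u.Id -ErrorAction SilentlyContinue)

    $publicKeys = $publicPhones | ForEach-Object { Get-PhoneKey $_ }
    $authKeys   = $authPhones   | ForEach-Object { Get-PhoneKey $_.PhoneNumber }

    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        PublicPhones      = ($publicPhones -join '; ')
        AuthPhones        = (($authPhones | ForEach-Object { $_.PhoneNumber }) -join '; ')
        # Public number present, no authentication number: the 'first come, first served'
        # enrollment situation still applies to this account.
        NoAuthPhone       = ($publicPhones.Count -gt 0 -and $authPhones.Count -eq 0)
        # Both present but none of the authentication numbers matches a public number:
        # worth a look if the account was expected to be populated from the synced number.
        Mismatch          = ($publicPhones.Count -gt 0 -and $authPhones.Count -gt 0 -and
                             -not ($authKeys | Where-Object { $publicKeys -contains $_ }))
    }
}

# Only the accounts that need attention.
$report | Where-Object { $_.NoAuthPhone -or $_.Mismatch } | Format-Table -AutoSize
```

Accounts flagged `NoAuthPhone` are the ones an attacker holding leaked credentials could still enroll a phone on; accounts flagged `Mismatch` have had an authentication number set that differs from the synced public number, which is normal when a user chose a different number but is worth confirming with the user for recently created accounts. The script only inspects phone methods, so a user registered with the Authenticator app alone will also appear under `NoAuthPhone`.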