Multi-Factor Authentication (MFA) Management
Azure Active Directory Multi-Factor Authentication (MFA) adds a layer of security beyond the password alone when a user signs in. The user can be prompted for additional forms of authentication, such as responding to a push notification, entering a code from a software or hardware token, or responding to an SMS message or phone call.
The Azure Active Directory Connector supports MFA Attribute Management, which helps you manage the MFA-related information required for authentication, such as mobile numbers, alternate mobile numbers, office phone numbers, email addresses, and the Microsoft Authenticator app.
The following operations are supported for Multi-Factor Authentication Management:
- Aggregate MFA-related information for the user (applicable to all authentication methods).
- For the Phone and Email authentication methods, you can add, update, and remove MFA-related information.
- For other authentication methods (for example, Microsoft Authenticator or FIDO2), you can only remove MFA-related information.
Administrator Permissions
| Purpose | Permission Type | Permissions |
|---|---|---|
| Aggregate MFA-related information for the user | Application | UserAuthenticationMethod.Read.All |
| Add, update, and remove MFA-related information for the user | Application | UserAuthenticationMethod.ReadWrite.All |
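As an added example (not the connector's own code), the following Python flattens a constructed Microsoft Graph authentication-methods payload into the MFA attributes described above and checks a requested operation against the supported-operations list and the permission table, so an integration can be verified to hold only the permission it needs. The `@odata.type` and `phoneType` values are assumed from the Graph authenticationMethod resource types, and the rule that ReadWrite.All also covers reads is an assumption.

```python
"""Aggregate MFA attributes from a Microsoft Graph authentication-methods payload
and check a requested change against the permissions in the table above.
Example code, not the connector's own; the sample payload is constructed."""
import json

READ_PERM = "UserAuthenticationMethod.Read.All"        # aggregate
WRITE_PERM = "UserAuthenticationMethod.ReadWrite.All"  # add, update, remove
# Method types the connector can add/update/remove vs. only remove.
FULLY_MANAGED = {"phoneAuthenticationMethod", "emailAuthenticationMethod"}
REMOVE_ONLY = {"microsoftAuthenticatorAuthenticationMethod", "fido2AuthenticationMethod"}
# Constructed sample of what GET /users/{id}/authentication/methods returns;
# @odata.type and phoneType values are assumed from the Graph resource types.
SAMPLE_RESPONSE = json.dumps({"value": [
    {"@odata.type": "#microsoft.graph.phoneAuthenticationMethod",
     "phoneType": "mobile", "phoneNumber": "+1 5550100"},
    {"@odata.type": "#microsoft.graph.phoneAuthenticationMethod",
     "phoneType": "office", "phoneNumber": "+1 5550199"},
    {"@odata.type": "#microsoft.graph.emailAuthenticationMethod",
     "emailAddress": "user@example.com"},
    {"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
     "displayName": "Pixel 7"},
]})

def aggregate_mfa(raw_json):
    """Flatten a Graph methods collection into connector-style MFA attributes."""
    attrs = {"mobile": None, "alternateMobile": None, "office": None,
             "email": None, "authenticatorApp": [], "fido2": []}
    for entry in json.loads(raw_json).get("value", []):
        kind = entry.get("@odata.type", "").rsplit(".", 1)[-1]  # bare type name
        if kind == "phoneAuthenticationMethod":  # phoneType: mobile/alternateMobile/office
            attrs[entry["phoneType"]] = entry["phoneNumber"]
        elif kind == "emailAuthenticationMethod":
            attrs["email"] = entry["emailAddress"]
        elif kind == "microsoftAuthenticatorAuthenticationMethod":
            attrs["authenticatorApp"].append(entry.get("displayName"))
        elif kind == "fido2AuthenticationMethod":
            attrs["fido2"].append(entry.get("displayName"))
    return attrs

def check_operation(op, kind, granted):
    """Return (allowed, reason) for op in read/add/update/remove, given the set of
    application permissions granted. Reads never require the write permission."""
    if op == "read":  # ReadWrite.All is assumed to cover read as well
        return (READ_PERM in granted or WRITE_PERM in granted, "")
    if WRITE_PERM not in granted:
        return (False, f"{op} requires {WRITE_PERM}")
    if kind in FULLY_MANAGED or (kind in REMOVE_ONLY and op == "remove"):
        return (True, "")
    return (False, f"{op} is not supported for {kind}")
```

Run `check_operation` against the permissions actually consented to the app registration before enabling write operations, so a connector that only aggregates is never granted ReadWrite.All.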
Supported Schema Attributes
To aggregate MFA-related information for the user during account aggregation, ensure that the MFA attributes are present in the account schema. For more information, refer to Multi-Factor Authentication (MFA) Attributes.