Microsoft has started rolling out a new system-preferred authentication policy in preview for Azure AD customers. The feature enables the system to evaluate which authentication method should be used when a user signs in to Azure AD.
With system-preferred authentication, Azure AD will check all authentication methods registered for an account and only show the strongest option. However, the system will continue to use usernames/passwords for accounts that don’t have a registered MFA method.
“For example, if a user registered both SMS and Microsoft Authenticator push notifications as methods for MFA, system-preferred MFA prompts the user to sign in by using the more secure push notification method. The user can still choose to sign in by using another method, but they’re first prompted to try the most secure method they registered,” Microsoft explained.
Microsoft notes that the new system-preferred authentication policy will be disabled by default. It will be up to IT admins to turn on the feature for users in their tenant through the Microsoft Graph API. In April, Microsoft will add a new toggle that lets administrators configure the policy through the Azure AD admin center.
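The Graph API path mentioned above is a single PATCH against the tenant's authentication methods policy. The script below is an added example written for this article, not Microsoft's own code: it builds the `systemCredentialPreferences` payload, assembles the request against the beta `policies/authenticationMethodsPolicy` endpoint, and keeps the HTTP transport injectable so the payload can be inspected offline. The optional `exclude_group_ids` argument is this example's own convenience for staging the rollout with a pilot group; the access token (which needs the `Policy.ReadWrite.AuthenticationMethod` permission) is assumed to be obtained separately.

```python
"""Enable (or disable) system-preferred MFA in an Azure AD tenant via Microsoft Graph.

Added example for the article above, not code from Microsoft. Assumptions:
  * the beta endpoint policies/authenticationMethodsPolicy and its
    systemCredentialPreferences property, with states default/enabled/disabled;
  * the caller supplies a bearer token with Policy.ReadWrite.AuthenticationMethod.
"""
import json
import urllib.request
from typing import Any, Callable, Dict, Iterable

GRAPH_POLICY_URL = "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy"
VALID_STATES = ("default", "enabled", "disabled")


def build_system_preferred_payload(
    state: str = "enabled", exclude_group_ids: Iterable[str] = ()
) -> Dict[str, Any]:
    """Return the JSON body that sets the system-preferred MFA state.

    `all_users` is the Graph shorthand for targeting every user; groups listed in
    `exclude_group_ids` (assumed pilot/break-glass groups) are carved out so the
    policy can be rolled out in stages.
    """
    if state not in VALID_STATES:
        raise ValueError(f"state must be one of {VALID_STATES}, got {state!r}")
    return {
        "systemCredentialPreferences": {
            "state": state,
            "includeTargets": [{"targetType": "group", "id": "all_users"}],
            "excludeTargets": [
                {"targetType": "group", "id": gid} for gid in exclude_group_ids
            ],
        }
    }


def build_patch_request(token: str, payload: Dict[str, Any]) -> urllib.request.Request:
    """Assemble the PATCH request without sending it, so it can be reviewed first."""
    return urllib.request.Request(
        GRAPH_POLICY_URL,
        data=json.dumps(payload).encode("utf-8"),
        method="PATCH",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
    )


def set_system_preferred_mfa(
    token: str,
    state: str = "enabled",
    exclude_group_ids: Iterable[str] = (),
    opener: Callable[[urllib.request.Request], Any] = urllib.request.urlopen,
) -> int:
    """Send the policy change and return the HTTP status (Graph answers 204 on success).

    `opener` defaults to urllib but can be swapped for a stub when testing offline.
    """
    request = build_patch_request(token, build_system_preferred_payload(state, exclude_group_ids))
    with opener(request) as response:
        return response.status


if __name__ == "__main__":
    # Dry run: print the body an admin would send, using a constructed placeholder token.
    print(json.dumps(build_system_preferred_payload("enabled", ["<PILOT-GROUP-OBJECT-ID>"]), indent=2))
    req = build_patch_request("<ACCESS-TOKEN>", build_system_preferred_payload())
    print(req.get_method(), req.full_url)
```

Because the policy is tenant-wide, a practitioner would typically send `state: "enabled"` with the pilot group excluded first, confirm that users in scope are prompted for push or stronger methods, and only then remove the exclusion; the same function with `state: "disabled"` reverts the change if a rollback is needed.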
Overall, the system-preferred authentication policy is a part of Microsoft’s ongoing efforts to improve the security of Azure AD accounts in organizations. Last year, Microsoft warned about the increasing use of MFA fatigue attacks by threat actors to target enterprise customers. The Microsoft Authenticator app recently added support for number matching and location details to boost security.
Microsoft plans to enable the system-preferred authentication policy for all Azure AD accounts in July 2023. We invite you to check out this support page for details about configuring the system-preferred authentication policy.