Skip to main content

Every organization knows that security is essential and needs to be solid. Nowadays, every organization enables MFA and thinks that they are protected and done. Well, hold your horses because that’s not the case. What if a user gets an MFA prompt and accidentally accepts it when clicking on it? That’s when geographic location in Azure AD plays a role and makes MFA push notifications more secure. In this article, you will learn how to enable MFA geographic location in Microsoft Authenticator app for sign-in security purposes.

Enable Azure MFA

Configuring MFA in Azure/Microsoft 365 is a prerequisite, and there are two methods:

  1. Configure per-user MFA in Microsoft 365
  2. Configure Azure AD Multi-Factor Authentication

Note: It’s recommended to configure Azure AD Multi-Factor Authentication instead of per-user MFA.

Azure MFA geographic location

Show geographic location in push and passwordless notifications is a feature in Azure AD. When a user receives a passwordless phone sign-in or MFA push notification in Microsoft Authenticator, they’ll see the geographic location based on the IP address that requests the approval where the sign-in originated from.

Note: Geographic location in Azure AD is flexible and can be targeted to a single user, multiple users, all users, and groups.

Let’s look at how to configure MFA geographic location and how it looks.

Enable Azure MFA geographic location

To enable geographic location in Azure AD, follow these steps:

Step 1. Sign in to Microsoft Azure Portal.

Step 2. Click on Menu > Azure Active Directory.

Azure MFA geographic location Azure Active Directory panel

Step 3. Click on Security.

Azure MFA geographic location security panel

Step 4. Click on Authentication methods.

Azure MFA geographic location authentication methods panel

Step 5. Click on Policies > Microsoft Authenticator.

Azure MFA geographic location Microsoft Authenticator policy

Step 6. Click on the Basics tab and configure the below settings:

  • Enable: Yes
  • Target: All users
  • Authentication mode: Any

Suppose you want to enable it on a group or a test account; click Select users and select the users/groups.

Enable all users in Microsoft Authenticator settings

Step 7. Click on the Configure tab and configure the below settings for Show geographic location in push and passwordless notifications. Don’t forget to Save.

  • Status: Enabled
  • Target: Include – All users

Note: Two more features are available on the Microsoft Authenticator settings configure page. You should enable these features for security improvements. .

Enable Azure MFA geographic location

Step 8. Confirm that Microsoft Authenticator shows the target that you have set and the status enabled.

Azure MFA geographic location Microsoft Authenticator enabled

In the next step, you will test that everything works as you expect.

Verify Azure MFA geographic location

To test that Azure MFA geographic location works, follow the below steps:

Sign in to Microsoft 365 portal.

Note: You need to have MFA enabled on the account you like to test and not sign in from a network that is excluded from MFA.

Azure MFA geographic location sign in to Microsoft Office portal

The approve sign in request message appears.

Azure MFA geographic location approve sign in request

The geographic location appears in the Microsoft Authenticator app to sign in. Tap on Approve.

Azure MFA geographic location shown to sign in

You will successfully sign in to the portal.

Microsoft Office portal signed in

That’s it! You successfully did configure MFA geographic location in Azure AD for the users.

Leave a Reply