EIDSCA.AM02 - Authentication Method - Microsoft Authenticator - Allow use of Microsoft Authenticator OTP.
Overview
Defines whether users can sign in with the OTP (software OATH) code generated by the Microsoft Authenticator app.
CISA MS.AAD.3.3v2 recommends disabling Microsoft Authenticator OTP. We recommend using this method only if no stronger MFA option is available, or if it is needed for specific restore scenarios. Make sure you have configured authentication strengths that require stronger, phishing-resistant authentication methods, so that authentication stronger than OTP is enforced in all other scenarios.
Test script
https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')
.isSoftwareOathEnabled -eq 'false'
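As an added example (not code from this page or from the Maester project), the following PowerShell function runs the same check against a live tenant with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph.Authentication module is installed; the function name Test-AuthenticatorOtpDisabled is hypothetical.

```powershell
# Added example, not Maester code. Read-only: Policy.Read.All is enough to read the
# authentication methods policy (changing it would need Policy.ReadWrite.AuthenticationMethod).
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

function Test-AuthenticatorOtpDisabled {
    [CmdletBinding()]
    param()

    # Same beta endpoint the EIDSCA.AM02 test script reads.
    $uri = "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')"
    $config = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject

    # A missing property must not silently count as "disabled" ([bool]$null is $false).
    if ($null -eq $config.isSoftwareOathEnabled) {
        throw 'isSoftwareOathEnabled was not returned; check permissions and the API version.'
    }

    # Compare against the boolean $false, not the string 'false': when the left operand is a
    # bool, PowerShell coerces the right operand to bool and [bool]'false' is $true, so
    # `$false -eq 'false'` evaluates to False and the check would never pass.
    $otpDisabled = ([bool]$config.isSoftwareOathEnabled) -eq $false

    $finding = if ($otpDisabled) {
        'Authenticator OTP is disabled (CISA MS.AAD.3.3v2 satisfied).'
    } else {
        'Authenticator OTP is enabled; disable it unless needed for a restore scenario and enforce phishing-resistant authentication strengths elsewhere.'
    }

    [pscustomobject]@{
        TestId                = 'EIDSCA.AM02'
        MethodState           = $config.state          # state of the Authenticator method itself
        IsSoftwareOathEnabled = [bool]$config.isSoftwareOathEnabled
        Passed                = $otpDisabled
        Finding               = $finding
    }
}

Test-AuthenticatorOtpDisabled | Format-List
```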
Related links
- Open in Graph Explorer
- microsoftAuthenticatorAuthenticationMethodConfiguration resource type - Microsoft Graph v1.0 | Microsoft Learn
- View in Microsoft Entra admin center
Test Metadata
| Field | Value |
|---|---|
| Test ID | EIDSCA.AM02 |
| Severity | Medium |
| Suite | Entra ID SCA |
| Category | General |
| PowerShell test | Test-MtEidscaAM02 |
| Tags | EIDSCA, EIDSCA.AM02 |
Source
- Pester test: tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1
- PowerShell source: powershell/internal/eidsca/Test-MtEidscaAM02.ps1