Your organization will need to enable Authenticator (traditional second factor) push notifications for some users or groups using the new Authentication Methods Policy API. If your organization is using ADFS adapter or NPS extensions, please upgrade to the latest versions for a consistent experience.<\/p>\n\n\n\n
<\/a>Number matching<\/h2>\n\n\n\nNumber matching can be targeted to only a single group, which can be dynamic or nested. On-premises synchronized security groups and cloud-only security groups are supported for the Authentication Method Policy.<\/p>\n\n\n\n
Number matching is available for the following scenarios. When enabled, all scenarios support number matching.<\/p>\n\n\n\n
- Multifactor authentication<\/a><\/li>
- Self-service password reset<\/a><\/li>
- Combined SSPR and MFA registration during Authenticator app set up<\/a><\/li>
- AD FS adapter<\/a><\/li>
- NPS extension<\/a><\/li><\/ul>\n\n\n\n
Note<\/p>\n\n\n\n
For passwordless users, enabling or disabling number matching has no impact because it’s already part of the passwordless experience.<\/p>\n\n\n\n
<\/a>Multifactor authentication<\/h3>\n\n\n\nWhen a user responds to an MFA push notification using the Authenticator app, they will be presented with a number. They need to type that number into the app to complete the approval.<\/p>\n\n\n\n![\"Screenshot](\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/authentication\/media\/howto-authentication-passwordless-phone\/phone-sign-in-microsoft-authenticator-app.png\")
<\/figure>\n\n\n\n<\/a>SSPR<\/h3>\n\n\n\nDuring self-service password reset, the Authenticator app notification will show a number that the user will need to type in their Authenticator app notification. This number will only be seen to users who have been enabled for number matching.<\/p>\n\n\n\n
<\/a>Combined registration<\/h3>\n\n\n\nWhen a user is goes through combined registration to set up the Authenticator app, the user is asked to approve a notification as part of adding the account. For users who are enabled for number matching, this notification will show a number that they need to type in their Authenticator app notification.<\/p>\n\n\n\n
<\/a>AD FS adapter<\/h3>\n\n\n\nThe AD FS adapter supports number matching after installing an update. Earlier versions of Windows Server don’t support number matching. On earlier versions, users will continue to see the Approve<\/strong>\/Deny<\/strong> experience and won’t see number matching until you upgrade.<\/p>\n\n\n\n
Note<\/p>\n\n\n\n
For passwordless users, enabling or disabling number matching has no impact because it’s already part of the passwordless experience.<\/p>\n\n\n\n
<\/a>Multifactor authentication<\/h3>\n\n\n\nWhen a user responds to an MFA push notification using the Authenticator app, they will be presented with a number. They need to type that number into the app to complete the approval.<\/p>\n\n\n\n<\/figure>\n\n\n\n<\/a>SSPR<\/h3>\n\n\n\nDuring self-service password reset, the Authenticator app notification will show a number that the user will need to type in their Authenticator app notification. This number will only be seen to users who have been enabled for number matching.<\/p>\n\n\n\n
<\/a>Combined registration<\/h3>\n\n\n\nWhen a user is goes through combined registration to set up the Authenticator app, the user is asked to approve a notification as part of adding the account. For users who are enabled for number matching, this notification will show a number that they need to type in their Authenticator app notification.<\/p>\n\n\n\n
<\/a>AD FS adapter<\/h3>\n\n\n\nThe AD FS adapter supports number matching after installing an update. Earlier versions of Windows Server don’t support number matching. On earlier versions, users will continue to see the Approve<\/strong>\/Deny<\/strong> experience and won’t see number matching until you upgrade.<\/p>\n\n\n\n
<\/figure>\n\n\n\n<\/a>SSPR<\/h3>\n\n\n\nDuring self-service password reset, the Authenticator app notification will show a number that the user will need to type in their Authenticator app notification. This number will only be seen to users who have been enabled for number matching.<\/p>\n\n\n\n
<\/a>Combined registration<\/h3>\n\n\n\nWhen a user is goes through combined registration to set up the Authenticator app, the user is asked to approve a notification as part of adding the account. For users who are enabled for number matching, this notification will show a number that they need to type in their Authenticator app notification.<\/p>\n\n\n\n
<\/a>AD FS adapter<\/h3>\n\n\n\nThe AD FS adapter supports number matching after installing an update. Earlier versions of Windows Server don’t support number matching. On earlier versions, users will continue to see the Approve<\/strong>\/Deny<\/strong> experience and won’t see number matching until you upgrade.<\/p>\n\n\n\n
When a user is goes through combined registration to set up the Authenticator app, the user is asked to approve a notification as part of adding the account. For users who are enabled for number matching, this notification will show a number that they need to type in their Authenticator app notification.<\/p>\n\n\n\n
![\"Screenshot](\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/authentication\/media\/howto-authentication-passwordless-phone\/configure.png\")
<\/li>![\"Screenshot](\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/authentication\/media\/howto-authentication-passwordless-phone\/enable-number-matching.png\")
<\/li><\/ol>\n\n\n\n