Merge pull request #230467 from Justinha/authenticator-lite

Authenticator lite

Author: JamesJBarnett

articles/active-directory/authentication/TOC.yml

@@ -108,7 +108,7 @@
             href: howto-authentication-passwordless-faqs.md
           - name: Troubleshoot hybrid
             href: howto-authentication-passwordless-troubleshoot.md
-      - name: Passwordless phone sign-in
+      - name: Microsoft Authenticator
         items:
         - name: Manage
           href: howto-authentication-passwordless-phone.md
@@ -118,6 +118,8 @@
           href: how-to-mfa-number-match.md
         - name: Use additional context 
           href: how-to-mfa-additional-context.md
+        - name: Use Authenticator Lite 
+          href: how-to-mfa-authenticator-lite.md
         - name: Use Microsoft managed settings 
           href: how-to-mfa-microsoft-managed.md
       - name: Windows Hello for Business

articles/active-directory/authentication/concept-authentication-default-enablement.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 02/24/2023
+ms.date: 03/12/2023
 
 ms.author: justinha
 author: mjsantani
@@ -39,8 +39,6 @@ As MFA fatigue attacks rise, number matching becomes more critical to sign-in se
 >[!NOTE]
 >Number matching will begin to be enabled for all users of Microsoft Authenticator starting May 08, 2023.
 
-<!---Add link to Mayur Blog post here--->
-
 ## Microsoft managed settings
 
 In addition to configuring Authentication methods policy settings to be either **Enabled** or **Disabled**, IT admins can configure some settings in the Authentication methods policy to be **Microsoft managed**. A setting that is configured as **Microsoft managed** allows Azure AD to enable or disable the setting. 
@@ -59,6 +57,7 @@ The following table lists each setting that can be set to Microsoft managed and
 | [Location in Microsoft Authenticator notifications](how-to-mfa-additional-context.md)           | Disabled      |
 | [Application name in Microsoft Authenticator notifications](how-to-mfa-additional-context.md)   | Disabled      |
 | [System-preferred MFA](concept-system-preferred-multifactor-authentication.md)                  | Disabled      |
+| [Authenticator Lite](how-to-mfa-authenticator-lite.md)                                          | Disabled      |  
 
 As threat vectors change, Azure AD may announce default protection for a **Microsoft managed** setting in [release notes](../fundamentals/whats-new.md) and on commonly read forums like [Tech Community](https://techcommunity.microsoft.com/). 
 

articles/active-directory/authentication/concept-authentication-methods.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 09/17/2022
+ms.date: 03/13/2023
 
 ms.author: justinha
 author: justinha
@@ -38,7 +38,8 @@ The following table outlines the security considerations for the available authe
 | Authentication method          | Security | Usability | Availability |
 |--------------------------------|:--------:|:---------:|:------------:|
 | Windows Hello for Business     | High     | High      | High         |
-| Microsoft Authenticator app    | High     | High      | High         |
+| Microsoft Authenticator        | High     | High      | High         |
+| Authenticator Lite             | High     | High      | High         |
 | FIDO2 security key             | High     | High      | High         |
 | Certificate-based authentication (preview)| High | High | High       |
 | OATH hardware tokens (preview) | Medium   | Medium    | High         |
@@ -63,10 +64,11 @@ The following table outlines when an authentication method can be used during a
 
 | Method                         | Primary authentication | Secondary authentication  |
 |--------------------------------|:----------------------:|:-------------------------:|
-| Windows Hello for Business     | Yes                    | MFA\*                      |
-| Microsoft Authenticator app    | Yes                    | MFA and SSPR              |
+| Windows Hello for Business     | Yes                    | MFA\*                     |
+| Microsoft Authenticator        | Yes                    | MFA and SSPR              |
+| Authenticator Lite             | No                     | MFA                       |
 | FIDO2 security key             | Yes                    | MFA                       |
-| Certificate-based authentication (preview) | Yes        | No              |
+| Certificate-based authentication | Yes                  | No                        |
 | OATH hardware tokens (preview) | No                     | MFA and SSPR              |
 | OATH software tokens           | No                     | MFA and SSPR              |
 | SMS                            | Yes                    | MFA and SSPR              |

articles/active-directory/authentication/concept-mfa-howitworks.md

@@ -6,7 +6,7 @@ services: multi-factor-authentication
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 01/29/2023
+ms.date: 03/13/2023
 
 ms.author: justinha
 author: justinha
@@ -44,7 +44,8 @@ When users sign in to an application or service and receive an MFA prompt, they
 
 The following additional forms of verification can be used with Azure AD Multi-Factor Authentication:
 
-* Microsoft Authenticator app
+* Microsoft Authenticator 
+* Authenticator Lite (in Outlook)
 * Windows Hello for Business
 * FIDO2 security key
 * OATH hardware token (preview)

articles/active-directory/authentication/how-to-mfa-authenticator-lite.md

@@ -0,0 +1,139 @@
+---
+title: How to enable Microsoft Authenticator Lite for Outlook mobile (preview)
+description: Learn about how to you can set up Microsoft Authenticator Lite for Outlook mobile to help users validate their identity
+
+services: active-directory
+ms.service: active-directory
+ms.subservice: authentication
+ms.topic: conceptual
+ms.date: 03/14/2023
+
+ms.author: justinha
+author: sabina-smith
+ms.reviewer: sabina-smith
+manager: amycolannino
+
+ms.collection: M365-identity-device-management
+
+# Customer intent: As an identity administrator, I want to encourage users to understand how default protection can improve our security posture.
+---
+# How to enable Microsoft Authenticator Lite for Outlook mobile (preview)
+
+Microsoft Authenticator Lite is another surface for Azure Active Directory (Azure AD) users to complete multifactor authentication by using push notifications or time-based one-time passcodes (TOTP) on their Android or iOS device. With Authenticator Lite, users can satisfy a multifactor authentication requirement from the convenience of a familiar app. Authenticator Lite is currently enabled in [Outlook mobile](https://www.microsoft.com/microsoft-365/outlook-mobile-for-android-and-ios). 
+
+Users receive a notification in Outlook mobile to approve or deny sign-in, or they can copy a TOTP to use during sign-in. 
+
+## Prerequisites
+
+- Your organization needs to enable Microsoft Authenticator (second factor) push notifications for some users or groups by using the Authentication methods policy. You can edit the Authentication methods policy by using the Azure portal or Microsoft Graph API.
+- If your organization is using the Active Directory Federation Services (AD FS) adapter or Network Policy Server (NPS) extensions, upgrade to the latest versions for a consistent experience.
+- Users enabled for shared device mode on Outlook mobile aren't eligible for Authenticator Lite.
+- Users must run a minimum Outlook mobile version.
+
+  | Operating system | Outlook version |
+  |:----------------:|:---------------:|
+  |Android           | 4.2308.0        |
+  |iOS               | 4.2309.0        |
+
+## Enable Authenticator Lite
+
+By default, Authenticator Lite is [Microsoft managed](concept-authentication-default-enablement.md#microsoft-managed-settings) and disabled during preview. After general availability, the Microsoft managed state default value will change to enable Authenticator Lite. 
+
+| Property | Type | Description |
+|----------|------|-------------|
+| excludeTarget | featureTarget | A single entity that is excluded from this feature. <br>You can only exclude one group from Authenticator Lite, which can be a dynamic or nested group.|
+| includeTarget | featureTarget | A single entity that is included in this feature. <br>You can only include one group for Authenticator Lite, which can be a dynamic or nested group.|
+| State | advancedConfigState | Possible values are:<br>**enabled** explicitly enables the feature for the selected group.<br>**disabled** explicitly disables the feature for the selected group.<br>**default** allows Azure AD to manage whether the feature is enabled or not for the selected group. |
+
+Once you identify the single target group, use the following API endpoint to change the **CompanionAppsAllowedState** property under **featureSettings**. 
+
+```http
+https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator
+```
+
+>[!NOTE]
+>In Graph Explorer, you need to consent to the **Policy.ReadWrite.AuthenticationMethod** permission. 
+
+### Request
+
+```http
+PATCH https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy
+Content-Type: application/json
+ 
+{
+    "CompanionAppAllowedState": {
+        "state": "enabled",
+        "excludeTargets": [
+            {
+                "id": "s4432809-3bql-5m2l-0p42-8rq4707rq36m",
+                "targetType": "group"
+            }
+        ],
+        "includeTargets": [
+            {
+                "id": "all_users",
+                "targetType": "group"
+            }
+        ]
+    }
+}
+```
+
+
+## User registration
+If enabled for Authenticator Lite, users are prompted to register their account directly from Outlook mobile. Authenticator Lite registration isn't available by using [MySignIns](https://aka.ms/mysignins). Users can also enable or disable Authenticator Lite from within Outlook mobile. For more information about the user experience, see [Authenticator Lite support](https://aka.ms/authappliteuserdocs). 
+
+
+:::image type="content" border="true" source="./media/how-to-mfa-authenticator-lite/registration.png" alt-text="Screenshot of how to register Authenticator Lite.":::
+
+## Monitoring Authenticator Lite usage
+[Sign-in logs](/graph/api/signin-list) can show which app was used to complete user authentication. To view the latest sign-ins, use the following call on the beta API endpoint:
+
+```http
+GET auditLogs/signIns
+```
+
+If the sign-in was done by phone app notification, under **authenticationAppDeivceDetails** the **clientApp** field returns **microsoftAuthenticator** or **Outlook**.
+
+If a user has registered Authenticator Lite, the user’s registered authentication methods include **Microsoft Authenticator (in Outlook)**. 
+
+## Push notifications in Authenticator Lite
+Push notifications sent by Authenticator Lite aren't configurable and don't depend on the Authenticator feature settings. The settings for features included in the Authenticator Lite experience are listed in the following table. 
+
+| Authenticator Feature    | Authenticator Lite Experience|
+|:------------------------:|:----------------------------:|
+| Number Matching          | Enabled                      |
+| Location Context         | Disabled                     |
+| Application Context      | Disabled                     |
+
+The following screenshots show what users see when Authenticator Lite sends a push notification.
+
+:::image type="content" border="true" source="./media/how-to-mfa-authenticator-lite/notification.png" alt-text="Screenshot of push notification in Outlook mobile.":::
+
+## AD FS adapter and NPS extension 
+
+Authenticator Lite enforces number matching in every authentication. If your tenant is using an AD FS adapter or an NPS extension, your users may not be able to complete Authenticator Lite notifications. For more information, see [AD FS adapter](how-to-mfa-number-match.md#ad-fs-adapter) and [NPS extension](how-to-mfa-number-match.md#nps-extension).
+
+To learn more about verification notifications, see [Microsoft Authenticator authentication method](concept-authentication-authenticator-app.md).
+
+## Common questions
+
+### Does Authenticator Lite work as a broker app?
+No, Authenticator Lite is only available for push notifications and TOTP. 
+
+### Can Authenticator Lite be used for SSPR?
+No, Authenticator Lite is only available for push notifications and TOTP. 
+
+### Is this available in Outlook desktop app?  
+No, Authenticator Lite is only available on Outlook mobile. 
+
+### Where can users register for Authenticator Lite?
+Users can only register for Authenticator Lite from mobile Outlook. Authenticator Lite registration can be managed from [aka.ms/mysignins](https://aka.ms/mysignins). 
+
+### Can users register Microsoft Authenticator and Authenticator Lite?
+
+Users that have Microsoft Authenticator on their device can't register Authenticator Lite. If a user has an Authenticator Lite registration and then later downloads Microsoft Authenticator, they can register both. If a user has two devices, they can register Authenticator Lite on one and Microsoft Authenticator on the other.
+
+## Next steps
+
+[Authentication methods in Azure Active Directory](concept-authentication-authenticator-app.md)