You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/active-directory/authentication/how-to-mfa-number-match.md
+5-5Lines changed: 5 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -4,7 +4,7 @@ description: Learn how to use number matching in MFA notifications
4
4
ms.service: active-directory
5
5
ms.subservice: authentication
6
6
ms.topic: conceptual
7
-
ms.date: 01/30/2023
7
+
ms.date: 01/31/2023
8
8
ms.author: justinha
9
9
author: mjsantani
10
10
ms.collection: M365-identity-device-management
@@ -68,9 +68,9 @@ AD FS adapter will require number matching on supported versions of Windows Serv
68
68
69
69
### NPS extension
70
70
71
-
The latest NPS extension doesn't support number matching, but it does support One-Time Passwords (OTP) methods such as the OTP available in Microsoft Authenticator, other software tokens, and hardware FOBs. Make sure you run the latest version of the [NPS extension](https://www.microsoft.com/download/details.aspx?id=54688).
71
+
Although NPS doesn't support number matching, the latest NPS extension does support One-Time Password (OTP) methods such as the OTP available in Microsoft Authenticator, other software tokens, and hardware FOBs. OTP sign-in provides better security than the **Approve**/**Deny** experience that NPS extension users see otherwise. Make sure you run the latest version of the [NPS extension](https://www.microsoft.com/download/details.aspx?id=54688).
72
72
73
-
After Feb 27, 2023, when number matching is enabled for all users, anyone who performs a RADIUS connection with NPS extension version 1.2.2216.1 or later will be prompted to sign in with an OTP method instead. The NPS Server where the NPS extension is installed must be configured to use PAP protocol.
73
+
After Feb 27, 2023, when number matching is enabled for all users, anyone who performs a RADIUS connection with NPS extension version 1.2.2216.1 or later will be prompted to sign in with an OTP method instead.
74
74
75
75
Users must have an OTP authentication method registered to see this behavior. Users who don't have an OTP method registered will continue to see **Approve**/**Deny** options.
76
76
@@ -106,10 +106,10 @@ In addition:
106
106
107
107
- Users who perform OTP must have either Microsoft Authenticator registered as an authentication method, or some other hardware or software OATH token. A user who can't use an OTP method will always see **Approve**/**Deny** options with push notifications if they use a version of NPS extension earlier than 1.2.2216.1.
108
108
- Users must be [enabled for number matching](#enable-number-matching-in-the-portal).
109
-
- The VPN server must be configured to use PAP protocol.
109
+
- The NPS Server where the NPS extension is installed must be configured to use PAP protocol.
110
110
111
111
>[!NOTE]
112
-
>MSCHAPv2 doesn't support One-Time Passwords.
112
+
>MSCHAPv2 doesn't support OTP. If the NPS Server isn't configured to use PAP, users will see **Approve**/**Deny** options.
113
113
114
114
If your organization uses Remote Desktop Gateway and the user is registered for OTP code along with Microsoft Authenticator push notifications, the user won't be able to meet the Azure AD MFA challenge and Remote Desktop Gateway sign-in will fail. In this case, you can set OVERRIDE_NUMBER_MATCHING_WITH_OTP = FALSE to fall back to **Approve**/**Deny** push notifications with Microsoft Authenticator.
0 commit comments