Try this first
1. In the Entra portal go to Protection, Authentication methods, and pick Microsoft Authenticator. Under Configure, enable Show application name and Show geographic location, and confirm 'Require number matching for push notifications' is Enabled for All users.
2. Verify nobody still sees the old Approve / Deny flow. A test account on an unused device confirms it quickly.
3. Disable SMS and voice call as methods for accounts that do not depend on them. Both are weaker than Authenticator with number matching.
4. For admins: enforce FIDO2 keys or passkeys through an Authentication Strength inside a Conditional Access policy. Push is fine for users, not for Global Admin.
5. Communicate the change once before rollout, otherwise you get a week of tickets from people who do not notice the digit.
When to bring us in
If push bombings keep coming after rollout, there is probably a stale session or a legacy-auth path still open. Track it down in sign-in logs under authenticationDetails.
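One way to triage an exported sign-in log for the two causes named above, as an added example that is not part of the original page. The record shape follows the Microsoft Graph signIn resource; the sample records, the `PUSH` label and the `MODERN` client set are assumptions to check against your own export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions to check against your own export: the push method label and
# treating every client other than these two as legacy authentication.
PUSH = "Mobile app notification"
MODERN = {"Browser", "Mobile Apps and Desktop clients"}

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def legacy_auth_signins(records):
    """Successful sign-ins (errorCode 0) over a protocol that cannot do MFA."""
    return [(r["userPrincipalName"], r["clientAppUsed"]) for r in records
            if r.get("clientAppUsed") and r["clientAppUsed"] not in MODERN
            and r["status"]["errorCode"] == 0]

def push_bursts(records, threshold=3, window=timedelta(minutes=10)):
    """Map user -> failed push count, for users with a burst inside `window`."""
    failed = defaultdict(list)
    for r in records:
        for step in r.get("authenticationDetails", []):
            if step.get("authenticationMethod") == PUSH and not step.get("succeeded"):
                failed[r["userPrincipalName"]].append(_ts(step["authenticationStepDateTime"]))
    hits = {}
    for user, times in failed.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            hits[user] = len(times)
    return hits

def _rec(upn, ts, client, error, push_ok=None):
    """Build one constructed record with only the fields used above."""
    steps = [] if push_ok is None else [{"authenticationMethod": PUSH,
             "authenticationStepDateTime": ts, "succeeded": push_ok}]
    return {"userPrincipalName": upn, "clientAppUsed": client,
            "status": {"errorCode": error}, "authenticationDetails": steps}

# Constructed sample data, not real log output.
SAMPLE = [
    _rec("alice@example.com", "2024-05-01T08:00:00Z", "Browser", 500121, False),
    _rec("alice@example.com", "2024-05-01T08:01:30Z", "Browser", 500121, False),
    _rec("alice@example.com", "2024-05-01T08:03:00Z", "Browser", 500121, False),
    _rec("alice@example.com", "2024-05-01T08:04:10Z", "Browser", 500121, False),
    _rec("alice@example.com", "2024-05-01T08:20:00Z", "IMAP4", 0),
    _rec("bob@example.com", "2024-05-01T09:00:00Z", "Browser", 0, True),
    _rec("carol@example.com", "2024-05-01T10:00:00Z", "Browser", 500121, False),
]
```

A user who appears in both results, like the constructed alice account here, is the case to look at first: repeated failed pushes followed by a successful sign-in over a protocol that never prompts.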
See also
- I think I clicked a phishing link. No shame, happens to everyone. The next fifteen minutes matter.
- A colleague's account is acting strangely. Sending mail in their name, rules hiding folders, unusual sign-ins. Suspicious.
- Lost the MFA app: new phone, no backup codes. Classic problem after a phone upgrade. You are not the first to be locked out.