Authentication Method - Microsoft Authenticator - Allow use of Microsoft Authenticator OTP
Why This Matters
Leaving Microsoft Authenticator OTP enabled exposes your organization to a weaker form of multi-factor authentication that is more susceptible to phishing attacks than passwordless or hardware-based methods. Attackers can intercept OTP codes through social engineering or man-in-the-middle techniques, potentially compromising user accounts and sensitive data. Disabling OTP when stronger authentication methods are available significantly reduces this risk.
What Aether365 Checks
Aether365 verifies that the isSoftwareOathEnabled setting in the Microsoft Authenticator policy is set to false. This check appears in your Aether365 dashboard under the entra-id service scans.
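To verify the setting yourself, the following added example (not Aether365's own code) evaluates authentication methods policy JSON as returned by Microsoft Graph and reports whether isSoftwareOathEnabled is false. The function names, result fields and sample policy are constructed for illustration; a missing or non-boolean value is reported as unknown rather than assumed.

```python
import json

# Constructed sample shaped like a Microsoft Graph authenticationMethodsPolicy
# response; the values are illustrative, not taken from a real tenant.
SAMPLE_POLICY = json.loads("""
{
  "id": "authenticationMethodsPolicy",
  "authenticationMethodConfigurations": [
    {"@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
     "id": "Fido2", "state": "enabled"},
    {"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
     "id": "MicrosoftAuthenticator", "state": "enabled",
     "isSoftwareOathEnabled": true}
  ]
}
""")

def find_authenticator_config(doc):
    """Accept either the whole policy or the single method configuration."""
    configs = doc.get("authenticationMethodConfigurations")
    if configs is None:
        configs = [doc]
    for cfg in configs:
        if str(cfg.get("id", "")).lower() == "microsoftauthenticator":
            return cfg
    return None

def check_authenticator_otp(doc):
    """Return a pass/fail/unknown finding for the isSoftwareOathEnabled setting."""
    cfg = find_authenticator_config(doc)
    if cfg is None:
        return {"status": "unknown", "reason": "Microsoft Authenticator configuration not found"}
    value = cfg.get("isSoftwareOathEnabled")
    result = {"method_state": cfg.get("state"), "isSoftwareOathEnabled": value}
    if not isinstance(value, bool):
        # Absent or mistyped (e.g. the string "false"): do not guess a default.
        return {**result, "status": "unknown", "reason": "setting absent or not a boolean"}
    if value:
        return {**result, "status": "fail", "reason": "Authenticator OTP is allowed"}
    return {**result, "status": "pass", "reason": "Authenticator OTP is not allowed"}

if __name__ == "__main__":
    print(json.dumps(check_authenticator_otp(SAMPLE_POLICY), indent=2))
```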