Entra ID tenant without policy to show application name context in Microsoft Authenticator notifications
Cayosoft Threat Definition CTD-000099
Tune into Guardians of the Directory Podcast.
Like This Article?
Subscribe to our LinkedIn Newsletter to receive more educational content
Risk Summary
Without showing the application name (and location) in Microsoft Authenticator push/passwordless prompts, users can’t verify what they’re approving. Attackers can exploit this gap with MFA-prompt spamming (“push fatigue”) to gain unauthorized access.
- Severity: Medium
- Platform: Entra ID
- Category: Tenant-wide
- MITRE ATT&CK Tactics: Credential Access
- MITRE D3FEND Tactics: Application Configuration Hardening
Description
By default, Microsoft Authenticator notifications do not include additional application context, so users may not know exactly what they are confirming. A threat actor can exploit this by sending repeated authentication requests that a user might mistakenly approve. Enabling policy controls adds the application name and geographic location to Microsoft Authenticator passwordless and push notifications, helping users spot abnormal requests.
Real-World Scenario
An attacker harvests a user’s username and triggers repeated sign-in attempts against Microsoft 365, flooding the user’s phone with Authenticator prompts. Because the tenant hasn’t enabled Show application name in push and passwordless notifications, the prompt lacks context and the fatigued user unknowingly approves. The attacker immediately accesses Outlook and SharePoint, downloads sensitive documents, and creates an inbox rule to hide alerts. Cayosoft Guardian detects the risky configuration (CTD-000099) so admins can enable contextual prompts and stop further abuse.
Stop Privilege Escalation—Then Undo It with Cayosoft Guardian
Real-time alerts across AD & Entra ID with one-click rollback.
How to Detect (Cayosoft Guardian)
1.) Sign in to Cayosoft Guardian Threat Detection Dashboard.
2.) Open All Alerts and search for CTD-000099 or Entra ID tenant without policy to show application name context in Microsoft Authenticator notifications.
3.) Open any alert and Click for details (from Raise Threat Alert action).
Evidence (example fields)
- Microsoft Authenticator policy Enable and Target status
- All users targeting enabled/disabled
- Authentication mode (e.g., Any)
- Show application name in push and passwordless notifications → Status
Remediation Steps
To enable application name or geographic location in the Microsoft Entra admin center, complete the following steps:
- Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.
- Browse to Protection > Authentication methods > Microsoft Authenticator.
- On the Enable and Target tab, toggle the switch to Enable position.
- On the Enable and Target tab, click All users to enable the policy for everyone.
- Change Authentication mode to Any.
Only users who are enabled for Microsoft Authenticator here can be included in the policy to show the application name or geographic location of the sign-in, or excluded from it. Users who aren’t enabled for Microsoft Authenticator can’t see application name or geographic location. - On the Configure tab, for Show application name in push and passwordless notifications change Status to Enabled.
- Choose whom to include or exclude from the policy.
- Click Save.
How to Prevent It
Cayosoft Guardian can proactively detect and alert on missing application context in Microsoft Authenticator notifications. It continuously monitors Active Directory, Entra ID, Microsoft 365, and Intune for over 200 misconfigurations, providing early warning before attackers can exploit them.
FAQ
Without the app name (and location) shown, users may unknowingly approve malicious MFA prompts. Attackers can abuse this with “push fatigue” attacks, spamming prompts until the victim accepts.
It gives users critical context about what app is requesting access. This helps them distinguish between legitimate sign-ins and fraudulent attempts, reducing the likelihood of accidental approvals.
An Authentication Policy Administrator or other appropriately privileged role in Entra ID can configure these settings.
References
- Microsoft Entra admin center — https://entra.microsoft.com/
- Role requirements: Authentication Policy Administrator — https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#authentication-policy-administrator
Final Thought
Proactive monitoring and timely remediation of configuration risks is essential to maintaining a secure Active Directory and Microsoft 365 environment. By addressing issues like Entra ID tenant without policy to show application name context in Microsoft Authenticator notifications, you reduce attack surfaces and strengthen your organization’s overall security posture.