Microsoft closes security ‘loophole’ in AzureAD 2FA registration process


Microsoft has closed an important security gap in its Azure Active Directory multi-factor authentication setup procedure, one that an attacker could use to register their own device while a user was enrolling for the first time.

Major authentication service providers like Microsoft and Google are encouraging users and enterprises to adopt two-factor or multi-factor authentication, with both firms arguing that it is the best protection available against credential phishing attacks.

Microsoft’s own security team recently even urged large enterprises to enforce MFA and remove passwords altogether, because people struggle to remember complex passwords and tend to reuse them.

For the same reason, Microsoft is also considering removing forced password expiration from its Windows 10 version 1809 security baseline: when made to change a password, people simply pick a slight variation of the existing one.

But while it has been encouraging enterprises to enforce MFA, the Azure AD controls it provided to admins rolling out MFA had a security gap in the setup process, a gap that customers had been demanding it close.
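The weakness the article describes is a window in which someone other than the legitimate user can complete the first-time MFA enrollment. Closing the window is Microsoft's job, but a tenant can also watch for enrollments that look wrong. The following is an added example, not code from the article or from Microsoft: it correlates each security-info registration with the password sign-in that preceded it and flags registrations that come from an untrusted network, from a different address than the sign-in, or with no recent sign-in at all. The event layout, the trusted address ranges, the 30-minute window and the sample events are all constructed assumptions, not the real Azure AD audit-log schema.

```python
"""Flag suspicious first-time MFA security-info registrations (added example).

Assumed, simplified event schema (NOT the real Azure AD audit log format):
each event has a time, a user principal name, a kind of either "signin"
(password sign-in) or "register_mfa" (security-info registration), and the
source IP address.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass
class Event:
    time: datetime
    user: str
    kind: str   # "signin" or "register_mfa"
    ip: str


# Assumed trusted networks (corporate range and an office egress block).
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]


def is_trusted(ip: str) -> bool:
    """True if the address falls inside one of the assumed trusted ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def flag_registrations(events, window=timedelta(minutes=30)):
    """Return a list of findings, one per registration that looks suspicious.

    A registration is flagged when any of these hold:
      * it originates from outside the trusted networks;
      * the most recent password sign-in inside the window came from a
        different IP than the registration (someone else finished enrollment);
      * there is no sign-in for that user inside the window at all.
    """
    by_user = {}
    for ev in sorted(events, key=lambda e: e.time):
        by_user.setdefault(ev.user, []).append(ev)

    findings = []
    for user, evs in by_user.items():
        for i, ev in enumerate(evs):
            if ev.kind != "register_mfa":
                continue
            prior = [p for p in evs[:i]
                     if p.kind == "signin" and ev.time - p.time <= window]
            reasons = []
            if not is_trusted(ev.ip):
                reasons.append(f"registration from untrusted network {ev.ip}")
            if prior and prior[-1].ip != ev.ip:
                reasons.append(
                    f"registration IP {ev.ip} differs from sign-in IP {prior[-1].ip}")
            if not prior:
                reasons.append(f"no preceding sign-in within {window}")
            if reasons:
                findings.append({"user": user, "time": ev.time, "reasons": reasons})
    return findings


# Constructed sample events: alice enrolls normally; bob's enrollment is
# completed from a different, untrusted address right after his sign-in;
# carol's enrollment has no sign-in on record inside the window.
SAMPLE_EVENTS = [
    Event(datetime(2019, 5, 1, 9, 0), "alice@example.test", "signin", "10.1.2.3"),
    Event(datetime(2019, 5, 1, 9, 5), "alice@example.test", "register_mfa", "10.1.2.3"),
    Event(datetime(2019, 5, 1, 9, 10), "bob@example.test", "signin", "10.1.2.4"),
    Event(datetime(2019, 5, 1, 9, 12), "bob@example.test", "register_mfa", "198.51.100.7"),
    Event(datetime(2019, 5, 1, 9, 20), "carol@example.test", "register_mfa", "203.0.113.5"),
]

if __name__ == "__main__":
    for finding in flag_registrations(SAMPLE_EVENTS):
        print(finding["user"], finding["time"].isoformat(), "; ".join(finding["reasons"]))
```

The untrusted-network rule will also flag legitimate remote users, so in practice it is a review queue rather than an automatic block; the IP-mismatch rule is the one that most directly matches the scenario in the article, where a registration is completed by someone other than the account holder who just signed in.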