The Deployment Guy

Master Microsoft Intune with Easy How-To Articles and Deployment Walkthroughs

Entra Windows 11

My MFA Confession. The Setting I Missed for 3 Years

ByCraig Camacho

Jan 23, 2026 #Cybersecurity, #Entra ID, #Identity Security, #MFA, #MFA Fatigue, #Microsoft 365, #Microsoft Authenticator, #microsoft entra

Okay, confession time.

I consider myself pretty plugged into the Microsoft Entra world. I doom scroll through the admin center, and I nod sagely when people mention “Conditional Access.” But apparently, I have been living under a rock. A very secure, multifactor-authenticated rock, but a rock nonetheless.

I was digging through some configurations recently and stumbled across a setting that blew my mind. Not because it’s some futuristic AI feature released this morning, but because it’s a toggle that has been staring me in the face for years, and I completely ignored it.

We have all moved on to Number Matching for MFA, and for good reason. Forcing users to type a code displayed on their screen is a massive improvement over the old “Approve/Deny” buttons. It stops people from accidentally approving requests in their pocket or hitting “Yes” just to make the buzzing go away.

But while Number Matching solves the accidental click, it leaves a massive gap in clarity.

Here is the problem. Number matching proves you are holding your phone, but it doesn’t explain why you are using it. It is essentially blind data entry. You see a prompt on your screen, you look at your phone, and you type the digits. It becomes muscle memory. But are you authorizing that Word document you just opened? Or is it some dodgy background process trying to reconnect to Exchange?

Without context, you represent a rubber stamp. You are verifying possession of the device, but not intent of the login.

But it turns out, you can flip the script. You can make those prompts actually tell you what is happening before you ever type a digit.

The “New” (But Actually Old) Feature

The setting allows you to add Application Name and Geographic Location to your Microsoft Authenticator push notifications.

Instead of a vague mystery buzz, your users see

  • App: “Azure Portal” (instead of nothing).
  • Location: “Burnley, UK” (instead of somewhere on Mars).

Note: Don’t expect sniper level accuracy here. Because this relies on your internet connection (WiFi vs. Mobile Data), the location can drift. My phone thought I was in Preston which is about 25 miles away from where I actually am in Burnley. As long as it doesn’t say “Antarctica,” you are probably fine.

Mobile screenshot of the MFA approval screen. It shows the new context features in action: the App is listed as 'Azure Portal' and the Location is shown as 'England, United Kingdom' with a visual map pin in Preston. The number matching input box is visible at the bottom

This takes the guesswork out of the equation. If I see a prompt for “Azure Portal” from Lagos, Nigeria while I’m sitting in Burnley eating toast, I know to hit that “No, it’s not me” button faster than lightning.

It’s Been Available Since 2022

I looked it up. Microsoft made “Show Application Name” and “Show Geographic Location” generally available in October 2022. I have spent three years squinting at generic prompts when I could have had rich, helpful context. That is roughly 1,000 days of unnecessary ambiguity.

How to Enable It (Before Another 3 Years Pass)

If you want to look like a hero to your users (and save them from accidental approvals), here is how you turn it on. It takes about 45 seconds.

  1. Log in to the Microsoft Entra Admin Center.
  2. Navigate to Authentication methods.
  3. Under Policies select Microsoft Authenticator.
  4. Click the Configure tab.
  5. Look for these two magical toggles:
    • Show application name in push notifications
    • Show geographic location in push notifications
  6. Flip them both to Enabled.
  7. Target All Users (unless you want to keep the mystery alive for a certain department you dont like).
  8. Hit Save.
Screenshot of Microsoft Entra configuration showing the 'Show application name' and 'Show geographic location' toggles both set to Enabled and targeted to All Users.

That’s it. Your users will now see exactly what app is asking for access and where the request is coming from. It’s a tiny change that makes a massive difference in security awareness. By giving users this extra context, you stop treating them like passive obstacles and start treating them like active defenders. Suddenly, they aren’t just typing a code to make a box go away they are actually validating that Outlook is connecting from their location. It’s a quick win that costs nothing to enable but adds a significant layer of intelligence to your authentication process and it saves you from explaining why you approved a login from a country you’ve never visited.

Don’t be like me. Don’t wait three years. Go flip the switch.

By Craig Camacho

Related Post

Autopilot Intune Windows 11

Windows Autopilot: The Proven Guide for 2025

Nov 3, 2025 Craig Camacho
Intune Autopilot Windows 11

How to Use Intune to Remove Bloatware from Windows 11 (25H2)

Oct 23, 2025 Craig Camacho
Intune Entra Windows 11

Intune: Manage Local Admin Group Membership in 3 Easy Steps

Oct 21, 2025 Craig Camacho

Leave a Reply

Your email address will not be published. Required fields are marked *