
MFA Fatigue Attacks in Microsoft Entra ID: A Technical Deep Dive (EID-EXP-014)

1 April 2026 by Jaspreet Singh


Introduction

Multi-Factor Authentication (MFA) is a foundational control in modern identity security. However, its effectiveness depends not only on cryptographic strength but also on user interaction models.

This article analyzes MFA fatigue (push spam) attacks in Microsoft Entra ID, where repeated authentication attempts generate multiple push notifications, eventually leading users to approve one of them under pressure or confusion (Weinert, 2022).

We’ll examine:

  • Authentication flow and where MFA is evaluated
  • How push-based MFA behaves under repeated attempts
  • Sign-in telemetry and detection gaps
  • Practical mitigations aligned with Zero Trust.

Authentication Flow in Entra ID (Where MFA Fits)

A typical modern authentication flow:

User → Primary Authentication (Password / PHS) → Token Issuance Pending → Conditional Access Evaluation → MFA Challenge → Token Issued

Key points:

  • MFA is evaluated after primary authentication
  • The system treats user approval as intentional consent.
  • Approval completes the authentication transaction and issues tokens.

Push-Based MFA: Interaction Model

With Microsoft Authenticator push:

  1. Login attempt triggers MFA challenge.
  2. Push notification sent to the registered device.
  3. User taps Approve / Deny
  4. Approval satisfies the MFA requirement.

Without additional controls such as number matching, approval is:

Single interaction → MFA satisfied → Token issued

Attack Model: MFA Fatigue (Push Spam)

Preconditions

  • Valid credentials (phishing, password reuse, spray)
  • MFA configured with push notifications
  • No number matching is enforced.
  • No rate limiting or anomaly-based blocking

Attack Sequence

  1. Attacker initiates login.
  2. MFA push sent to the user's device.
  3. Attacker repeats login attempts (multiple sessions).
  4. User receives repeated MFA prompts.
  5. User approves one prompt.
  6. Authentication succeeds.

Key Characteristic

This attack does not exploit a technical vulnerability; it exploits the user interaction model, in which a single approval is taken as proof of intent.

Lab Observations (EID-EXP-014)

1. Repeated MFA Prompts

  • Each login attempt generated a new MFA push.
  • No built-in throttling observed at the user level (Weinert, 2022)
  • Prompts delivered within seconds (Weinert, 2022)

2. Single Approval Completes Authentication

  • Approval of any pending request resulted in:

    • Successful authentication
    • Token issuance (Authentication methods in Microsoft Entra ID - Microsoft Authenticator app, 2024)

3. Sign-In Logs Behavior

Relevant fields:

  • Authentication Requirement = multiFactorAuthentication
  • MFA Result = satisfied
  • Status = success

No explicit indicator of:

“User received multiple prompts.”

4. Lack of Contextual Validation

System does not validate:

  • Whether prompts were unsolicited
  • Frequency of MFA requests
  • User confusion or coercion

Why This Works

1. MFA Assumes Intent

Approval is treated as a legitimate user action.

There is no distinction between:

  • Intentional approval
  • Accidental approval
  • Coerced approval

2. No Native Prompt Correlation

Each MFA request is treated independently: the system does not correlate multiple MFA requests for the same user within a short time window (MFA Fatigue Attacks: Causes & Prevention Guide, 2025).

3. Weak Interaction Model (Without Number Matching)

Push approval:

Tap → Approve

No challenge-response validation. (Weinert, 2022)

Detection Challenges

Sign-In Logs Limitations

While logs capture:

  • IP address
  • Location
  • Client app
  • MFA result

They do NOT capture:

  • MFA prompt count
  • Prompt frequency
  • User hesitation or confusion (Lily, 2026)
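Because the sign-in logs carry the fields listed under Lab Observation 3 but no prompt count, and because the platform does not correlate requests (section "No Native Prompt Correlation"), the correlation has to be done on the exported logs. The following Python is an added example written for this article; it is not Microsoft code and not an Entra ID feature. It groups MFA-required sign-ins per user, slides a time window over them, and flags bursts that reach a prompt threshold, noting whether the burst ends in an approval and whether it came from a source address the user had never succeeded from before. The records are constructed inline in the shape of the Microsoft Graph `signIn` resource; the field names used (`createdDateTime`, `userPrincipalName`, `ipAddress`, `authenticationRequirement`, `status.errorCode`) are assumed to be present in your export, and the threshold and window are tuning assumptions.

```python
"""Correlate bursts of MFA push challenges in Entra ID sign-in records.

Added example for this article; not Microsoft code and not an Entra ID
feature. Records are constructed inline in the shape of the Graph `signIn`
resource; the fields used are assumed to exist in a real export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# AADSTS500121 ("Authentication failed during strong authentication request")
# is the code a denied or unanswered push is logged with; success is 0.
MFA_FAILED = 500121
MFA_REQ = "multiFactorAuthentication"


def _rec(ts, upn, ip, requirement=MFA_REQ, code=MFA_FAILED):
    """Build one constructed sign-in record (sample data, not tenant logs)."""
    return {
        "createdDateTime": ts,
        "userPrincipalName": upn,
        "ipAddress": ip,
        "authenticationRequirement": requirement,
        "status": {"errorCode": code},
    }


# Constructed sample: alice's normal morning sign-in, then five pushes in four
# minutes from a different address and an approval; bob has one failed and one
# successful MFA sign-in; carol's sign-ins never reached an MFA challenge.
SAMPLE_SIGNINS = [
    _rec("2026-03-30T08:02:11Z", "alice@contoso.example", "198.51.100.20", code=0),
    _rec("2026-03-30T09:00:00Z", "alice@contoso.example", "203.0.113.7"),
    _rec("2026-03-30T09:00:40Z", "alice@contoso.example", "203.0.113.7"),
    _rec("2026-03-30T09:01:30Z", "alice@contoso.example", "203.0.113.7"),
    _rec("2026-03-30T09:02:10Z", "alice@contoso.example", "203.0.113.7"),
    _rec("2026-03-30T09:03:05Z", "alice@contoso.example", "203.0.113.7"),
    _rec("2026-03-30T09:04:00Z", "alice@contoso.example", "203.0.113.7", code=0),
    _rec("2026-03-30T09:10:00Z", "bob@contoso.example", "198.51.100.44"),
    _rec("2026-03-30T09:11:00Z", "bob@contoso.example", "198.51.100.44", code=0),
    _rec("2026-03-30T09:12:00Z", "carol@contoso.example", "198.51.100.50",
         requirement="singleFactorAuthentication", code=0),
]


def _ts(value):
    """Parse the ISO-8601 timestamp used by the sign-in export."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_push_bursts(records, window_minutes=10, min_prompts=5):
    """Return one finding per user whose MFA challenges inside any
    `window_minutes` window reach `min_prompts` (the largest burst is kept).

    A finding records the prompt count, the source IPs involved, whether the
    burst contains an approval (errorCode 0), and whether the burst used an
    IP the user had never succeeded from before the burst started."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for r in records:
        if r.get("authenticationRequirement") == MFA_REQ:
            by_user[r["userPrincipalName"]].append(r)

    findings = {}
    for upn, rows in by_user.items():
        rows.sort(key=lambda r: _ts(r["createdDateTime"]))
        start = 0
        for end, row in enumerate(rows):
            t_end = _ts(row["createdDateTime"])
            # Slide the window start forward until it covers only the last
            # `window` of challenges ending at this row.
            while _ts(rows[start]["createdDateTime"]) < t_end - window:
                start += 1
            burst = rows[start:end + 1]
            if len(burst) < min_prompts:
                continue
            t_start = _ts(burst[0]["createdDateTime"])
            baseline_ips = {
                r["ipAddress"] for r in rows
                if r["status"]["errorCode"] == 0 and _ts(r["createdDateTime"]) < t_start
            }
            burst_ips = {r["ipAddress"] for r in burst}
            finding = {
                "user": upn,
                "prompts": len(burst),
                "source_ips": sorted(burst_ips),
                "approved_in_burst": any(r["status"]["errorCode"] == 0 for r in burst),
                "new_source": not burst_ips <= baseline_ips,
                "window": (burst[0]["createdDateTime"], burst[-1]["createdDateTime"]),
            }
            if upn not in findings or finding["prompts"] > findings[upn]["prompts"]:
                findings[upn] = finding
    return list(findings.values())


if __name__ == "__main__":
    for finding in find_push_bursts(SAMPLE_SIGNINS):
        print(finding)
```

On the sample data only alice is flagged: six MFA challenges in four minutes, an approval at the end, and a source address absent from her earlier successful sign-ins. The `new_source` flag is the kind of secondary signal the next section describes; a burst alone is worth a look, a burst that ends in an approval from a new source is worth an immediate session revocation and a conversation with the user.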

Identity Protection Signals

MFA fatigue may NOT trigger:

  • Risky sign-in
  • User risk (Risk-based user sign-in protection in Microsoft Entra ID, 2025)

Unless combined with:

  • Suspicious IP
  • Anonymous proxy
  • Impossible travel

Real-World Attack Mapping

MFA fatigue attacks have been used in:

  • Cloud identity breaches
  • Enterprise account compromises
  • Social engineering campaigns (Nichols, 2022)

Often combined with:

Phishing + MFA fatigue + session persistence

Mitigation Strategies (Technical Controls)

1. Enable Number Matching (Critical)

Transforms the interaction model:

Push → Enter matching number.

Benefits:

  • Prevents blind approval
  • Requires active user verification
  • Reduces accidental approvals

2. Implement Risk-Based Conditional Access

Example:

Sign-in risk = Medium/High → Require MFA or block
User risk = High → Require password reset

3. Restrict Authentication Attempts

Use:

  • Smart lockout
  • Conditional Access session controls
  • Monitoring for repeated attempts
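The two controls above, number matching (step 1) and limiting repeated attempts (step 3), can be seen together in a small model. The following Python is an added example written for this article; it is not the Microsoft Authenticator protocol and not Entra ID code, and the class, its parameters, and the nonce format are assumptions made for illustration. It caps how many pushes one user can receive inside a window (the throttling the lab did not observe), makes each challenge single-use and short-lived, and, when number matching is on, accepts an approval only if it carries the number displayed on the sign-in screen. Since that number is visible only to whoever started the sign-in, a user who did not start it has nothing to type, and a bare tap no longer satisfies MFA.

```python
"""Model of push-MFA issuance with a per-user prompt cap and number matching.

Added example for this article; not the Authenticator protocol and not
Entra ID code. Class, parameters and nonce format are illustrative
assumptions.
"""
import secrets
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Challenge:
    user: str
    nonce: str        # identifies this push; carried back in the response
    number: int       # 0-99, shown on the sign-in screen only
    issued_at: float
    consumed: bool = False


class PushMfaService:
    def __init__(self, require_number_match: bool = True, max_pushes: int = 3,
                 window_s: int = 300, ttl_s: int = 60,
                 clock: Callable[[], float] = time.time):
        self.require_number_match = require_number_match
        self.max_pushes = max_pushes
        self.window_s = window_s
        self.ttl_s = ttl_s
        self.clock = clock                  # injectable for testing
        self._recent = defaultdict(deque)   # user -> issue times in window
        self._challenges = {}               # nonce -> Challenge

    def request_push(self, user: str) -> Optional[Challenge]:
        """Issue a push for `user`, or None once `max_pushes` were issued in
        the last `window_s` seconds (the device then gets no new prompt)."""
        now = self.clock()
        issued = self._recent[user]
        while issued and issued[0] <= now - self.window_s:
            issued.popleft()
        if len(issued) >= self.max_pushes:
            return None
        issued.append(now)
        ch = Challenge(user, secrets.token_urlsafe(16), secrets.randbelow(100), now)
        self._challenges[ch.nonce] = ch
        return ch

    def approve(self, nonce: str, entered_number: Optional[int] = None) -> bool:
        """Process the device's response. Without number matching a bare
        approval satisfies the challenge; with it, the number typed into the
        app must equal the one displayed at sign-in. Every challenge accepts
        exactly one response and expires after `ttl_s` seconds."""
        ch = self._challenges.get(nonce)
        if ch is None or ch.consumed:
            return False
        ch.consumed = True
        if self.clock() - ch.issued_at > self.ttl_s:
            return False
        if not self.require_number_match:
            return True            # single tap -> MFA satisfied (weak model)
        return entered_number is not None and entered_number == ch.number

    def deny(self, nonce: str) -> None:
        """A deny also consumes the challenge, so it cannot be approved later."""
        ch = self._challenges.get(nonce)
        if ch is not None:
            ch.consumed = True


if __name__ == "__main__":
    user = "alice@contoso.example"   # constructed account name
    weak = PushMfaService(require_number_match=False)
    c = weak.request_push(user)
    print("bare tap under push-only:", weak.approve(c.nonce))
    strong = PushMfaService()
    c = strong.request_push(user)
    print("bare tap with number matching:", strong.approve(c.nonce))
    c = strong.request_push(user)
    print("correct number entered:", strong.approve(c.nonce, c.number))
    strong.request_push(user)
    print("fourth push inside window:", strong.request_push(user))
```

Microsoft has enforced number matching for Authenticator push notifications tenant-wide since May 2023, so in a current tenant the control in step 1 is normally already in effect; the model is there to show why it closes the gap rather than how to switch it on.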

4. Strengthen Authentication Methods

Prefer:

  • FIDO2 (phishing-resistant)
  • Certificate-based authentication

Over:

  • Push-only MFA
  • SMS-based MFA

5. User Behavior Controls

Technical + awareness:

  • Never approve unexpected MFA prompts.
  • Report suspicious activity.

Architectural Insight (Zero Trust Alignment)

Zero Trust principle:

Never trust, always verify.

Push MFA without validation does not align with this principle because:

Verification depends on user behavior alone

Key Takeaway

MFA greatly improves security, but its protection can fail when attackers manipulate weak user responses.

To truly secure authentication, use methods that confirm user intent and are resistant to these attacks.

Conclusion

The EID-EXP-014 lab demonstrates that:

  • MFA fatigue is a practical and realistic attack vector.
  • Effective detection requires contextual signal correlation (Weinert, 2024).

Organizations should:

  • Strengthen MFA interaction models.
  • Combine signals (device, risk, behavior).
  • Move toward phishing-resistant authentication.

References

  • Weinert, A. (2022). Defend your users from MFA fatigue attacks. Microsoft Entra Blog. https://techcommunity.microsoft.com/blog/microsoft-entra-blog/defend-your-users-from-mfa-fatigue-attacks/2365677

  • Authentication methods in Microsoft Entra ID - Microsoft Authenticator app. (2024). Microsoft Learn. https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-authenticator-app

  • MFA Fatigue Attacks: Causes & Prevention Guide. (November 30, 2025). Security Boulevard. https://securityboulevard.com/2025/12/mfa-fatigue-attacks-causes-prevention-guide/

  • Lily. (2026). MFA Fatigue Defense Playbook. Beefed.ai. https://beefed.ai/en/mfa-fatigue-defense-playbook

  • Risk-based user sign-in protection in Microsoft Entra ID. (2025). Microsoft Learn. https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-risk-based-sspr-mfa

  • Nichols, S. (September 20, 2022). Cybercriminals launching more MFA bypass attacks. TechTarget. https://www.techtarget.com/searchsecurity/news/252525234/Cybercriminals-launching-more-MFA-bypass-attacks

  • Weinert, A. (May 8, 2024). New developments in Microsoft Entra ID Protection. Microsoft Entra Blog. https://techcommunity.microsoft.com/blog/microsoft-entra-blog/new-developments-in-microsoft-entra-id-protection/4062701
