# MFA & Authentication

## Authentication Strengths

Authentication Strengths define a named set of allowed authentication method combinations. The CA policies CA001 and CA002 reference custom strengths rather than the basic "Require MFA" grant — this prevents weaker methods (e.g., SMS OTP) from satisfying the MFA requirement.

Entra admin center → Protection → Authentication methods → Authentication strengths → + New authentication strength

### Standard MFA (for all users — CA001)

| Setting | Value |
|---|---|
| Name | Standard MFA |
| Description | Approved MFA methods for standard users |

Allowed method combinations:

| Method combination | Notes |
|---|---|
| Password + Microsoft Authenticator (any) | Push notification with number matching |
| Passwordless phone sign-in (Authenticator) | No password required |
| Windows Hello for Business | PIN/biometric on enrolled Windows device |
| FIDO2 security key | Hardware key / passkey |
| Temporary Access Pass (one-time) | For onboarding / account recovery |
| Temporary Access Pass (multi-use) | For onboarding / account recovery |

**Selecting combinations**

When creating the strength, Entra shows a list of method combinations (e.g., "Password + Microsoft Authenticator"). Tick each row you want to allow. Untick SMS/Voice call, Hardware OATH, and Certificate-based auth to keep Standard MFA limited to the approved set above.

### Admin MFA (for admin roles — CA002)

| Setting | Value |
|---|---|
| Name | Admin MFA |
| Description | Approved MFA methods for privileged admin accounts |

Allowed method combinations — all of Standard MFA, plus:

| Additional method combination | Notes |
|---|---|
| Password + Software OATH token | TOTP codes from authenticator apps (Microsoft Authenticator TOTP, Google Authenticator, etc.) |

**Why Software OATH for admins only?**

Software OATH (TOTP) is less phishing-resistant than passkeys or Windows Hello, but is commonly needed for admin accounts on dedicated admin workstations or scenarios where push notifications aren't available. Standard users should not use it.
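The two strengths above can also be created as code so they are reproducible across tenants. This is an added example using Microsoft Graph PowerShell, not part of the original page; it assumes the Microsoft.Graph.Identity.SignIns module is installed and that the combination strings match the `authenticationMethodModes` values of the Graph `authenticationStrengthPolicy` resource.

```powershell
# Added example (not from the page): create the "Standard MFA" and "Admin MFA"
# authentication strengths from the tables above via Microsoft Graph PowerShell.
# Assumption: the combination strings below are the Graph authenticationMethodModes
# values for each row of the tables (verify against your tenant's built-in strengths).
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"

$standardCombos = @(
    "password,microsoftAuthenticatorPush",   # Password + Authenticator push (number matching)
    "deviceBasedPush",                       # Passwordless phone sign-in
    "windowsHelloForBusiness",               # PIN/biometric on enrolled Windows device
    "fido2",                                 # Security key / passkey
    "temporaryAccessPassOneTime",
    "temporaryAccessPassMultiUse"
)
# Admin MFA = everything in Standard MFA plus password + software OATH (TOTP)
$adminCombos = $standardCombos + "password,softwareOath"

function New-CustomAuthStrength {
    param(
        [string]$Name,
        [string]$Description,
        [string[]]$Combinations
    )
    # Look the strength up by display name first so the script is safe to re-run
    $existing = Get-MgPolicyAuthenticationStrengthPolicy |
        Where-Object { $_.DisplayName -eq $Name }
    if ($existing) {
        Write-Warning "Authentication strength '$Name' already exists (id $($existing.Id)); skipping"
        return $existing
    }
    New-MgPolicyAuthenticationStrengthPolicy `
        -DisplayName $Name `
        -Description $Description `
        -AllowedCombinations $Combinations
}

New-CustomAuthStrength -Name "Standard MFA" `
    -Description "Approved MFA methods for standard users" `
    -Combinations $standardCombos
New-CustomAuthStrength -Name "Admin MFA" `
    -Description "Approved MFA methods for privileged admin accounts" `
    -Combinations $adminCombos
```

After creation, reference the new strengths from CA001 and CA002 under Grant → Require authentication strength instead of Require multifactor authentication.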

## Authentication Methods Policy

Configure authentication methods at: Entra admin center → Protection → Authentication methods → Policies

### Recommended Methods (enable for all users)

| Method | Recommendation | Notes |
|---|---|---|
| Microsoft Authenticator | ✅ Enable | Push notifications + passwordless |
| FIDO2 security keys | ✅ Enable | Best for admins and shared workstations |
| Temporary Access Pass (TAP) | ✅ Enable | For onboarding and account recovery |
| SMS / Voice call | ⚠️ Limit or disable | Vulnerable to SIM swapping — disable if Authenticator is enforced |
| Email OTP | ⚠️ Guests only | Not recommended for members |
| Hardware OATH tokens | Optional | For users who can't use smartphones |

**Migrate from MFA legacy portal**

Move from the legacy Per-user MFA portal to the Authentication Methods Policy. The legacy portal is deprecated — manage everything through the new Authentication methods blade.
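To check a tenant against the recommended table and confirm the migration off the legacy portal is finished, the following read-only audit can be run. It is an added example, not from the page; it assumes the Microsoft.Graph.Identity.SignIns module, and the configuration ids and the `PolicyMigrationState` values are taken from the Graph `authenticationMethodsPolicy` resource (treat them as assumptions to verify).

```powershell
# Added audit (not from the page): compare the tenant's Authentication Methods
# Policy with the Recommended Methods table and report the migration state.
# Assumption: configuration ids ("Sms", "Fido2", ...) and the migration state
# value "migrationComplete" are as exposed by Get-MgPolicyAuthenticationMethodPolicy.
Connect-MgGraph -Scopes "Policy.Read.All"

# Expected state per method configuration id, from the table above.
# Methods the table leaves optional (HardwareOath, SoftwareOath, Email) are not checked.
$expected = @{
    "MicrosoftAuthenticator" = "enabled"
    "Fido2"                  = "enabled"
    "TemporaryAccessPass"    = "enabled"
    "Sms"                    = "disabled"   # SIM-swap risk once Authenticator is enforced
    "Voice"                  = "disabled"
}

function Test-AuthMethodPolicy {
    $policy   = Get-MgPolicyAuthenticationMethodPolicy
    $findings = @()

    # Legacy per-user MFA settings keep applying until the migration is marked complete
    if ($policy.PolicyMigrationState -ne "migrationComplete") {
        $findings += "WARN migration state is '$($policy.PolicyMigrationState)'; finish moving off the legacy per-user MFA portal"
    }

    foreach ($config in $policy.AuthenticationMethodConfigurations) {
        $want = $expected[$config.Id]
        if (-not $want) { continue }
        $status = if ($config.State -eq $want) { "OK  " } else { "WARN" }
        $findings += "{0} {1,-22} state={2,-8} expected={3}" -f $status, $config.Id, $config.State, $want
    }
    return $findings
}

Test-AuthMethodPolicy
```

A WARN line for Sms or Voice means a legacy method is still enabled for some target group and can satisfy a plain "Require MFA" grant.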

### Microsoft Authenticator Settings

Enable passwordless phone sign-in and number matching to prevent MFA fatigue attacks:

Navigate to: Authentication methods → Microsoft Authenticator → Configure

| Setting | Value |
|---|---|
| Allow use of Microsoft Authenticator OTP | Yes |
| Require number matching | Enabled |
| Show additional context in notifications | Enabled (shows app name and location) |
| Passwordless phone sign-in | Enabled (target a pilot group first) |

## Self-Service Password Reset (SSPR)

Entra admin center → Protection → Password reset

| Setting | Recommended value |
|---|---|
| SSPR enabled | All users |
| Number of methods required to reset | 2 |
| Methods available | Mobile app notification, Mobile app code, Email, Mobile phone |
| Registration — require on sign-in | Yes |
| Registration expiry | 180 days |
| Writeback | Enabled (if hybrid — requires Entra Connect + P1) |
| Allow unlock without reset | Yes |

## Per-User MFA Status (Legacy)

Avoid managing MFA via the legacy per-user portal when CA policies are in use — they conflict. Check there are no users in the Enforced state unless intentional:

```powershell
Connect-MgGraph -Scopes "UserAuthenticationMethod.Read.All"

# List users without any MFA method registered
$users = Get-MgUser -All -Property Id,DisplayName,UserPrincipalName
foreach ($user in $users) {
    # Wrap in @() so a single returned method still has a .Count
    $methods = @(Get-MgUserAuthenticationMethod -UserId $user.Id)
    if ($methods.Count -le 1) { # Only the "Password" method is registered
        Write-Output "$($user.DisplayName) | $($user.UserPrincipalName) — NO MFA registered"
    }
}
```

## Temporary Access Pass (TAP)

Use TAP for new user onboarding and for recovering locked-out accounts.

Entra admin center → Protection → Authentication methods → Temporary Access Pass

| Setting | Recommended value |
|---|---|
| Enable | Yes — target a pilot/all users group |
| Minimum lifetime | 1 hour |
| Maximum lifetime | 8 hours |
| Default lifetime | 1 hour |
| One-time use | Yes (for onboarding) |

### Generating a TAP for a user

```powershell
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"

$tapBody = @{
    startDateTime     = (Get-Date).ToUniversalTime().ToString("o")  # valid from now (UTC, ISO 8601)
    lifetimeInMinutes = 60      # 1 hour, the default/minimum lifetime set in the policy above
    isUsableOnce      = $true   # one-time pass for onboarding
}
New-MgUserAuthenticationTemporaryAccessPassMethod -UserId "user@domain.com" -BodyParameter $tapBody
```

## Password Protection

Entra admin center → Protection → Authentication methods → Password protection

| Setting | Recommended value |
|---|---|
| Lockout threshold | 10 |
| Lockout duration (seconds) | 60 |
| Custom banned passwords | Add company name, product names, common variants |
| Enable Password Protection on Windows Server AD | Yes (hybrid environments) |
| Mode | Enforced |

## Admin Account Best Practices

- Dedicated cloud-only admin accounts (e.g., admin.jsmith@domain.com) — no email licence
- Admin accounts not used for day-to-day email/productivity tasks
- All admin accounts have MFA registered (FIDO2 preferred)
- Use Privileged Identity Management (PIM) for just-in-time access to Global Admin
- Minimum 2, maximum 4 Global Administrators
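The "all admin accounts have MFA registered (FIDO2 preferred)" item can be verified from the authentication methods registration report rather than by counting methods per user. This is an added example, not from the page; it assumes the Microsoft.Graph.Reports module, and the method names it treats as phishing-resistant are assumed values of `methodsRegistered` in the Graph `userRegistrationDetails` report (check them against your tenant's output).

```powershell
# Added example (not from the page): list admin accounts with no MFA registered,
# or with MFA that is not phishing-resistant (no FIDO2/passkey or Windows Hello).
# Assumption: the strings below match the methodsRegistered values returned by the
# userRegistrationDetails report in your tenant.
Connect-MgGraph -Scopes "AuditLog.Read.All"

# Methods treated as phishing-resistant for the "FIDO2 preferred" check
$phishingResistant = @("fido2SecurityKey", "passKeyDeviceBound", "windowsHelloForBusiness")

function Get-AdminMfaGap {
    # IsAdmin is set by the report for users holding an Entra admin role
    $admins = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
        Where-Object { $_.IsAdmin }

    foreach ($a in $admins) {
        $methods = @($a.MethodsRegistered)
        $strong  = @($methods | Where-Object { $phishingResistant -contains $_ })
        [pscustomobject]@{
            UserPrincipalName = $a.UserPrincipalName
            MfaRegistered     = $a.IsMfaRegistered
            PhishingResistant = ($strong.Count -gt 0)
            Methods           = ($methods -join ", ")
        }
    }
}

# Report only the gaps: no MFA at all, or MFA that relies on weaker methods
Get-AdminMfaGap |
    Where-Object { -not $_.MfaRegistered -or -not $_.PhishingResistant } |
    Format-Table -AutoSize
```

Accounts that appear here with MfaRegistered false cannot satisfy the Admin MFA strength in CA002 and will be blocked until a method is registered (a TAP from the section above is one way to bootstrap them).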