Authentication Methods in Microsoft Entra
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Authentication Methods in Microsoft Entra
Introduction: The Foundation of Modern Identity
In the current digital landscape, the traditional perimeter-based security model—where we protected everything inside a physical office building—has effectively disappeared. Today, your employees, partners, and customers access sensitive resources from coffee shops, home offices, and mobile devices across the globe. Because the network perimeter is no longer a reliable boundary, the identity of the user has become the new primary security perimeter. This is where Microsoft Entra (formerly Azure Active Directory) plays a critical role.
Authentication is the process of verifying that a user is who they claim to be. In Microsoft Entra, authentication is not just about checking a password; it is about building a comprehensive profile of trust. When a user attempts to sign in, Entra evaluates a variety of signals—such as the device being used, the user’s location, the behavior patterns associated with the account, and the specific application being accessed—to determine whether to grant access or challenge the user for additional verification.
Understanding the various authentication methods available in Microsoft Entra is essential for any administrator or IT professional. If you choose methods that are too weak, you leave your organization vulnerable to credential theft and automated attacks. Conversely, if you choose methods that are too restrictive or difficult to use, you will likely face significant pushback from users, leading to productivity loss and shadow IT. This lesson will guide you through the technical capabilities of Entra’s authentication suite, ensuring you can design a secure, user-friendly environment.
The Evolution of Authentication: From Passwords to Passwordless
For decades, the password was the gold standard for authentication. However, passwords are notoriously insecure. They are easily phished, reused across different services, and vulnerable to brute-force attacks. Microsoft Entra has shifted the industry focus toward "Passwordless" authentication. The goal is to eliminate the password entirely, replacing it with cryptographic proofs that are bound to a specific device or biometric signature.
Primary Authentication Methods
Before we dive into advanced features, it is important to categorize the methods Entra supports. We generally divide these into two tiers: primary methods and secondary (or multifactor) methods.
- Passwords: The traditional method. While we aim to move away from them, they remain the baseline for many legacy applications.
- Microsoft Authenticator (Push Notifications): A highly secure method where the user approves a sign-in request on their mobile device.
- FIDO2 Security Keys: Physical hardware tokens (like YubiKeys) that offer the highest level of protection against phishing.
- Certificate-Based Authentication (CBA): Useful for organizations with strictly managed hardware and smart card infrastructures.
- Windows Hello for Business: Uses biometric or PIN-based authentication tied to the hardware of a Windows device.
- OATH Hardware/Software Tokens: Time-based one-time password (TOTP) codes generated by specialized devices or apps.
Callout: The Phishing-Resistant Standard Not all authentication methods are created equal. In cybersecurity, we distinguish between "phishable" and "phishing-resistant" methods. A password or a standard SMS code can be intercepted by a malicious actor through a fake login page. FIDO2 keys and Certificate-Based Authentication are considered phishing-resistant because they rely on public-key cryptography that cannot be easily spoofed or intercepted, even if the user is tricked into interacting with a fake site.
Implementing Microsoft Authenticator: The Gold Standard for MFA
The Microsoft Authenticator app is the most versatile and widely used tool for multifactor authentication (MFA) in the Entra ecosystem. Beyond simple push notifications, it supports "Number Matching," which significantly reduces the risk of "MFA fatigue" attacks where a user is bombarded with requests until they accidentally click "Approve."
Configuring Authentication Methods
To manage these methods, you navigate to the Microsoft Entra admin center. The configuration is handled under the Authentication Methods policy. Here is the step-by-step process for enabling and enforcing these methods:
- Access the Admin Center: Sign in to the Microsoft Entra admin center as at least a Global Administrator or Authentication Policy Administrator.
- Navigate to Policies: Go to Protection > Authentication methods > Policies.
- Select a Method: Click on the method you want to configure, such as Microsoft Authenticator.
- Enable the Policy: Select the users or groups you want to include. It is best practice to start with a pilot group before rolling out to the entire organization.
- Configure Settings: For Microsoft Authenticator, ensure that Number Matching is enabled. This requires the user to type a number shown on the login screen into their app, proving they are physically present at their computer.
- Save the Policy: Once configured, the changes will take effect after a short propagation period.
Tip: Managing MFA Fatigue If you are still using the "Approve/Deny" push notification style, you are at high risk for MFA fatigue. Always enable Number Matching in the Microsoft Authenticator settings. It forces the user to actively engage with the login screen, preventing accidental approvals.
FIDO2 Security Keys: The Future of Identity
FIDO2 (Fast Identity Online) is an open standard that allows for passwordless authentication. By using a hardware key, you remove the reliance on the user’s mobile device, which is helpful in environments where mobile phones are prohibited or where users do not have company-issued phones.
How FIDO2 Works
When a user registers a FIDO2 key, the device generates a public-private key pair. The private key remains securely stored on the hardware token and never leaves the device. During authentication, Entra sends a challenge to the device. The device uses the private key to sign the challenge, and Entra verifies the signature using the public key it stored during registration.
Best Practices for FIDO2
- Physical Security: Ensure users understand that the physical key is equivalent to their password. If they lose it, they must report it immediately.
- Provisioning: You need a process for distributing these keys. Consider how you will handle onboarding for new employees who are working remotely.
- Fallback Methods: Always ensure a user has at least one other recovery method (like a registered phone number or a secondary email) in case they misplace their FIDO2 key.
Certificate-Based Authentication (CBA)
For many government and enterprise organizations, Certificate-Based Authentication (CBA) is a requirement. CBA allows users to sign in using X.509 certificates on smart cards or derived credentials.
Technical Implementation of CBA
Entra supports CBA by allowing you to upload your Certificate Authority (CA) chain to the Entra portal. Once the CA is trusted, Entra will validate the certificate presented by the user's browser or device during the TLS handshake.
Steps to configure CBA:
- Upload the CA: In the Entra admin center, under Authentication methods > Certificate-based authentication, upload your root and intermediate CA certificates.
- Define Binding Rules: Configure how Entra maps the certificate to the user object (e.g., matching the User Principal Name in the certificate to the user's account in Entra).
- Enable for Users: Assign the policy to specific user groups.
Warning: Complexity of CBA CBA is powerful but complex to maintain. It requires a robust Public Key Infrastructure (PKI). If your CA is compromised or if your certificate revocation list (CRL) is not updated, you could face significant security gaps. Ensure your PKI team is closely aligned with your identity team.
Windows Hello for Business
Windows Hello for Business (WHfB) is a key component of the modern workplace. It allows users to authenticate to Windows using a PIN or biometrics (like a fingerprint or facial recognition). Crucially, the credentials used by WHfB are cryptographically tied to the device’s Trusted Platform Module (TPM).
Why use WHfB?
- Device-Bound: The credentials cannot be moved to another machine.
- Phishing-Resistant: Because the key is stored in the TPM, it cannot be exported by malware.
- User Experience: Biometrics are much faster than typing long, complex passwords.
To implement WHfB, you typically use Microsoft Intune to push policy settings to your fleet of Windows devices. You can enforce that users must use a PIN and that the PIN must meet specific complexity requirements.
Authentication Policies and Conditional Access
Authentication methods are only as good as the policies that govern them. In Microsoft Entra, we use Conditional Access (CA) to determine when and how a user must authenticate.
The Logic of Conditional Access
Conditional Access follows a simple "If/Then" logic:
- If the user is in a "high-risk" location (e.g., an unfamiliar country)...
- And they are accessing a sensitive application (e.g., Payroll)...
- Then require MFA using a phishing-resistant method.
Practical Example: Configuring a Conditional Access Policy
- Create a Policy: Navigate to Protection > Conditional Access > Policies.
- Define Assignments: Choose the users (e.g., "All users" or a specific department).
- Define Target Resources: Choose the cloud apps (e.g., "Office 365").
- Define Conditions: Set the conditions, such as "Device platform" or "Location."
- Define Grant Controls: This is the most important part. Select Grant access and check the box for Require multifactor authentication. You can also specify "Require phishing-resistant MFA" for highly sensitive access.
Code Snippet: Automating Authentication Policy Management
While the GUI is great, many organizations prefer to manage their authentication policies via Microsoft Graph API. This ensures consistency across environments and allows for version control of your security settings.
Below is an example of how you might use PowerShell with the Microsoft Graph SDK to list the currently enabled authentication methods:
# Connect to Microsoft Graph with necessary permissions
Connect-MgGraph -Scopes "Policy.Read.All"
# Retrieve the authentication methods policy
$authPolicy = Get-MgPolicyAuthenticationMethodPolicy
# Display the enabled methods
$authPolicy.AuthenticationMethodConfigurations | Where-Object { $_.State -eq 'enabled' } | Select-Object Id, State
# Example of enabling a method (e.g., Fido2)
Update-MgPolicyAuthenticationMethodPolicyFido2 -State "enabled"
Explanation:
Connect-MgGraph: This establishes the session. You must have thePolicy.Read.AllorPolicy.ReadWrite.Allpermission.Get-MgPolicyAuthenticationMethodPolicy: This fetches the current state of all authentication policies in your tenant.Update-MgPolicyAuthenticationMethodPolicyFido2: This specific command allows you to toggle the state of FIDO2 keys programmatically. This is highly useful for CI/CD pipelines where you manage your tenant configuration as code.
Best Practices for Authentication Security
To build a secure environment, you must adhere to industry-standard best practices. Here are the most important guidelines for Microsoft Entra authentication.
1. Enforce MFA for Everyone
There is no excuse for having accounts without MFA enabled. Even for administrative accounts, MFA is the absolute minimum requirement. Use Conditional Access to ensure that every single user is prompted for a second factor.
2. Move Toward Passwordless
Start a phased transition to passwordless authentication. Begin with your IT staff and power users. Use Microsoft Authenticator as the entry point, then move to FIDO2 keys for those who require higher security.
3. Minimize Password Prompts
If you use MFA correctly, you can actually reduce the number of times a user has to enter a password. By using device-based policies and session lifetime settings, you can keep users authenticated for longer periods if their device is compliant and secure.
4. Regularly Review Authentication Logs
Use the Entra sign-in logs to monitor for failed authentication attempts. If you see a spike in "MFA denied" events for a specific user, it may indicate that someone is attempting to gain access to that account.
5. Use "Least Privilege"
Authentication methods should be assigned based on the user's role. A standard user might be fine with a push notification, while a domain administrator should be required to use a FIDO2 hardware key.
Common Mistakes and How to Avoid Them
Even experienced administrators make mistakes when setting up authentication. Here are the most common pitfalls:
- Ignoring Legacy Authentication: Many older apps still use protocols like POP, IMAP, or SMTP that do not support modern MFA. These are open doors for attackers. Solution: Use Conditional Access policies to block legacy authentication entirely.
- Over-relying on SMS/Voice MFA: SMS and voice calls are vulnerable to SIM swapping and interception. Solution: Gradually deprecate SMS/Voice as an MFA method and move users to the Microsoft Authenticator app.
- Poorly Managed Recovery Processes: If a user loses their phone and has no other way to get in, they will call the helpdesk. If your helpdesk doesn't have a secure way to verify the user's identity, this becomes a major security hole. Solution: Implement a secure "Self-Service Password Reset" (SSPR) combined with strict identity verification protocols for helpdesk staff.
- "Set and Forget" Mentality: Security is not a one-time task. Solution: Schedule quarterly reviews of your authentication policies to ensure they align with the latest security recommendations.
Callout: The Danger of SMS-based MFA While SMS is better than no MFA at all, it is significantly weaker than app-based or hardware-based methods. Attackers can perform a "SIM swap" attack, where they convince a mobile carrier to move the user's phone number to a device they control. Once they have the number, they can receive your MFA codes. For any high-value account, you should disable SMS as an MFA option.
Comparison Table: Authentication Method Capabilities
| Feature | Microsoft Authenticator | FIDO2 Key | SMS/Voice | Certificate (CBA) |
|---|---|---|---|---|
| Phishing Resistant | Yes (if Number Match) | Yes | No | Yes |
| Device Required | Smartphone | USB/NFC Key | Phone | Smart Card/PC |
| User Experience | High | Medium | Medium | Low (requires card) |
| Cost | Free | Varies (Hardware) | Carrier Fees | High (PKI req.) |
| Best For | General Users | Admins/High Risk | Backup/Legacy | Government/Enterprise |
Frequently Asked Questions (FAQ)
Q: Can I require different authentication methods for different groups? A: Yes. In the Entra Authentication Methods policy, you can target specific groups. For example, you can require FIDO2 keys for the IT department while allowing Microsoft Authenticator for the rest of the company.
Q: What happens if a user loses their phone? A: You should have a clear recovery process. Users can register multiple methods (e.g., Authenticator app + a registered office phone). If they lose all methods, they must go through a verified identity recovery process managed by your IT support team.
Q: Does passwordless mean I don't need a password at all? A: For the user, yes. However, in the background, a strong password often still exists for the account. You should ensure that the password is long and complex, even if the user rarely has to type it.
Q: Is "Number Matching" automatically enabled? A: As of recent updates, Microsoft has been enabling this by default for all tenants. However, you should always verify this in your Authentication Methods policy under the Microsoft Authenticator settings.
Key Takeaways
- Identity is the Perimeter: In the modern cloud-first world, your identity security (authentication) is the most critical layer of defense.
- Prioritize Phishing Resistance: Always aim to move users toward FIDO2 security keys or the Microsoft Authenticator app with Number Matching. These methods are designed to stop modern phishing attacks.
- Conditional Access is Vital: Authentication is not just about the method, but the context. Use Conditional Access to evaluate risk signals like location, device health, and application sensitivity before granting access.
- Disable Legacy Authentication: Protocols that do not support modern MFA are a primary target for attackers. Identify these legacy dependencies and block them using Conditional Access policies.
- Standardize and Automate: Use Microsoft Graph API or PowerShell to manage your authentication policies. This ensures that your security configuration is consistent, auditable, and repeatable.
- Continuous Improvement: Authentication technology evolves rapidly. Review your policies and methods at least twice a year to ensure you are keeping up with new features and addressing emerging threats.
- User Education: Technology is only half the battle. Ensure your users understand why they are using MFA and how to recognize a legitimate sign-in request versus a fraudulent one.
By mastering these authentication capabilities, you provide your organization with a robust, scalable, and user-friendly security infrastructure. Remember that the goal is not to make life difficult for the user, but to make it nearly impossible for an attacker to compromise an account. Start small, pilot your changes, and iterate based on the feedback from your users and the data from your sign-in logs.
Continue the course
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons