
Authentication Methods Overview

25 mins

Understanding the Concept

Microsoft Entra ID supports multiple authentication methods that can be combined for secure access. The authentication methods policy controls which methods are available to users across the tenant, replacing the legacy per-user MFA and SSPR settings.

Authentication methods fall into three categories: something you know (passwords, security questions), something you have (phone, FIDO2 key, authenticator app), and something you are (biometrics like Windows Hello). Stronger methods combine multiple factors.

The authentication strengths feature in Conditional Access allows administrators to require specific combinations of methods for different scenarios - for example, requiring phishing-resistant methods for admin access while allowing SMS for general users.

Key Points

  • Password: Traditional method, should be combined with a second factor
  • Microsoft Authenticator: Push notifications, OTP, and passwordless
  • FIDO2 Security Keys: Phishing-resistant hardware-based authentication
  • Windows Hello for Business: Biometric or PIN tied to the device
  • SMS/Voice: Phone-based verification (less secure, being phased out)

Authentication Method Strength Levels

Step 1

Password Only

Weakest - single factor, vulnerable to phishing and credential theft

Step 2

Password + SMS

MFA, but SMS is susceptible to SIM-swapping attacks

Step 3

Password + App

Stronger MFA with Authenticator push or TOTP

Step 4

Passwordless

Authenticator passwordless, WHfB, or FIDO2 key

Step 5

Phishing-Resistant

FIDO2 or WHfB - immune to credential phishing
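To make the ladder above and the authentication strengths idea concrete, here is an added example (not part of the lesson and not Microsoft code) that models how a Conditional Access authentication strength is evaluated: a strength is a list of allowed method combinations, and a sign-in satisfies it only if the combination it actually used is one of them. The method mode names follow the Microsoft Graph authenticationMethodModes convention, and the two built-in strengths are modelled after "Phishing-resistant MFA" and a subset of "Multifactor authentication"; both the names and the mapping of combinations onto the five steps are assumptions, and the sign-in records are constructed.

```python
from dataclasses import dataclass

# Method mode names follow the Microsoft Graph authenticationMethodModes
# enumeration (assumption: this subset and its meaning are accurate).
#   password, sms, voice, softwareOath, hardwareOath,
#   microsoftAuthenticatorPush  (push used as a second factor beside a password),
#   deviceBasedPush             (Authenticator passwordless phone sign-in),
#   fido2, windowsHelloForBusiness, x509CertificateMultiFactor
PHISHING_RESISTANT = frozenset({"fido2", "windowsHelloForBusiness", "x509CertificateMultiFactor"})
PASSWORDLESS_ONLY = frozenset({"deviceBasedPush"})
APP_SECOND_FACTORS = frozenset({"microsoftAuthenticatorPush", "softwareOath", "hardwareOath"})
PHONE_SECOND_FACTORS = frozenset({"sms", "voice"})


def ladder_level(used: set[str]) -> int:
    """Map the set of methods used in one sign-in onto the five-step ladder
    from the lesson (1 = password only ... 5 = phishing-resistant).
    Returns the highest step the combination reaches; 0 = not recognised."""
    used = frozenset(used)
    if used and used <= PHISHING_RESISTANT:
        return 5
    if used and used <= PASSWORDLESS_ONLY:
        return 4
    if used == {"password"}:
        return 1
    if "password" in used and len(used) == 2:
        (second,) = used - {"password"}
        if second in PHONE_SECOND_FACTORS:
            return 2
        if second in APP_SECOND_FACTORS:
            return 3
    return 0


@dataclass(frozen=True)
class AuthenticationStrength:
    """Shape of a Conditional Access authentication strength: a display name
    plus the combinations that satisfy it, written as comma-joined modes."""
    display_name: str
    allowed_combinations: tuple[str, ...]

    def combinations(self) -> set[frozenset[str]]:
        return {frozenset(c.split(",")) for c in self.allowed_combinations}

    def is_satisfied_by(self, used: set[str]) -> bool:
        # Simplification: the combination used must exactly match one of the
        # allowed combinations; a superset of methods does not count.
        return frozenset(used) in self.combinations()


# Modelled after the built-in strengths (assumption about their contents).
PHISHING_RESISTANT_MFA = AuthenticationStrength(
    "Phishing-resistant MFA",
    ("fido2", "windowsHelloForBusiness", "x509CertificateMultiFactor"),
)
GENERAL_MFA = AuthenticationStrength(
    "Multifactor authentication (subset)",
    ("password,sms", "password,voice", "password,softwareOath", "password,hardwareOath",
     "password,microsoftAuthenticatorPush", "deviceBasedPush",
     "fido2", "windowsHelloForBusiness", "x509CertificateMultiFactor"),
)

# Constructed sign-in records, loosely shaped like the authenticationDetails
# of an Entra sign-in log entry. Not real tenant data.
SIGN_INS = [
    {"user": "admin.alice@contoso.example", "privileged": True,  "methods": ["password", "sms"]},
    {"user": "admin.bob@contoso.example",   "privileged": True,  "methods": ["fido2"]},
    {"user": "carol@contoso.example",       "privileged": False, "methods": ["password", "microsoftAuthenticatorPush"]},
    {"user": "dave@contoso.example",        "privileged": False, "methods": ["password"]},
]


def audit(sign_ins, privileged_strength, general_strength):
    """Return one finding per sign-in that fails the strength its role
    requires, with the ladder step the sign-in actually reached."""
    findings = []
    for s in sign_ins:
        required = privileged_strength if s["privileged"] else general_strength
        used = set(s["methods"])
        if not required.is_satisfied_by(used):
            findings.append({
                "user": s["user"],
                "required": required.display_name,
                "used": ",".join(sorted(used)),
                "level": ladder_level(used),
            })
    return findings


if __name__ == "__main__":
    for f in audit(SIGN_INS, PHISHING_RESISTANT_MFA, GENERAL_MFA):
        print(f"{f['user']}: used [{f['used']}] (step {f['level']}), "
              f"required {f['required']}")
```

Run stand-alone, the audit flags the admin who signed in with password + SMS (step 2, below the phishing-resistant requirement) and the user who used a password only (step 1, not MFA at all), while the FIDO2 and password + Authenticator sign-ins pass. The same split between a privileged strength and a general strength is what the lesson's Conditional Access example describes.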

Why This Matters in Real Organizations

Authentication is the front door to your organization. Using weak methods like password-only leaves you vulnerable to credential stuffing, phishing, and brute force attacks. Microsoft reports that MFA blocks over 99.9% of account compromise attacks - making authentication method selection one of the highest-impact security decisions.

Common Mistakes to Avoid

  • Relying solely on passwords without any second factor
  • Using SMS as the only MFA method despite its known vulnerabilities
  • Not configuring the authentication methods policy centrally
  • Allowing users to choose weak authentication methods for privileged operations

Interview Tips

  • Explain the three authentication factor categories
  • Discuss the security spectrum from passwords to phishing-resistant methods
  • Mention Microsoft's push toward passwordless authentication

Exam Tips (SC-300)

  • Know all supported authentication methods and their strengths
  • Understand authentication strength policies in Conditional Access
  • Know that FIDO2 and WHfB are considered phishing-resistant
