Azure AD comes with a lot of security features, some recent such as passwordless authentication, some less recent such as Conditional Access, that help protect your identities and control access to your workloads.
In the never-ending journey to keep identities and data secure, the Conditional Access feature has been updated so administrators can require not only multifactor authentication (MFA) but also the class of MFA method that must be used.
Being able to pick the MFA strength (any MFA method [password + MFA], passwordless authentication, or phishing-resistant authentication) lets you better protect sensitive workloads and helps fight MFA fatigue: an attacker holding a stolen password cannot push-bomb a user who must sign in with a FIDO2 key, because no push notification is ever involved.
To start using this Conditional Access feature, connect to the Azure AD portal (https://aad.portal.azure.com/) and open the Active Directory\Security\Conditional Access\Policies blade, or to the Entra portal (https://entra.microsoft.com/) and open the Active Directory\Conditional Access\Policies blade.
Then either edit an existing Conditional Access policy or create a new one.
The option to define the required MFA strength is available at the Access controls\Grant step, where you now have the Require authentication strength option.
NOTE: Require authentication strength and the legacy Require multifactor authentication control are mutually exclusive in a grant. If the policy already has Require multifactor authentication enabled, you have to clear it before you can select an authentication strength.
You can then select one of the built-in authentication strengths:
- Multifactor authentication: this is basically the same as the 'old' Require multifactor authentication control. The user enters their password and is then prompted for the second factor using whatever default method they have registered (Authenticator push, SMS, voice call...). This option does not really strengthen your MFA; it only moves the policy to the new control.
- Passwordless authentication: this option requires that you have first enabled a passwordless method, either Microsoft Authenticator phone sign-in (https://t.co/89FilYohrQ) or FIDO2 security keys (https://t.co/6HfQaQrsuR). The built-in strength also accepts Windows Hello for Business and multifactor certificate-based authentication. This improves the strength of your MFA because no password is sent at all, but Authenticator phone sign-in is still a push-style prompt.
- Phishing-resistant authentication: this option requires that you have first enabled FIDO2 security keys (https://t.co/6HfQaQrsuR) (Windows Hello for Business and multifactor certificate-based authentication also satisfy it). This is the strongest of the built-in strengths: the credential is bound to the origin, so a proxy or fake sign-in page cannot replay it, and there is no prompt for the user to approve by mistake.
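The same policy can be created without the portal. The following is an added example using the Microsoft Graph PowerShell SDK, not code from the original post; it assumes the SDK is installed, the signed-in account holds the Conditional Access Administrator role, and a pilot group named CA-Pilot exists (the group name is a placeholder). It looks up the built-in "Phishing-resistant MFA" strength by display name instead of hard-coding its id, and deploys the policy in report-only mode first.

```powershell
# Added example (not from the original post): create a Conditional Access
# policy whose grant control is the built-in "Phishing-resistant MFA"
# authentication strength, scoped to a pilot group.
# Assumptions: Microsoft.Graph PowerShell SDK installed, account has the
# Conditional Access Administrator role, a group "CA-Pilot" exists (placeholder).
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Groups

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Resolve the built-in strength by name rather than trusting a hard-coded id.
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq "Phishing-resistant MFA" }
if (-not $strength) { throw "Built-in strength 'Phishing-resistant MFA' not found" }

$pilot = Get-MgGroup -Filter "displayName eq 'CA-Pilot'"
if (-not $pilot) { throw "Pilot group 'CA-Pilot' not found" }

$policy = @{
    displayName = "Require phishing-resistant MFA - pilot"
    # Report-only first: review the sign-in logs before switching to "enabled",
    # otherwise users without a registered FIDO2 key are locked out.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users = @{
            includeGroups = @($pilot.Id)
        }
        applications = @{
            includeApplications = @("All")
        }
    }
    grantControls = @{
        operator = "OR"
        # authenticationStrength replaces the legacy "mfa" builtInControl;
        # do not set both, just as the portal forces you to clear
        # "Require multifactor authentication" before picking a strength.
        authenticationStrength = @{
            id = $strength.Id
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Keep the break-glass accounts excluded from any policy that requires a specific strength; a strength that only FIDO2 keys can satisfy will lock out an emergency account that has none registered.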
You can also open the Active Directory\Security\Authentication methods\Authentication strengths blade (AAD portal) or the Active Directory\Authentication methods\Authentication strengths blade (Entra portal) to view the built-in strengths and/or create your own.
Creating your own strength lets you define exactly which method combinations (Windows Hello for Business, FIDO2 keys, certificate-based authentication, passwordless Authenticator...) satisfy the policy, for example restricting a high-value application to hardware-bound credentials only.
From this blade you can also see which Conditional Access policies reference each strength.
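Creating a custom strength and auditing which policies use which strength can also be done from Microsoft Graph PowerShell. The following is an added example, not code from the original post; it assumes the Microsoft.Graph SDK is installed and the account holds the Authentication Policy Administrator role. The custom strength name and description are placeholders.

```powershell
# Added example (not from the original post): create a custom authentication
# strength that allows only hardware-bound, phishing-resistant methods, then
# report which Conditional Access policies use which strength.
# Assumptions: Microsoft.Graph PowerShell SDK installed, account has the
# Authentication Policy Administrator role; names below are placeholders.
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod", "Policy.Read.All"

# Each array entry is one allowed combination. A single value is a
# passwordless method on its own; a comma inside one string (for example
# "password,microsoftAuthenticatorPush") would be a two-step combination.
$custom = New-MgPolicyAuthenticationStrengthPolicy `
    -DisplayName "Hardware-bound phishing-resistant" `
    -Description "FIDO2 security keys, Windows Hello for Business or multifactor certificates only" `
    -AllowedCombinations @("fido2", "windowsHelloForBusiness", "x509CertificateMultiFactor")

"Created strength '$($custom.DisplayName)' with id $($custom.Id)"

# Audit: map every strength id to its definition, then walk the CA policies
# and show the strength (and the methods it allows) each one requires.
$byId = @{}
foreach ($s in Get-MgPolicyAuthenticationStrengthPolicy) { $byId[$s.Id] = $s }

Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.GrantControls.AuthenticationStrength.Id } |
    ForEach-Object {
        $s = $byId[$_.GrantControls.AuthenticationStrength.Id]
        [pscustomobject]@{
            Policy   = $_.DisplayName
            State    = $_.State
            Strength = $s.DisplayName
            Methods  = ($s.AllowedCombinations -join "; ")
        }
    } | Format-Table -AutoSize
```

Running the audit regularly is a cheap detection control: a policy that silently drops from a phishing-resistant strength back to the plain "Multifactor authentication" strength, or from enabled to report-only, is exactly the kind of change an attacker with a compromised admin account would make.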