Azure AD – You can now define the multifactor authentication strength (preview)

Azure AD comes with a lot of security features – some recent, such as passwordless authentication, some less recent, such as Conditional Access – that help protect access to your identities and workloads.

Well, in the never-ending journey to keep identities and data secure, the Conditional Access feature has been updated to let administrators require not only multifactor authentication (MFA) but, even better, to define the MFA strength to be used.

The ability to select the MFA strength (any MFA method [password + MFA], passwordless authentication or phishing-resistant authentication) helps you better protect your workloads and also helps fight MFA fatigue.

To start using this new Conditional Access feature, connect to your Azure AD portal (https://aad.portal.azure.com/) and open the Active Directory\Security\Conditional Access\Policies blade, or to the Entra portal (https://entra.microsoft.com/) and open the Active Directory\Conditional Access\Policies blade.


Then either edit an existing Conditional Access policy or create a new one.

The option to define the MFA strength is available at the Access controls\Grant step, where you now have the Require authentication strength option.

NOTE: if you already have the Require multifactor authentication control enabled, you have to disable it first.


You can then select one of the built-in MFA strengths:

  • Multifactor authentication: this is basically the same as the ‘old’ Require multifactor authentication. It asks the user to enter their password and then requests MFA (using the default method the user has configured – Authenticator prompt, SMS…). This option does not really strengthen your MFA.
  • Passwordless authentication: this option requires you to have enabled the passwordless authentication method (Microsoft Authenticator https://t.co/89FilYohrQ or FIDO keys https://t.co/6HfQaQrsuR) first. This improves the strength of your MFA.
  • Phishing-resistant authentication: this option requires you to have enabled the passwordless authentication method with FIDO keys https://t.co/6HfQaQrsuR first. This provides the strongest level of MFA.
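The same grant control can be set from a script instead of the portal. The following is an added example (not code from the original post or from Microsoft) that uses the Microsoft Graph PowerShell SDK to create a report-only Conditional Access policy requiring the built-in "Phishing-resistant MFA" strength. It assumes the Microsoft.Graph module is installed, the signed-in account has the Conditional Access Administrator role, and `$PilotGroupId` is replaced with a real pilot group object id (the value in the script is a placeholder). The strength id is looked up in the tenant by display name rather than hard-coded, and `builtInControls` is left empty because, as the note above says, the legacy Require multifactor authentication control cannot be combined with an authentication strength.

```powershell
# Added example: create a report-only Conditional Access policy that requires a
# built-in authentication strength. Not the original post's code; see lead-in for assumptions.

Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

$PilotGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: replace with your pilot group object id
$StrengthName = 'Phishing-resistant MFA'                 # or 'Passwordless MFA' / 'Multifactor authentication'

# Resolve the built-in strength id from the tenant instead of hard-coding it; fail loudly if absent.
$strengths = (Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/v1.0/policies/authenticationStrengthPolicies').value
$strength = $strengths | Where-Object { $_.displayName -eq $StrengthName } | Select-Object -First 1
if (-not $strength) { throw "Authentication strength '$StrengthName' not found in this tenant." }

# authenticationStrength replaces the 'mfa' built-in control, so builtInControls stays empty.
$policy = @{
    displayName   = "CA - Require $StrengthName (report-only)"
    state         = 'enabledForReportingButNotEnforced'   # review sign-in logs before switching to 'enabled'
    conditions    = @{
        users          = @{ includeGroups = @($PilotGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        builtInControls        = @()
        authenticationStrength = @{ id = $strength.id }
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
    -Body $policy -ContentType 'application/json'

"Created policy '$($created.displayName)' ($($created.id)) in state $($created.state)"
```

Starting in report-only mode lets you check the Conditional Access report in the sign-in logs for users who would be blocked because they have not yet registered a FIDO key, before the policy is enforced.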

You can also open the Active Directory\Security\Authentication methods\Authentication strengths blade (AAD portal) or the Active Directory\Authentication methods\Authentication strengths blade (Entra portal) to view the built-in authentication strengths and/or create your own.

Creating your own strength policy lets you define which MFA methods (Windows Hello, FIDO keys, certificate-based, passwordless…) your custom policy accepts.

From this blade you can also see which Conditional Access policies use each strength.
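As an added example (not code from the original post or from Microsoft), the script below does the two things described in the last paragraphs from the Microsoft Graph PowerShell SDK: it creates a custom authentication strength that accepts only FIDO2 keys, Windows Hello for Business and multi-factor certificate authentication, then lists which Conditional Access policies reference each strength, built-in or custom. It assumes the Microsoft.Graph module is installed, the account holds a role allowed to manage authentication methods and read Conditional Access policies, and that the combination names used (`fido2`, `windowsHelloForBusiness`, `x509CertificateMultiFactor`) are valid authenticationMethodModes values for your tenant; the display name and description are constructed for this example.

```powershell
# Added example: create a custom authentication strength and report strength usage by
# Conditional Access policies. Not the original post's code; see lead-in for assumptions.

Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.AuthenticationMethod'
$graph = 'https://graph.microsoft.com/v1.0'

# 1. Custom strength: each entry in allowedCombinations is one acceptable method combination.
$custom = @{
    displayName         = 'Hardware-backed MFA only'   # constructed name for this example
    description         = 'FIDO2 security key, Windows Hello for Business or multi-factor certificate'
    allowedCombinations = @('fido2', 'windowsHelloForBusiness', 'x509CertificateMultiFactor')
}
$createdStrength = Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/policies/authenticationStrengthPolicies" -Body $custom -ContentType 'application/json'
"Created custom strength '$($createdStrength.displayName)' with id $($createdStrength.id)"

# 2. Index every strength (built-in and custom) by id.
$strengthById = @{}
foreach ($s in (Invoke-MgGraphRequest -Method GET -Uri "$graph/policies/authenticationStrengthPolicies").value) {
    $strengthById[$s.id] = $s
}

# 3. Walk the Conditional Access policies and group them by the strength they require.
#    Policies with no authenticationStrength (e.g. legacy 'mfa' control only) are skipped.
$policies = (Invoke-MgGraphRequest -Method GET -Uri "$graph/identity/conditionalAccess/policies").value
$usage = foreach ($p in $policies) {
    $sid = $p.grantControls.authenticationStrength.id
    if ($sid -and $strengthById.ContainsKey($sid)) {
        [pscustomobject]@{
            Strength     = $strengthById[$sid].displayName
            Combinations = ($strengthById[$sid].allowedCombinations -join '; ')
            Policy       = $p.displayName
            State        = $p.state
        }
    }
}
$usage | Sort-Object Strength, Policy | Format-Table -AutoSize
```

The usage table is the scripted equivalent of the blade's "used by" view; running it before deleting or editing a custom strength shows which policies would be affected.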
