Multi-Factor Authentication (MFA)

Multi-factor authentication (MFA) is one of the most effective defences against identity-based attacks. Microsoft reports that MFA blocks more than 99.9% of account compromise attacks. In Entra ID, MFA is deeply integrated with Conditional Access and can be deployed across an organisation with minimal friction.

---

What Is Multi-Factor Authentication?

MFA requires users to provide two or more verification factors from different categories:

Factor Category	Description	Examples
Something you know	A secret the user memorises	Password, PIN
Something you have	A physical object the user possesses	Phone, hardware key, smart card
Something you are	A biometric characteristic	Fingerprint, facial recognition

A sign-in that requires a password (something you know) and an authenticator app notification (something you have) is two-factor authentication — the most common form of MFA.

---

MFA Methods in Entra ID

Entra ID supports several second-factor methods:

Microsoft Authenticator App

The recommended method. It supports:

• Push notifications — the user approves or denies a sign-in on their phone
• Number matching — the user must enter a number displayed on the sign-in screen (phishing-resistant)
• Passwordless sign-in — the app replaces the password entirely

FIDO2 Security Keys

Hardware security keys (e.g., YubiKey) that provide phishing-resistant authentication:

• No shared secret that can be intercepted
• Bound to the specific site origin (prevents man-in-the-middle attacks)
• Works with Windows Hello for Business, macOS, and modern browsers

Windows Hello for Business

A platform-based credential for Windows devices:

• Uses biometrics (face, fingerprint) or a PIN
• Credentials are bound to the device and never leave it
• Considered phishing-resistant

Certificate-Based Authentication

Uses X.509 certificates (typically on smart cards or virtual smart cards):

• Common in government and highly regulated industries
• Can be used as both the primary and second factor

SMS and Voice Calls

• SMS — a one-time code sent to the user's phone
• Voice call — an automated call that asks the user to press # to verify

These methods are less secure than the others because they are vulnerable to SIM-swapping and telephony interception. Microsoft recommends moving away from SMS-based MFA.

OATH Tokens

• Software OATH — time-based one-time passwords (TOTP) from any authenticator app
• Hardware OATH — physical tokens that generate TOTP codes

---

Deploying MFA

Method 1: Per-User MFA (Legacy)

The legacy approach enables MFA on a per-user basis:

1. Navigate to Entra ID > Users > Per-user MFA
2. Select users and set their MFA status to Enabled or Enforced

This method is not recommended because it lacks the flexibility of Conditional Access and applies MFA to all sign-ins without context.

Method 2: Conditional Access (Recommended)

Use Conditional Access policies to require MFA based on context:

• Require MFA for all users accessing all cloud apps
• Require MFA only when signing in from untrusted locations
• Require MFA only for privileged roles

This approach is more flexible and aligns with zero-trust principles.

Method 3: Security Defaults

For organisations that do not have Entra ID P1, Security Defaults provide baseline protection: