Authentication Strengths in Microsoft Entra ID allows you to granularly define authentication requirements for different situations.

Before authentication strengths were available, authentication requirements were defined globally for the entire tenant, and a conditional access policy could only say that multifactor authentication was required; it could not say which type of multifactor authentication was required. Any method enabled globally could therefore be used by all users in all situations.

This was not optimal. There are situations where a less secure authentication method such as SMS or TOTP is good enough, but there are others, such as someone signing in to a global admin account, where we want to allow only very secure methods like FIDO2.

Such granularity was not possible before. If SMS authentication was enabled for a given tenant, even the global admin could use SMS for authentication.

Benefits of authentication strengths

With authentication strengths, it is possible to define different groups of authentication methods and then associate them with conditional access policies. So in a tenant globally, SMS or phone call authentication may be available, but some situations, such as the aforementioned authentication to highly privileged accounts, will require other more secure methods.

Available authentication strengths

There are three predefined authentication strength groups in all tenants by default.

The first group is called Multifactor authentication and allows all possible authentication methods available in Microsoft Entra ID, including single-factor authentication methods.

The second group is Passwordless authentication, which defines all authentication methods that fall under passwordless authentication. This includes Windows Hello for Business, Passkeys (FIDO2), Certificate-based authentication and Microsoft Authenticator in the phone sign-in mode.

The last predefined group is Phishing-resistant MFA, which defines only methods that are resistant to phishing. This includes Windows Hello for Business, Passkeys (FIDO2), and Certificate-based authentication.

You can create additional authentication strengths. I recommend having a base group that defines a baseline for standard users and standard authentication scenarios. That is generally where I put the whole phishing-resistant authentication group (because it is the most secure type of authentication), the passwordless authentication group, and then the individual methods I want enabled, which is usually Temporary Access Pass (one-time use) and Password + Microsoft Authenticator in push notification mode.

You can then use these individual authentication strengths in conditional access policies. Under Grant, you must uncheck Require multifactor authentication and check the Require authentication strength option to select one of the available authentication strengths.

Migrate from Require MFA to Require authentication strength

To improve security, I recommend that you define your own authentication strengths for different scenarios based on your requirements and expectations, and that you modify all conditional access policies that require MFA to require a specific authentication strength. It is a good idea to get rid of the generic Require multifactor authentication and migrate fully to authentication strengths.
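As an added example (not code from the original post), this is what the baseline strength described earlier and the migration recommended here look like with the Microsoft Graph PowerShell SDK. The display name, the list of allowed combinations and the Graph permission scopes are my assumptions; the cmdlet and enum names are the SDK's own.

```powershell
# Added example: create a baseline authentication strength and move every
# conditional access policy that still uses the generic "Require MFA" grant
# control over to it. Assumes the Microsoft.Graph module is installed and the
# signed-in account may manage authentication method and CA policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod",
                        "Policy.ReadWrite.ConditionalAccess",
                        "Policy.Read.All"

# Allowed combinations (assumed baseline): the phishing-resistant and
# passwordless methods, TAP (one-time) and password + Authenticator push.
# SMS, voice call and e-mail OTP are deliberately absent.
$baselineCombinations = @(
    "fido2",                                # Passkeys (FIDO2)
    "windowsHelloForBusiness",
    "x509CertificateMultiFactor",           # Certificate-based authentication
    "deviceBasedPush",                      # Authenticator phone sign-in (passwordless)
    "temporaryAccessPassOneTime",
    "password,microsoftAuthenticatorPush"   # Password + Authenticator push
)

$strength = New-MgPolicyAuthenticationStrengthPolicy `
    -DisplayName "Baseline - standard users" `
    -Description "Phishing-resistant/passwordless methods, TAP one-time, password + push" `
    -AllowedCombinations $baselineCombinations

# Policies that still grant access with the built-in "mfa" control.
$mfaPolicies = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.GrantControls.BuiltInControls -contains "mfa" }

foreach ($policy in $mfaPolicies) {
    # Keep the other grant controls, drop "mfa" (it cannot be combined with an
    # authentication strength) and require the new strength instead.
    # The policy state is left unchanged; review the list before running this.
    $remaining = @($policy.GrantControls.BuiltInControls | Where-Object { $_ -ne "mfa" })
    $grant = @{
        operator               = $policy.GrantControls.Operator
        builtInControls        = $remaining
        authenticationStrength = @{ id = $strength.Id }
    }
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id `
        -BodyParameter @{ grantControls = $grant }
    Write-Host "Migrated policy '$($policy.DisplayName)' to strength '$($strength.DisplayName)'"
}
```

Privileged-role policies should get a separate, stricter strength (for example the built-in Phishing-resistant MFA) rather than this baseline, so run the loop only against the policies you intend to move.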