Authentication Strength

In this blog post I will briefly cover authentication method combinations and the use cases and benefits of Authentication Strength.

Authentication Method Combinations

Different combinations of authentication methods in Entra ID yield different levels of protection.
Phishing-Resistant MFA is the strongest available method for protection against phishing and token theft.

Authentication method combination                | MFA | Passwordless | Phishing-resistant MFA
-------------------------------------------------|-----|--------------|-----------------------
Passkey / FIDO2 Security Key                     | ✓   | ✓            | ✓
Windows Hello for Business                       | ✓   | ✓            | ✓
Certificate-based authentication (Multi-Factor)  | ✓   | ✓            | ✓
Microsoft Authenticator (Phone Sign-in)          | ✓   | ✓            |
Temporary Access Pass                            | ✓   | ✓            |
Password + something you have                    | ✓   |              |
Federated Multi-Factor                           | ✓   |              |
Certificate-based authentication (single-factor) |     | ✓            |
SMS sign-in                                      |     | ✓            |
Password                                         |     |              |

NOTE

MFA - traditional multi-factor authentication, for example Microsoft Authenticator with push notification and number matching.
Passwordless MFA - satisfies the MFA requirement but does not require a password.
Phishing-resistant MFA - requires a cryptographic interaction between the authentication method and the sign-in surface (hardware-bound), so the credential cannot be relayed through a fake sign-in page.

Authentication Strength

Authentication strength lets us define and use different combinations of authentication methods.
These are then applied in Conditional Access policies to enforce granular authentication requirements.
This is an example of a built-in authentication strength from Entra ID:

Phishing-Resistant MFA (built-in method)

Windows Hello For Business
OR
Passkeys (FIDO2)
OR
Certificate-based Authentication (Multifactor)

Another common custom example includes Temporary Access Pass:

Phishing-Resistant MFA + TAP

Windows Hello For Business
OR
Passkeys (FIDO2)
OR
Certificate-based Authentication (Multifactor)
OR
Temporary Access Pass (One-time use)

TIP

Temporary Access Pass is required to support a passwordless onboarding experience for employees, since a new employee has no registered strong method yet and needs a time-limited credential to enrol one.

Create Authentication Strength using PowerShell & Microsoft Graph

Use the script below to create a new custom Authentication Strength in Entra ID.
The example allows Windows Hello for Business (WHfB), Passkeys (FIDO2) and Temporary Access Pass (one-time use).

create-authentication-strength.ps1

# Check if the Microsoft.Graph.Identity.SignIns module is installed
if (-not (Get-Module -ListAvailable -Name Microsoft.Graph.Identity.SignIns)) {
    # Install the module for the current user if it is missing
    Install-Module Microsoft.Graph.Identity.SignIns -Scope CurrentUser -Verbose
} else {
    # Output a message if the module is already installed
    Write-Output "Microsoft.Graph.Identity.SignIns module is already installed."
}

# Check if the Microsoft.Graph.Authentication module is installed
if (-not (Get-Module -ListAvailable -Name Microsoft.Graph.Authentication)) {
    # Install the module for the current user if it is missing
    Install-Module Microsoft.Graph.Authentication -Scope CurrentUser -Verbose
} else {
    # Output a message if the module is already installed
    Write-Output "Microsoft.Graph.Authentication module is already installed."
}

# Connect to Microsoft Graph with the scope needed to manage authentication method policies
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"

# Custom authentication strength: each allowed combination satisfies the MFA requirement
$policy = @{
    displayName           = "Phishing-Resistant MFA + TAP"
    description           = "WHfB, Passkeys incl. FIDO2 & Temporary Access Pass"
    requirementsSatisfied = "mfa"
    allowedCombinations   = @(
        "windowsHelloForBusiness",
        "fido2",
        "temporaryAccessPassOneTime"
    )
}

New-MgPolicyAuthenticationStrengthPolicy -BodyParameter $policy

Source: GitHub

NOTE

Depending on your scenario, a one-time-use TAP won't be enough. Be sure to test and verify your onboarding process.
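If testing shows that one-time use is too restrictive, the allowed combinations can be extended to include the multi-use TAP variant without recreating the strength. The snippet below is an added example, not code from the original post or from Microsoft; it assumes the "Phishing-Resistant MFA + TAP" strength from the script above already exists, that you are connected with the Policy.ReadWrite.AuthenticationMethod scope, and it uses the Graph v1.0 updateAllowedCombinations action via Invoke-MgGraphRequest.

```powershell
# Added example (not from the original post): allow multi-use TAP on the custom strength.
# Assumes Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod" has already been run.

$strengthName = "Phishing-Resistant MFA + TAP"   # display name used in the script above

# Look up the custom strength by display name (client-side filter keeps this simple)
$strength = Get-MgPolicyAuthenticationStrengthPolicy -All |
    Where-Object { $_.DisplayName -eq $strengthName }

if (-not $strength) { throw "Authentication strength '$strengthName' not found." }

Write-Output "Current combinations: $($strength.AllowedCombinations -join ', ')"

# New combination set: keep the phishing-resistant methods, allow both one-time and multi-use TAP.
# A multi-use TAP can be replayed during its lifetime, so keep the TAP lifetime short in the
# Temporary Access Pass method settings and scope it to onboarding users only.
$newCombinations = @(
    "windowsHelloForBusiness",
    "fido2",
    "temporaryAccessPassOneTime",
    "temporaryAccessPassMultiUse"
)

# allowedCombinations is replaced through the dedicated updateAllowedCombinations action,
# not through a plain PATCH on the policy object.
$body = @{ allowedCombinations = $newCombinations }
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/policies/authenticationStrengthPolicies/$($strength.Id)/updateAllowedCombinations" `
    -Body $body | Out-Null

# Re-read the strength and verify the change before relying on it in Conditional Access
$updated = Get-MgPolicyAuthenticationStrengthPolicy -AuthenticationStrengthPolicyId $strength.Id
$missing = $newCombinations | Where-Object { $_ -notin $updated.AllowedCombinations }
if ($missing) { throw "Update incomplete, missing: $($missing -join ', ')" }
Write-Output "Updated combinations: $($updated.AllowedCombinations -join ', ')"
```

The verification read-back matters: a Conditional Access policy referencing this strength starts enforcing the new combination set immediately, so confirm the combinations are exactly what you intended before widening the policy scope.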

To enforce an authentication strength, select it as the grant control in your Conditional Access policy.
This requires the Conditional Access Administrator or Security Administrator role.
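The same step can be scripted with Microsoft Graph PowerShell. The block below is an added example, not code from the original post or from Microsoft; it assumes the Microsoft.Graph.Identity.SignIns module is installed, that the custom strength created above exists, and that the two group IDs are placeholders you replace with your own pilot group and emergency-access (break-glass) group object IDs. It creates the policy in report-only mode first, which is the safe way to roll out a new grant control.

```powershell
# Added example (not from the original post): require an authentication strength through a
# Conditional Access policy. Group IDs below are placeholders, not real object IDs.

Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$strengthName  = "Phishing-Resistant MFA + TAP"               # custom strength from the script above
$targetGroupId = "00000000-0000-0000-0000-000000000000"       # placeholder: pilot group object ID
$breakGlassId  = "11111111-1111-1111-1111-111111111111"       # placeholder: emergency-access accounts group

# Resolve the strength ID at runtime rather than hard-coding it
$strength = Get-MgPolicyAuthenticationStrengthPolicy -All |
    Where-Object { $_.DisplayName -eq $strengthName }
if (-not $strength) { throw "Authentication strength '$strengthName' not found." }

$policy = @{
    displayName   = "CA - Require $strengthName (pilot)"
    # Report-only first: the sign-in logs show who would have been blocked before anyone is locked out
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeGroups = @($targetGroupId)
            # Never scope break-glass accounts into a new grant control; they are the recovery path
            excludeGroups = @($breakGlassId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $strength.Id }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state '$($created.State)' requiring strength $($strength.Id)"

# Once report-only results look clean, switch the policy to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Keeping the pilot group small and reviewing the report-only results in the sign-in logs before flipping the state to enabled is what prevents a mis-scoped strength from locking out users who have not yet registered a phishing-resistant method.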

Summary

Authentication Strength in Conditional Access has many benefits, including:

  • Ability to utilize adaptive security controls
  • Enforcing Phishing-Resistant MFA granularly
    • All or specific resources
    • All end users or specific roles