
Multifactor Authentication Strength in Entra ID


In today’s digital age, securing user accounts and sensitive data is a critical concern for organizations worldwide. To address this challenge, Entra ID provides a range of robust security features, including multi-factor authentication (MFA), conditional access policies, and custom authentication strength. These features can help organizations secure their environments and ensure that only authorized users have access to their resources. Additionally, Entra ID offers various built-in authentication strengths, such as passwordless MFA, Windows Hello for Business, and certificate-based authentication. This blog post will delve into the different authentication methods policies available in Entra ID, the benefits of using stronger authentication methods, and how they help protect against phishing attacks. Furthermore, we’ll explore the user experience of external users and the different authentication methods available to them, such as push notifications, the authenticator app, and custom policies. By the end of this post, you’ll have a better understanding of Entra ID’s security features and how to set up authentication strength policies to safeguard your environment.


  • Entra ID Premium P1 License

What is Multifactor Authentication Strength in Entra ID?

Multifactor Authentication (MFA) is an essential aspect of securing user identities and access to resources. In Entra ID, MFA is implemented through Conditional Access policies. These policies allow organizations to define custom authentication strength requirements for different scenarios and users. With the increasing need for stronger authentication methods, Entra ID offers built-in authentication strengths such as security key, passwordless MFA, and certificate-based authentication. Additionally, Entra ID supports authentication methods policies that can be used to block access to less secure authentication methods. With MFA, organizations can enhance their security posture, reduce the risk of data breaches, and protect their resources from unauthorized access by external users. In this article, we will discuss the concept of Multifactor Authentication Strength in Entra ID and its significance in securing user access.

Why is Multifactor Authentication Strength important for Entra ID?

Multifactor Authentication (MFA) is a crucial security measure for Entra ID to safeguard user accounts against unauthorized access. However, not all MFA methods offer the same level of protection against cyber threats. This is where Multifactor Authentication Strength becomes crucial, as it enables organizations to establish custom policies that necessitate stronger authentication methods based on user risk and other authentication context factors. This is particularly crucial for privileged users who have access to sensitive resources as their accounts are more prone to cyber attacks. By setting custom authentication strength policies, organizations can ensure that only secure authentication methods, including certificate-based authentication and phishing-resistant MFA strength, such as push notifications and authenticator apps, are used to secure user accounts. This will reduce the risk of account compromise and data breaches, making Entra ID a safer platform for all users, including external ones who may be at greater risk of phishing attacks.

How to set up Multifactor Authentication Strength in Entra ID?

To set up Multifactor Authentication Strength in Entra ID, follow these steps:

  1. Go to portal.azure.com and select Entra ID
  2. Choose Security from the menu
  3. Click on Conditional Access
  4. Select “+ Create new policy”
  5. On the New Policy page, fill in the following information:
    • Name your policy
    • Choose which Users the policy applies to
    • Select the Cloud Apps you want to protect with the policy
  6. On the Grant page, enable “Require authentication strength” and choose the policy you want to use. If you want to force the use of FIDO2 security keys, select “Phishing resistant MFA” from the list of options.
  7. Enable the policy.
  8. Click Create.


Cross-Tenant Access Settings in Entra ID

Entra ID also allows for configuring cross-tenant access settings through the Entra ID portal. These settings are found under External Identities -> Cross-tenant access settings -> Trust Settings. Trust settings for inbound access determine whether Conditional Access policies will trust the multi-factor authentication (MFA), compliant device, and hybrid Entra ID joined device claims from an external organization if their users have already satisfied these requirements in their home tenants.

For instance, by configuring trust settings to trust MFA, MFA policies are still enforced for external users, but users who have already completed MFA in their home tenants won’t have to complete MFA again in your tenant. By default, trust settings apply to all external Entra ID organizations, except for those with organization-specific settings. If you want to require multifactor authentication or a compliant or hybrid Entra ID joined device for guest users, you must first configure Conditional Access for guest users on all cloud apps.

Custom Authentication Strengths for guest users

Entra ID also allows administrators to create custom authentication strengths for guest users, which can be especially useful in scenarios where external users require different authentication requirements than internal users. Creating a custom authentication strength allows administrators to tailor the authentication experience for guest users and ensure that their access to resources is both secure and efficient. To create a custom authentication strength for guest users, administrators can follow the same steps as for creating a custom authentication strength for internal users, as outlined in the previous section. By creating a custom authentication strength for guest users, administrators can further enhance the security of their Entra ID environment and ensure that external users are accessing resources securely.

  1. Go to the Azure portal (portal.azure.com) and navigate to Entra ID > Security > Authentication methods > Authentication strengths.
  2. Click on “+New Authentication strength”.
  3. On the New Authentication Strength page enter the following information:
    1. Name
    2. Description
  4. Select the authentication methods you want to allow from the available options.
  5. Click on “Next” and review the policy configuration.

PS! If you choose the FIDO2 Security key as one of the available methods for your custom authentication strength, you can further customize it by specifying a list of Authenticator Attestation GUIDs (AAGUIDs). This list will determine which security keys with AAGUIDs are allowed to be used to satisfy this authentication strength. Any security key with an AAGUID not in this list will not be usable to meet this authentication strength. This adds an additional layer of security and control to your authentication process.
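The two portal procedures above (the custom authentication strength with an AAGUID list, and the Conditional Access policy that requires it) can also be scripted against Microsoft Graph. This is an added example, not code from the original post: it assumes the Microsoft.Graph.Authentication module is installed, and the display names and the AAGUID are placeholders. The policy is created in report-only mode, which is a choice made for this example.

```powershell
# Added example. Display names and the AAGUID below are placeholders, not values from the article.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.ReadWrite.AuthenticationMethod'
$graph = 'https://graph.microsoft.com/v1.0'

# 1. Custom authentication strength that accepts only FIDO2 security keys.
$strengthBody = @{
    displayName         = 'Guests - approved FIDO2 keys (example)'
    description         = 'Custom strength limited to an approved security key model'
    allowedCombinations = @('fido2')
} | ConvertTo-Json -Depth 10
$strength = Invoke-MgGraphRequest -Method POST -ContentType 'application/json' `
    -Uri "$graph/policies/authenticationStrengthPolicies" -Body $strengthBody

# 2. Restrict the fido2 combination to an AAGUID allow-list.
#    Keys whose AAGUID is not listed cannot satisfy this strength.
$aaguidBody = @{
    '@odata.type'         = '#microsoft.graph.fido2CombinationConfiguration'
    allowedAAGUIDs        = @('<AAGUID-of-approved-key-model>')   # placeholder
    appliesToCombinations = @('fido2')
} | ConvertTo-Json -Depth 10
Invoke-MgGraphRequest -Method POST -ContentType 'application/json' `
    -Uri "$graph/policies/authenticationStrengthPolicies/$($strength.id)/combinationConfigurations" `
    -Body $aaguidBody | Out-Null

# 3. Conditional Access policy for guest users on all cloud apps that
#    requires the strength created above. Report-only, so sign-ins are
#    evaluated and logged but not blocked while the policy is reviewed.
$policyBody = @{
    displayName   = 'Guests - require approved FIDO2 keys (example)'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @('All') }
        users          = @{ includeUsers = @('GuestsOrExternalUsers') }
    }
    grantControls = @{
        operator               = 'AND'
        authenticationStrength = @{ id = $strength.id }
    }
} | ConvertTo-Json -Depth 10
$policy = Invoke-MgGraphRequest -Method POST -ContentType 'application/json' `
    -Uri "$graph/identity/conditionalAccess/policies" -Body $policyBody

# Show what was created so it can be checked against the portal.
"Authentication strength: $($strength.id)"
"Conditional Access policy: $($policy.id) (state: $($policy.state))"
```

Setting `state` to `enabled` corresponds to step 7 of the portal procedure; review the report-only results in the sign-in logs before doing so.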

Best practices for implementing Multifactor Authentication Strength in Entra ID

When implementing Multifactor Authentication Strength in Entra ID, it is important to follow some best practices to ensure the highest level of security for your organization:

  1. Use Conditional Access policies: Implement conditional access policies to define when MFA is required based on user, device, location, and other factors. This helps to minimize user disruption and provides an extra layer of security when accessing sensitive information.

  2. Leverage Passwordless MFA: Entra ID supports passwordless MFA methods such as security keys, Windows Hello for Business, and the Microsoft Authenticator app. These methods offer strong protection against phishing attacks, which are a common threat to traditional password-based authentication.

  3. Implement Custom Authentication Strength policies: Customize your authentication strength policies based on your organization’s security needs. You can define custom authentication strength policies that require MFA for specific users or groups, based on their level of risk.

  4. Train Users on Authentication Methods: Educate your users on the importance of MFA and the different authentication methods available. This helps to ensure that they understand the risks associated with their accounts and are using secure authentication methods.

  5. Monitor User Risk: Monitor user risk levels to identify potential security threats and respond quickly. Entra ID provides a User Risk Policy that evaluates user behavior and prompts MFA when unusual activity is detected.

By following these best practices, you can help to secure your organization’s data and ensure that your users are using secure authentication methods.


In conclusion, implementing a multifactor authentication strength policy is a critical step towards securing your organization’s resources and data in Entra ID. With the increasing number of cyberattacks and phishing attempts, having a strong authentication method for both internal and external users is essential. Entra ID offers a variety of built-in authentication strengths and methods, including passwordless MFA, security keys, and Windows Hello for Business. Additionally, you can create custom policies that fit your organization’s specific needs and improve the user experience with push notifications and authenticator apps. By taking advantage of these tools, you can reduce the risk of unauthorized access to your resources and protect your organization from potential security breaches.
