🛡️ Essential 8 Guide

Multi-factor authentication is used to authenticate unprivileged users of systems

Summary

Multi-factor authentication is used to authenticate unprivileged users, mitigating credential theft by enforcing a Conditional Access policy in Microsoft Entra ID that requires MFA at sign-in¹. The policy can combine MFA with additional controls, such as device compliance and hybrid join, to strengthen access security².

The Conditional Access grant control used should align with the required maturity level. At Maturity Level 2, the standard Require multi-factor authentication grant (or the built-in Multifactor authentication strength) is sufficient. At Maturity Level 3, the grant must be changed to Require authentication strength → Phishing-resistant MFA, which restricts acceptable methods to FIDO2 security keys, Windows Hello for Business (hardware TPM), certificate-based authentication, or device-bound passkeys — and excludes SMS OTP, push notifications, and OATH tokens.³⁴

Justification

Not provided in source documentation.

Design Decision

[!NOTE] The Conditional Access policy requiring multifactor authentication will be created in the Entra ID Portal to enforce MFA for user sign-ins. It will apply the grant control Require multifactor authentication to all users accessing all resources.

Prerequisites

• Licensing:
  • A Microsoft Entra ID P1 license is required to implement Conditional Access policies that require MFA. ⁵
  • For phishing-resistant passwordless deployment with Microsoft Entra ID, a Microsoft Entra ID P1 license is recommended. ⁶
• Permissions/Roles:
  • Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator to create and manage policies. ²
  • For phishing-resistant passwordless deployment, the recommended least privileged roles include User Administrator, Authentication Administrator, Authentication Policy Administrator, and User. ⁶
• Dependencies:
  • Access to the Microsoft Entra admin center to configure Conditional Access policies; ensure you can sign in and access the Entra ID administration experience. ²

Implementation Steps

Create conditional access policy requiring multifactor authentication in Entra ID Portal

1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.¹
2. Browse to Entra ID > Conditional Access > Policies.¹
3. Select New policy.¹
4. Name the policy. We recommend that organizations create a meaningful standard for the names of their policies.¹
5. Under Assignments, select Users or workload identities.
   • Under Include, select All users.
   • Under Exclude: select emergency access or break-glass accounts. If you use hybrid identity solutions like Microsoft Entra Connect or Microsoft Entra Connect Cloud Sync, select Directory roles, then select Directory Synchronization Accounts.¹
6. Under Target resources > Resources (formerly cloud apps) > Include, select All resources (formerly ‘All cloud apps’).
   • If you must exclude specific applications from your policy, you can choose them from the Exclude tab under Select excluded cloud apps and choose Select.¹
7. Under Access controls > Grant:
   • Select Require multifactor authentication, Require device to be marked as compliant, and Require Microsoft Entra hybrid joined device.
   • For multiple controls select Require one of the selected controls.
   • Select Select.¹
8. Confirm your settings and set Enable policy to Report-only.¹
9. Select Create to create to enable your policy. After confirming, move the Enable policy toggle from Report-only to On.¹

Note You can enroll your new devices to Intune even if you select Require device to be marked as compliant for All users and All resources (formerly ‘All cloud apps’) using the previous steps. Require device to be marked as compliant control doesn’t block Intune enrollment and the access to the Microsoft Intune Web Company Portal application. ¹

MFA grant control by maturity level

[!NOTE] To use the Require authentication strength grant, the CA policy must be created and assigned with a Microsoft Entra ID P1 (or higher) license. The built-in Phishing-resistant MFA strength is available in all tenants with P1 licensing and requires no additional configuration.⁴

[!NOTE] Guest and external users: Entra ID cannot register phishing-resistant methods for guests in the resource tenant. If B2B collaboration is in scope, configure a cross-tenant inbound trust in the External Identities settings so that phishing-resistant MFA completed in the guest’s home tenant satisfies the policy in your tenant.³

Additional related information

• Plan a phishing-resistant passwordless authentication deployment in Microsoft Entra ID provides planning and deployment steps for phishing-resistant credentials Plan a phishing-resistant passwordless authentication deployment in Microsoft Entra ID
• Get started with phishing-resistant passwordless authentication deployment in Microsoft Entra ID covers prerequisites and licensing guidance for passwordless deployment Get started with phishing-resistant passwordless authentication deployment in Microsoft Entra ID
• Microsoft Entra certificate-based authentication technical concepts explains how CBA works with Conditional Access authentication strength for phishing-resistant access Microsoft Entra certificate-based authentication technical concepts
• ISM Controls and multifactor authentication Maturity Levels provides MFA guidance and mapping to IsM levels for creating CA policies ISM Controls and multifactor authentication Maturity Levels
• Microsoft Entra ID and PCI-DSS Requirement 8 covers phishing-resistant MFA requirements in PCI-DSS compliant environments Microsoft Entra ID and PCI-DSS Requirement 8
• Security domain: operational security covers MFA enforcement and logging requirements for remote access and admin interfaces Security domain: operational security