Beyond Passwords: Microsoft Entra ID Authentication Strength
Strengthen Your Security with Microsoft Entra ID Conditional Access Authentication Strength
In today’s ever-evolving digital landscape, organizations need more than just usernames and passwords to protect their assets. Microsoft Entra ID’s Conditional Access policies provide a powerful layer of protection, and a key feature in that toolkit is Authentication Strength. But what exactly is it? And how can you use it to tailor access to your most sensitive resources?
Let’s break it down.
What is Authentication Strength?
Authentication strength is a Conditional Access control that determines which combinations of authentication methods are acceptable to access specific resources. Think of it as a way to enforce stronger or more secure sign-ins based on what’s being accessed or who’s accessing it.
For example:
You might require phishing-resistant authentication (like FIDO2 or Windows Hello for Business) to access a financial system. For lower-risk resources, a combination like password + SMS might be enough.
How Does It Work?
Authentication strength builds on the Authentication Methods policy, where you define which methods are available to users or groups. Once those are set, authentication strength lets you enforce specific method combinations in different access scenarios, such as:
Accessing sensitive resources
Signing in from outside the corporate network
Responding to user risk levels
Granting access to external guests
Real-World Scenarios
Here are a few examples where authentication strengths shine:
Sensitive Data Protection: Require FIDO2 or certificate-based MFA for apps with confidential data.
Geo-Aware Access: Enforce stronger methods like passwordless sign-in when users access resources from outside your organization’s trusted locations.
High-Risk User Protection: For users marked as high-risk, only allow phishing-resistant MFA.
Guest Access: Combine with cross-tenant settings to require stricter methods from guest users.
Built-In Authentication Strengths
Microsoft provides three built-in authentication strengths that you can use right away:
Strength Type            Example Method
-----------------------  ----------------------------------------------
MFA strength             Password + Authenticator, SMS, Voice call
Passwordless MFA         Microsoft Authenticator (Phone sign-in), FIDO2
Phishing-resistant MFA   FIDO2, WHfB, Certificate-based Auth (multi)
Each of these contains pre-approved combinations of methods that are aligned with best practices for modern authentication. Want more control? You can also create custom strengths to allow specific combinations that align with your organization’s unique security requirements.
Important Limitations to Know
A few things to keep in mind:
Authentication strength applies after initial sign-in – users may initially log in with a password, but they won’t get access until they meet the required strength.
Don’t combine "Require MFA" and "Require Authentication Strength" in the same policy – they conflict.
Email OTP isn’t supported in authentication strength.
Platform-specific quirks – e.g., Windows Hello for Business must be used from the start of the session to meet the policy.
Best Practices
To effectively use authentication strengths:
Scope your Authentication Methods Policy first to define available methods per group/user.
Use built-in strengths for quick wins.
Create custom strengths when unique combinations are needed.
Combine authentication strength with sign-in frequency and authentication context for maximum control.
Educate your users on available sign-in options and required methods for sensitive apps.
Quick Example: Contoso Case Study
Imagine Contoso allows its users to sign in with Microsoft Authenticator using either push notifications or passwordless mode. Most apps are accessible with push + password, but for its HR system, they enforce passwordless only. How?
They:
1. Set "Any" mode for Microsoft Authenticator in the Authentication Methods policy.
2. Use a Conditional Access policy with the Passwordless MFA strength for the HR system.
The result? Flexible yet secure access across the organization.
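As an added example (not code from the original post), here is Python that builds the Microsoft Graph request bodies for the two Contoso steps and lints a policy for the "Require MFA" conflict noted under Important Limitations. The built-in strength IDs, the "all_users" include target and the HR app ID are assumptions to confirm in your own tenant before sending the requests.

```python
from typing import Any

# Built-in authentication strength policy IDs as exposed by Microsoft Graph
# (assumed here; confirm with GET /policies/authenticationStrengthPolicies).
BUILT_IN_STRENGTHS = {
    "MFA strength": "00000000-0000-0000-0000-000000000002",
    "Passwordless MFA": "00000000-0000-0000-0000-000000000003",
    "Phishing-resistant MFA": "00000000-0000-0000-0000-000000000004",
}

def authenticator_any_mode_body() -> dict[str, Any]:
    """Step 1: PATCH body for /policies/authenticationMethodsPolicy/
    authenticationMethodConfigurations/MicrosoftAuthenticator that enables
    Microsoft Authenticator in 'any' mode (push or passwordless) for all users."""
    return {
        "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
        "state": "enabled",
        "includeTargets": [
            {"targetType": "group", "id": "all_users", "authenticationMode": "any"}
        ],
    }

def hr_passwordless_policy_body(hr_app_id: str) -> dict[str, Any]:
    """Step 2: POST body for /identity/conditionalAccess/policies that requires
    the built-in Passwordless MFA strength for the HR app only. It starts in
    report-only mode so sign-in logs can be reviewed before enforcement."""
    return {
        "displayName": "HR system - require Passwordless MFA strength",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": [hr_app_id]},
        },
        "grantControls": {
            "operator": "OR",
            "authenticationStrength": {"id": BUILT_IN_STRENGTHS["Passwordless MFA"]},
        },
    }

def lint_grant_controls(policy: dict[str, Any]) -> list[str]:
    """Return findings for the conflict the article warns about: a policy must
    not combine the 'mfa' built-in control with an authentication strength."""
    grant = policy.get("grantControls") or {}
    strength = grant.get("authenticationStrength") or {}
    findings = []
    if strength and "mfa" in (grant.get("builtInControls") or []):
        findings.append("'Require MFA' and authentication strength set together")
    return findings
```

Run the lint over every policy exported from GET /identity/conditionalAccess/policies to catch existing policies that mix the two controls.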
Final Thoughts
Authentication Strength in Conditional Access is a game-changer. It brings granular control to your identity strategy, letting you balance security and user experience based on context, sensitivity, and risk.