Note
Access to this page requires authorization. You can try signing in or .
Access to this page requires authorization. You can try .
Configure Essential Eight MFA authentication strengths
This article provides guidance on configuring the authentication strengths that users are allowed to use when authenticating at a given maturity level. The authentication strengths defined in this section are used to define the Essential Eight MFA conditional access policy.
To configure the authentication strength:
- Browse to the Microsoft Entra admin center > Microsoft Entra admin center.
- Select Protection > Authentication methods > Authentication strengths.
- Select New authentication strength.
- Configure the strengths for the required maturity level using the following table as a guide.
- Select Next > Select Create.
This table outlines the authentication strengths that are available for each maturity level.
| Category | Authentication strength | Maturity Level 1 | Maturity Levels 2 & 3 |
|---|---|---|---|
| Phishing-resistant MFA | Windows Hello For Business | 👁 Yes. |
👁 Yes. |
| Passkeys (FIDO2) | 👁 Yes. |
👁 Yes. |
|
| Certificate-based Authentication (Multi-factor) | 👁 Yes. |
👁 Yes. |
|
| Passwordless MFA | Microsoft Authenticator (Phone Sign-in) | 👁 Yes. |
👁 No. |
| Multifactor authentication | Temporary Access Pass (One-time use)1 | 👁 Yes. |
👁 Yes. |
| Temporary Access Pass (Multi-use)1 | 👁 Yes. |
👁 Yes. |
|
| Password + Microsoft Authenticator (Push Notification) | 👁 Yes. |
👁 No. |
|
| Password + Software OATH token | 👁 Yes. |
👁 No. |
|
| Password + Hardware OATH token | 👁 Yes. |
👁 No. |
|
| Password + SMS | 👁 Yes. |
👁 No. |
|
| Password + Voice | 👁 Yes. |
👁 No. |
|
| Federated Multi factor | 👁 Yes. |
👁 No. |
|
| Federated Single factor + Microsoft Authenticator (Push Notification) | 👁 Yes. |
👁 No. |
|
| Federated Single factor + Software OATH token | 👁 Yes. |
👁 No. |
|
| Federated Single factor + Hardware OATH token | 👁 Yes. |
👁 No. |
|
| Federated Single factor + SMS | 👁 Yes. |
👁 No. |
|
| Federated Single factor + Voice | 👁 Yes. |
👁 No. |
|
| Single factor authentication | Certificate-based Authentication (Single factor) | 👁 No. |
👁 No. |
| SMS | 👁 No. |
👁 No. |
|
| Password | 👁 No. |
👁 No. |
|
| Federated Single factor | 👁 No. |
👁 No. |
1 Ensure that help desk staff adequately verify the identity of the user when issuing the temporary access pass.
Next steps
Feedback
Was this page helpful?