# Azure Authentication Methods
The Microsoft Entra admin center allows IT administrators to manage and configure how users authenticate when accessing organizational resources. It consolidates legacy MFA and SSPR settings into a unified policy framework.
> **Info:** On September 30th, 2025, the legacy multifactor authentication (MFA) and self-service password reset (SSPR) policies were deprecated in favour of the unified Authentication Methods policy in the Microsoft Entra admin center.
## Authentication Method Policy Best Practices

### Strategic Principles
- Enable diversity: Offer multiple secure methods to accommodate different user contexts (e.g., frontline workers vs. engineers).
- Prioritize phishing-resistant options: FIDO2, certificate-based auth, and Temporary Access Pass are top-tier.
- Minimize legacy reliance: SMS and voice are vulnerable to interception and should be phased out.
- Use conditional targeting: Apply methods to specific groups based on risk, role, and device availability.
- Monitor and iterate: Track usage and adapt policies as user behavior and threat landscapes evolve.
## Ranked Authentication Methods
| Rank | Method | Description | Best Use Case | Best Practice Notes |
|---|---|---|---|---|
| 1️⃣ | FIDO2 Security Key | Hardware-based, phishing-resistant credential | High-security roles, shared workstations | Enable for admins and privileged users; supports passwordless strategy |
| 2️⃣ | Temporary Access Pass | Time-limited pass for onboarding or recovery | New hires, lost credentials | Use for just-in-time access; pair with FIDO2 rollout |
| 3️⃣ | Certificate-Based Auth | Uses device or user certificates for strong identity validation | Managed devices, VPN access | Ideal for hybrid environments; requires PKI setup |
| 4️⃣ | Software OATH Tokens | App-based TOTP (e.g., Microsoft Authenticator) | BYOD users, mobile-first teams | Enable for general workforce; supports MFA without hardware |
| 5️⃣ | Hardware OATH Tokens | Physical token generating TOTP codes | Users without smartphones | Use for accessibility or secure facilities; manage distribution carefully |
| 6️⃣ | QR Code | Visual code scanned for authentication | Kiosk or shared device scenarios | Use in controlled environments; not widely supported yet |
| 7️⃣ | Email OTP | One-time passcode sent via email | Low-risk users, fallback method | Avoid for high-risk roles; email compromise risk |
| 8️⃣ | SMS | One-time passcode sent via text message | Legacy support, fallback | Phase out gradually; vulnerable to SIM swap attacks |
| 9️⃣ | Voice Call | Phone call delivers passcode | Accessibility needs | Use only when other methods are unavailable |
| 🔟 | Password | Traditional username/password combo | Baseline access | Should be paired with MFA; consider passwordless alternatives |
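The strategic principles and the ranking above translate directly into checks that can be run against a tenant's Authentication Methods policy. The following Python script is an added example, not code from the page or from Microsoft: it audits a policy document in the shape returned by `GET https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy` (a list of `authenticationMethodConfigurations`, each with an `id`, a `state`, and `includeTargets`), flags disabled phishing-resistant methods, legacy methods still enabled, Email OTP aimed at privileged users, and FIDO2 not covering the privileged group, and builds the PATCH body that would fix one finding. The policy shape, the `@odata.type` names and the group ids are assumptions to verify against your own tenant; the sample policy is constructed, not captured from a real tenant.

```python
"""Audit an Entra Authentication Methods policy against the ranking on this page.

Added example, not the page's or Microsoft's code. The document shape mirrors
GET /policies/authenticationMethodsPolicy as far as the author understands it;
treat it as an assumption and check it against your tenant's real response.
"""
from dataclasses import dataclass

# Graph configuration ids mapped to (rank on this page, tier used by the audit).
METHOD_RANK = {
    "Fido2": (1, "phishing_resistant"),
    "TemporaryAccessPass": (2, "phishing_resistant"),
    "X509Certificate": (3, "phishing_resistant"),
    "SoftwareOath": (4, "standard"),
    "HardwareOath": (5, "standard"),
    "QRCodePin": (6, "standard"),
    "Email": (7, "weak"),
    "Sms": (8, "legacy"),
    "Voice": (9, "legacy"),
}

# @odata.type values used in PATCH bodies (assumed; verify against Graph docs).
ODATA_TYPE = {mid: f"#microsoft.graph.{mid[0].lower() + mid[1:]}AuthenticationMethodConfiguration"
              for mid in METHOD_RANK}
ODATA_TYPE["QRCodePin"] = "#microsoft.graph.qrCodePinAuthenticationMethodConfiguration"

SEVERITY_ORDER = {"high": 0, "medium": 1, "info": 2}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" | "medium" | "info"
    method: str
    message: str


def _targets(config: dict) -> list[str]:
    """Group ids (or the special value all_users) a method is enabled for."""
    return [t.get("id", "?") for t in config.get("includeTargets", [])]


def audit_policy(policy: dict, privileged_group_id: str) -> list[Finding]:
    """Return findings sorted by severity, then method id."""
    configs = {c["id"]: c for c in policy.get("authenticationMethodConfigurations", [])}
    findings: list[Finding] = []
    for mid, (rank, tier) in METHOD_RANK.items():
        cfg = configs.get(mid) or {}
        state = cfg.get("state", "disabled")  # a missing configuration counts as disabled
        if tier == "phishing_resistant" and state != "enabled":
            findings.append(Finding("high", mid, f"rank {rank} method is {state}; enable it"))
        elif tier == "legacy" and state == "enabled":
            targets = _targets(cfg)
            sev = "high" if "all_users" in targets else "medium"
            findings.append(Finding(sev, mid, f"legacy method enabled for {', '.join(targets)}; phase out"))
        elif tier == "weak" and state == "enabled" and privileged_group_id in _targets(cfg):
            findings.append(Finding("high", mid, "Email OTP targeted at privileged group; email compromise risk"))
    fido = configs.get("Fido2") or {}
    if fido.get("state") == "enabled" and not {privileged_group_id, "all_users"} & set(_targets(fido)):
        findings.append(Finding("high", "Fido2", "privileged group is not an include target"))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.method))


def build_patch_body(method_id: str, state: str, group_ids: list[str]) -> dict:
    """Body for PATCH /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/{id}."""
    return {
        "@odata.type": ODATA_TYPE[method_id],
        "state": state,
        "includeTargets": [
            {"targetType": "group", "id": gid, "isRegistrationRequired": False} for gid in group_ids
        ],
    }


def apply_locally(policy: dict, method_id: str, body: dict) -> dict:
    """Simulate the PATCH on the in-memory document so the audit can be re-run offline."""
    configs = [dict(c) for c in policy.get("authenticationMethodConfigurations", [])]
    for c in configs:
        if c["id"] == method_id:
            c.update({k: v for k, v in body.items() if k != "@odata.type"})
    return {"authenticationMethodConfigurations": configs}


# Constructed sample tenant: placeholder group ids, not real object ids.
PRIVILEGED_GROUP_ID = "00000000-0000-0000-0000-00000000abcd"
ENGINEERING_GROUP_ID = "00000000-0000-0000-0000-0000000000e9"
ALL = [{"targetType": "group", "id": "all_users", "isRegistrationRequired": False}]
SAMPLE_POLICY = {"authenticationMethodConfigurations": [
    {"id": "Fido2", "state": "enabled", "includeTargets": [{"targetType": "group", "id": ENGINEERING_GROUP_ID}]},
    {"id": "TemporaryAccessPass", "state": "enabled", "includeTargets": ALL},
    {"id": "X509Certificate", "state": "disabled", "includeTargets": []},
    {"id": "SoftwareOath", "state": "enabled", "includeTargets": ALL},
    {"id": "Email", "state": "enabled", "includeTargets": [{"targetType": "group", "id": PRIVILEGED_GROUP_ID}]},
    {"id": "Sms", "state": "enabled", "includeTargets": ALL},
    {"id": "Voice", "state": "disabled", "includeTargets": []},
]}

if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY, PRIVILEGED_GROUP_ID):
        print(f"[{f.severity}] {f.method}: {f.message}")
    fixed = apply_locally(SAMPLE_POLICY, "Sms", build_patch_body("Sms", "disabled", []))
    fixed = apply_locally(fixed, "Fido2",
                          build_patch_body("Fido2", "enabled", [PRIVILEGED_GROUP_ID, ENGINEERING_GROUP_ID]))
    print("after remediation:", [f.method for f in audit_policy(fixed, PRIVILEGED_GROUP_ID)])
```

Against the constructed sample the audit reports four high findings (Email, Fido2, Sms, X509Certificate); after disabling SMS and adding the privileged group to the FIDO2 include targets, only the certificate and Email OTP findings remain. Sending the same bodies to Graph requires the `Policy.ReadWrite.AuthenticationMethod` permission, and a tenant-wide `all_users` target on SMS should be narrowed to a fallback group before it is disabled outright, in line with the "phase out gradually" note above.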