ID-04CriticalMaximum Security

Require Phishing-Resistant MFA for All Users

Identity & Authentication control for Microsoft 365 and Entra ID

Why This Control Matters

Phishing attacks can bypass traditional MFA. At Level 3, the entire organization uses authentication methods that cryptographically prove user presence, eliminating MFA bypass attacks entirely.

Expected State

When this control is compliant, your tenant should meet these criteria:

  • 1All users must use phishing-resistant MFA (FIDO2, Windows Hello, passkeys)
  • 2SMS and voice call authentication methods are disabled tenant-wide
  • 3Push notification MFA is disabled or only allowed with number matching

Enforcement

Default Mode
Strict

Zero-tolerance enforcement with immediate remediation

Auto-Remediation
Manual Only

One-click fix creates a report-only Conditional Access policy requiring phishing-resistant MFA for all users (break-glass and TrueConfig service principal excluded). Review report-only sign-in impact and confirm broad FIDO2/passkey registration before switching the policy to enforced.

Ready to implement this control?

TrueConfig continuously monitors your Microsoft 365 tenant for compliance with this and 50+ other security controls.