ID-04CriticalMaximum Security

Require Phishing-Resistant MFA for All Users

Identity & Authentication control for Microsoft 365 and Entra ID

Why This Control Matters

Phishing attacks can bypass traditional MFA. At Level 3, the entire organization uses authentication methods that cryptographically prove user presence, eliminating MFA bypass attacks entirely.

Expected State

When this control is compliant, your tenant should meet these criteria:

1All users must use phishing-resistant MFA (FIDO2, Windows Hello, passkeys)
2SMS and voice call authentication methods are disabled tenant-wide
3Push notification MFA is disabled or only allowed with number matching

Enforcement

Default Mode

Strict

Zero-tolerance enforcement with immediate remediation

Auto-Remediation

Available

Enables FIDO2 and passkey authentication methods. Users still need to register their own security keys.

Ready to implement this control?

TrueConfig continuously monitors your Microsoft 365 tenant for compliance with this and 50+ other security controls.