Require Phishing-Resistant MFA for All Users
Identity & Authentication control for Microsoft 365 and Entra ID
Why This Control Matters
Phishing attacks can bypass traditional MFA. At Level 3, the entire organization uses authentication methods that cryptographically prove user presence, eliminating MFA bypass attacks entirely.
Expected State
When this control is compliant, your tenant should meet these criteria:
- 1All users must use phishing-resistant MFA (FIDO2, Windows Hello, passkeys)
- 2SMS and voice call authentication methods are disabled tenant-wide
- 3Push notification MFA is disabled or only allowed with number matching
Enforcement
Zero-tolerance enforcement with immediate remediation
One-click fix creates a report-only Conditional Access policy requiring phishing-resistant MFA for all users (break-glass and TrueConfig service principal excluded). Review report-only sign-in impact and confirm broad FIDO2/passkey registration before switching the policy to enforced.
Ready to implement this control?
TrueConfig continuously monitors your Microsoft 365 tenant for compliance with this and 50+ other security controls.