PA-05 | Critical | Enhanced Security
Require Phishing-Resistant MFA for Admins
Privileged Access control for Microsoft 365 and Entra ID
Why This Control Matters
Traditional MFA (push notifications, SMS, one-time codes) can be bypassed through social engineering, MFA fatigue (push-bombing) attacks, and adversary-in-the-middle phishing proxies that relay the code or approval prompt to the real login page in real time. Phishing-resistant methods such as FIDO2 security keys, Windows Hello for Business, and device-bound passkeys resist these attacks because the credential is bound to the legitimate site's origin and proves possession by signing a challenge: the authenticator will not produce a valid assertion for a lookalike domain, and there is no code or approval for the user to hand over.
Expected State
When this control is compliant, your tenant should meet these criteria:
1. All users with privileged roles have registered phishing-resistant MFA
2. FIDO2 security keys, Windows Hello for Business, or device-bound passkeys are required for those users
3. SMS and voice call MFA methods are blocked for admin accounts
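The three criteria above map to concrete Entra ID objects: a Conditional Access policy that applies the built-in "Phishing-resistant MFA" authentication strength to directory roles, the per-user registration report, and the tenant authentication methods policy. The following added example (not TrueConfig code, and not the product's own check) builds the Conditional Access policy body as it would be sent to Microsoft Graph (POST /identity/conditionalAccess/policies) and evaluates criteria 1 to 3 against JSON already exported from GET /reports/authenticationMethods/userRegistrationDetails and GET /policies/authenticationMethodsPolicy. The sample records are constructed; the role template IDs are a starting set; the exact methodsRegistered enum strings and the admin group ID are assumptions to confirm against the Graph documentation and your tenant.

```python
"""Evaluate the PA-05 expected state against exported Entra ID data.

Added example, not TrueConfig code. Input is JSON already fetched from Graph;
the sample data at the bottom is constructed, not from a real tenant.
"""

# Built-in Conditional Access authentication strength "Phishing-resistant MFA".
PHISHING_RESISTANT_STRENGTH_ID = "00000000-0000-0000-0000-000000000004"

# Directory role template IDs to scope the policy to (starting set; extend as needed).
PRIVILEGED_ROLE_TEMPLATE_IDS = {
    "Global Administrator": "62e90394-69f5-4237-9190-012177145e10",
    "Privileged Role Administrator": "e8611ab8-c189-46e8-94e1-60213ab1f814",
    "Security Administrator": "194ae4cb-b126-40b2-bd5b-6091b380977d",
    "Conditional Access Administrator": "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9",
}

# methodsRegistered values that satisfy criterion 2 (assumed Graph enum names).
PHISHING_RESISTANT_METHODS = {"fido2SecurityKey", "windowsHelloForBusiness", "passKeyDeviceBound"}
# Values that mean a phishable phone fallback is still registered (assumed enum names).
SMS_OR_VOICE_METHODS = {"mobilePhone", "alternateMobilePhone", "officePhone"}


def build_ca_policy(break_glass_user_ids):
    """Body for POST /identity/conditionalAccess/policies. Starts in report-only
    mode so sign-in logs can be reviewed before the policy is enforced."""
    return {
        "displayName": "PA-05: Require phishing-resistant MFA for admins",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": {
                "includeRoles": sorted(PRIVILEGED_ROLE_TEMPLATE_IDS.values()),
                # Break-glass accounts stay excluded; monitor their sign-ins separately.
                "excludeUsers": list(break_glass_user_ids),
            },
        },
        # Authentication strength cannot be combined with other grant controls, so OR.
        "grantControls": {
            "operator": "OR",
            "authenticationStrength": {"id": PHISHING_RESISTANT_STRENGTH_ID},
        },
    }


def admins_without_phishing_resistant_mfa(registration_details):
    """Criteria 1 and 2: every isAdmin user has at least one phishing-resistant method."""
    return sorted(
        r["userPrincipalName"]
        for r in registration_details
        if r.get("isAdmin") and not PHISHING_RESISTANT_METHODS & set(r.get("methodsRegistered", []))
    )


def admins_with_sms_or_voice(registration_details):
    """Admins who still have a phone method registered (a fallback an attacker can target)."""
    return sorted(
        r["userPrincipalName"]
        for r in registration_details
        if r.get("isAdmin") and SMS_OR_VOICE_METHODS & set(r.get("methodsRegistered", []))
    )


def sms_voice_blocked_for_admins(auth_methods_policy, admin_group_id):
    """Criterion 3: Sms and Voice are disabled tenant-wide, or the admin group is in
    their excludeTargets. Returns the ids of the configurations that fail."""
    failing = []
    for cfg in auth_methods_policy["authenticationMethodConfigurations"]:
        if cfg["id"] not in ("Sms", "Voice"):
            continue
        excluded = {t["id"] for t in cfg.get("excludeTargets", [])}
        if cfg["state"] == "enabled" and admin_group_id not in excluded:
            failing.append(cfg["id"])
    return failing


# Constructed sample data in the shape Graph returns.
SAMPLE_REGISTRATION = [
    {"userPrincipalName": "ga1@example.com", "isAdmin": True,
     "methodsRegistered": ["fido2SecurityKey", "microsoftAuthenticatorPush"]},
    {"userPrincipalName": "secadmin@example.com", "isAdmin": True,
     "methodsRegistered": ["microsoftAuthenticatorPush", "mobilePhone"]},
    {"userPrincipalName": "helpdesk@example.com", "isAdmin": False,
     "methodsRegistered": ["mobilePhone"]},
]
ADMIN_GROUP_ID = "11111111-2222-3333-4444-555555555555"  # hypothetical admin group id
SAMPLE_AUTH_POLICY = {
    "authenticationMethodConfigurations": [
        {"id": "Sms", "state": "enabled",
         "includeTargets": [{"id": "all_users", "targetType": "group"}],
         "excludeTargets": [{"id": ADMIN_GROUP_ID, "targetType": "group"}]},
        {"id": "Voice", "state": "enabled",
         "includeTargets": [{"id": "all_users", "targetType": "group"}],
         "excludeTargets": []},
        {"id": "Fido2", "state": "enabled",
         "includeTargets": [{"id": "all_users", "targetType": "group"}]},
    ]
}

if __name__ == "__main__":
    print("Admins missing phishing-resistant MFA:", admins_without_phishing_resistant_mfa(SAMPLE_REGISTRATION))
    print("Admins with SMS/voice registered:", admins_with_sms_or_voice(SAMPLE_REGISTRATION))
    print("SMS/voice not blocked for admins:", sms_voice_blocked_for_admins(SAMPLE_AUTH_POLICY, ADMIN_GROUP_ID))
```

On the sample data the checks flag secadmin@example.com (push and SMS only) and the Voice configuration, which is still enabled for all users with no exclusion for the admin group. Leaving a phone method registered on an admin account matters even when the Conditional Access policy is in place, because an attacker who reaches the account through a path the policy does not cover can still target that fallback; remove the weak methods rather than relying on the policy alone.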
Enforcement
Default Mode: Advisory. Alerts on deviations but does not make changes.
Auto-Remediation: Manual only. Requires hardware security key provisioning and a Conditional Access policy.
Ready to implement this control?
TrueConfig continuously monitors your Microsoft 365 tenant for compliance with this and 50+ other security controls.