PA-06CriticalMaximum Security

Require FIDO2 Security Keys for Administrators

Privileged Access control for Microsoft 365 and Entra ID

Why This Control Matters

Hardware security keys provide the highest authentication assurance. Unlike software-based MFA, keys cannot be phished, cloned, or remotely compromised. Level 3 mandates this protection for all admin access.

Expected State

When this control is compliant, your tenant should meet these criteria:

1All users with privileged roles have registered FIDO2 security keys
2Each admin has at least 2 keys registered (primary + backup)
3PIM activation requires FIDO2 authentication

Enforcement

Default Mode

Strict

Zero-tolerance enforcement with immediate remediation

Auto-Remediation

Manual Only

Requires hardware security key procurement and registration

Ready to implement this control?

TrueConfig continuously monitors your Microsoft 365 tenant for compliance with this and 50+ other security controls.