ID-04: Require Phishing-Resistant MFA for All Users
Overview
At the Maximum Security baseline, every user in the tenant must authenticate with phishing-resistant MFA - FIDO2 security keys, Windows Hello for Business, or passkeys. This is a mandatory Level 3 requirement, not an optional upgrade. You enable the phishing-resistant methods, disable weak methods (SMS and voice), and then enforce the requirement organization-wide with an authentication-strength Conditional Access policy.
Why This Matters: Phishing attacks can bypass traditional MFA. At Level 3, the entire organization uses authentication methods that cryptographically prove user presence and bind the credential to the legitimate sign-in origin, so a phishing page or reverse proxy cannot capture and replay it; this eliminates the MFA bypass attacks that work against weaker factors. SMS, voice, and standard push notifications can be intercepted or defeated with MFA-fatigue and social-engineering attacks; phishing-resistant methods cannot.
- Control ID: ID-04
- Category: Identity & Authentication
- Baseline Level: Level 3 (Maximum Security)
- Severity: Critical
- License Required: Microsoft Entra ID P1 (for the Conditional Access enforcement policy)
- Remediation: One-click / auto-remediable (enables the FIDO2 and passkey methods; users still register their own keys)
Expected State
- All users must use phishing-resistant MFA (FIDO2, Windows Hello, passkeys)
- SMS and voice call authentication methods are disabled tenant-wide
- Push notification MFA is disabled or only allowed with number matching
Types of Phishing-Resistant Authentication:
| Method | Device | Best For |
|---|---|---|
| FIDO2 Security Keys | Hardware USB/NFC key | High-security users, shared devices |
| Microsoft Authenticator Passkey | Mobile phone | General workforce |
| Windows Hello for Business | Windows PC | Windows-centric environments |
| Platform Passkeys | macOS/iOS/Android | Cross-platform users |
Prerequisites
Required Roles
- Global Administrator or Authentication Policy Administrator - to configure authentication methods
- User Administrator - to assign users to groups
License Requirements
| Feature | License |
|---|---|
| FIDO2 security keys | Free (no license required) |
| Microsoft Authenticator passkeys | Free (no license required) |
| Windows Hello for Business (cloud) | Free (no license required) |
| Windows Hello for Business (hybrid) | Microsoft Entra ID P1 or P2 |
| Conditional Access for enforcement | Microsoft Entra ID P1 |
Note: Enabling the methods is free, but this Level 3 control is only met when the requirement is enforced for all users via a Conditional Access authentication-strength policy, which requires Microsoft Entra ID P1. The enforcement step (Step 9) is required, not optional.
Hardware Requirements
FIDO2 Security Keys:
- FIDO2-certified security key (USB-A, USB-C, or NFC)
- Examples: YubiKey 5 series, Google Titan, Feitian, AuthenTrend
- Budget: $25-70 per key
- Recommendation: Two keys per user (primary + backup)
Microsoft Authenticator:
- iOS 14+ or Android 8+
- Biometric capability (Face ID, Touch ID, fingerprint)
- Current version of Microsoft Authenticator app
Windows Hello for Business:
- Windows 10 version 1903+ or Windows 11
- TPM 2.0 chip
- Biometric hardware (camera for facial recognition, fingerprint reader) or PIN support
Pre-Checks
- Verify your users have compatible devices
- If using FIDO2 keys, ensure procurement process is in place
- Test that target applications support passwordless authentication
- Verify Azure AD/Entra ID configuration allows FIDO2
Time Estimate
| Task | Duration |
|---|---|
| Configure authentication method policies | 30 minutes |
| Pilot with IT/security team | 1-2 weeks |
| Procure hardware (if using FIDO2 keys) | 1-2 weeks |
| User training and documentation | 1-2 hours |
| Phased rollout | 2-4 weeks |
| Full deployment | Ongoing |
Total: 4-8 weeks for initial deployment
Step-by-Step Instructions
Step 1: Enable FIDO2 Security Keys
Navigation: Entra admin center > Protection > Authentication methods > Policies
- Sign in to the Microsoft Entra admin center
- Navigate to Protection > Authentication methods > Policies
- Click FIDO2 security key
Configure the following:
- Enable: Set to Yes
- Target:
  - For pilot: Select Include > Select users and groups > Choose pilot group
  - For full rollout: Select All users
- Configure: Click to expand settings
  Key restriction policy:
  - Enforce key restrictions: Yes (recommended for enterprise)
  - Restrict specific keys:
    - Allow: Only allow approved key manufacturers (recommended)
    - Block: Block specific keys known to have issues
  Allowed AAGUIDs (if restricting keys):
  Add the AAGUIDs for approved security keys. Common examples:
  - YubiKey 5 Series:
    - cb69481e-8ff7-4039-93ec-0a2729a154a8 (YubiKey 5 NFC)
    - ee882879-721c-4913-9775-3dfcce97072a (YubiKey 5C)
    - fa2b99dc-9e39-4257-8f92-4a30d23c4118 (YubiKey 5Ci)
  - Google Titan:
    - 42b4fb4a-2866-43b2-9bf7-6c6669c2e5d3 (Titan USB-A)
  - Feitian:
    - 77010bd7-212a-4fc9-b236-d2ca5e9d4084 (various models)
  Note: Find AAGUIDs at https://fidoalliance.org/metadata/ or from your key vendor.
- Allow self-service set up: Yes (allows users to register their own keys)
- Click Save
Step 2: Enable Microsoft Authenticator Passkeys
Navigation: Entra admin center > Protection > Authentication methods > Policies
- Navigate to Protection > Authentication methods > Policies
- Click Microsoft Authenticator
Configure the following:
- Enable: Set to Yes
- Target:
  - Select All users (or specific groups for phased rollout)
- Configure: Click to expand settings
- Authentication mode:
  - Select Passwordless to enable passkey functionality
  - Or select Any to allow both push notifications and passwordless
- Require number matching: Enabled (required for security)
- Show application name: Enabled (helps users verify legitimate requests)
- Show geographic location: Enabled (helps detect suspicious access)
- Microsoft Authenticator on companion applications: Choose based on needs
- Click Save
Step 3: Configure Windows Hello for Business (Optional)
For organizations using Windows devices, enable Windows Hello for Business:
Cloud-Only Deployment:
Navigation: Entra admin center > Devices > Device settings
- Navigate to Devices > Overview > Device settings
- Under Azure AD Join:
  - Require Multi-Factor Authentication to register or join devices: Yes
- Navigate to Devices > Enrollment > Windows Hello for Business
Note: For cloud-only, Windows Hello is configured during device setup or via Intune.
For Intune-Managed Devices:
- Sign in to Microsoft Intune admin center
- Navigate to Devices > Enrollment > Windows Hello for Business
- Configure Windows Hello for Business: Enable
- Configure settings:
  - Use a Trusted Platform Module (TPM): Required
  - Minimum PIN length: 6 (or higher)
  - Use biometrics: Yes
  - Allow enhanced anti-spoofing: Yes
Step 4: Create a Pilot Group
Start with a small group before organization-wide rollout:
- Navigate to Identity > Groups > All groups
- Click New group
- Configure:
  - Group type: Security
  - Group name: Passwordless Pilot Users
  - Group description: Users testing FIDO2 and passkey authentication
  - Membership type: Assigned
- Add pilot members (recommend IT/security team first)
- Click Create
Step 5: Guide Users to Register Passwordless Methods
For FIDO2 Security Key Registration:
Provide these instructions to users:
- Go to https://aka.ms/mysecurityinfo
- Sign in with your work account (you'll need your current password)
- Click + Add sign-in method
- Select Security key from the dropdown
- Choose your key type:
  - USB device for USB security keys
  - NFC device for NFC-enabled keys
- Click Next
- Insert your security key when prompted
- When the key's light blinks or button lights up, touch it to confirm
- Create a friendly name for the key (e.g., "YubiKey Primary" or "Backup Key")
- Click Done
Register a backup key: Repeat the process with a second key. Store the backup securely.
For Microsoft Authenticator Passkey Registration:
- Ensure Microsoft Authenticator is installed and updated on your phone
- Go to https://aka.ms/mysecurityinfo
- Sign in with your work account
- Click + Add sign-in method
- Select Authenticator app
- If you already have Authenticator set up for MFA, select Add sign-in method and choose Passkey
- Follow the prompts to link your phone
- Enable passwordless sign-in:
  - Open Microsoft Authenticator on your phone
  - Tap your work account
  - Tap Set up phone sign-in or Enable phone sign-in
  - Follow the prompts to complete setup
Step 6: Test Passwordless Sign-In
Have pilot users test the complete flow:
FIDO2 Security Key Test:
- Go to https://portal.office.com or any Microsoft sign-in page
- Enter your email address
- Instead of entering a password, click Sign in with a security key or Other ways to sign in
- Select Security key
- Insert your security key
- Touch the key when prompted
- You should be signed in without entering a password
Microsoft Authenticator Test:
- Go to https://portal.office.com
- Enter your email address
- Click Sign in with Microsoft Authenticator or Use an app instead
- A number appears on screen
- Open Microsoft Authenticator on your phone
- Tap the notification and select the matching number
- Authenticate with biometric or PIN on your phone
- You should be signed in
Step 7: Roll Out to Broader Groups
After successful pilot:
- Return to Protection > Authentication methods > Policies
- For each method (FIDO2, Authenticator), update the Target to include more groups or all users
- Send user communications with registration instructions
- Offer registration assistance sessions
Phased Rollout Recommendation:
| Week | Group | Size |
|---|---|---|
| 1-2 | IT & Security | 10-20 users |
| 3-4 | Early adopters | 50-100 users |
| 5-6 | Department by department | 100+ users |
| 7+ | All remaining users | Everyone |
Step 8: Disable Weak Authentication Methods (Required)
This control requires SMS and voice call methods to be disabled tenant-wide, and push notifications to be limited to number matching. Do this only after users have registered a phishing-resistant method, or they will be locked out.
Navigation: Entra admin center > Protection > Authentication methods > Policies
- Click SMS > set Enable to No (or scope it out to a small exception group)
- Click Voice call > set Enable to No
- Confirm Microsoft Authenticator has Require number matching set to Enabled (configured in Step 2) so any remaining push-based MFA is number-matched
- Verify FIDO2 and passkey methods are enabled and adopted before enforcing
Step 9: Enforce Phishing-Resistant MFA for All Users (Required)
This is the enforcement step that brings ID-04 into compliance. It requires an authentication-strength Conditional Access policy covering all users (not just admins).
Navigation: Entra admin center > Protection > Conditional Access > Policies
- Click + Create new policy
- Name: Require Phishing-Resistant MFA - All Users
- Assignments - Users:
  - Include: All users
  - Exclude: Emergency access accounts (break-glass)
- Assignments - Target resources:
  - All cloud apps
- Grant:
  - Select Grant access
  - Check Require authentication strength
  - Select Phishing-resistant MFA (built-in) or create a custom strength allowing only FIDO2, Windows Hello, and passkeys
- Enable policy: Start in Report-only to confirm coverage, then switch to On. Do not leave it in report-only - the control is only met when the policy is enforced.
- Click Create
Rollout guidance: Confirm phishing-resistant registration is high (see Step 10 monitoring) before turning the policy On, and keep break-glass accounts excluded so a misconfiguration cannot lock everyone out.
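The settings from Steps 1, 2, 8 and 9 can be checked mechanically against what Microsoft Graph returns for the tenant. The script below is an added example, not part of this baseline document or of any Microsoft tool: it evaluates constructed sample payloads shaped like the responses of GET /policies/authenticationMethodsPolicy and GET /identity/conditionalAccess/policies and reports which ID-04 requirement each gap maps to. The built-in authentication-strength id used for "Phishing-resistant MFA" and the break-glass object id are assumptions (the first should be confirmed against GET /policies/authenticationStrengthPolicies in your tenant, the second is a placeholder); the admin role template id is a placeholder as well.

```python
import copy

# Built-in strength id for "Phishing-resistant MFA" (assumed; confirm in your tenant).
PHISHING_RESISTANT_STRENGTH_ID = "00000000-0000-0000-0000-000000000004"

# Constructed sample of /policies/authenticationMethodsPolicy: SMS off, voice still
# on, FIDO2 restricted to one AAGUID, Authenticator with number matching enabled.
SAMPLE_AUTH_METHODS_POLICY = {
    "authenticationMethodConfigurations": [
        {"id": "Fido2", "state": "enabled", "isSelfServiceRegistrationAllowed": True,
         "keyRestrictions": {"isEnforced": True, "enforcementType": "allow",
                             "aaGuids": ["cb69481e-8ff7-4039-93ec-0a2729a154a8"]}},
        {"id": "MicrosoftAuthenticator", "state": "enabled",
         "featureSettings": {"numberMatchingRequiredState": {"state": "enabled"}}},
        {"id": "Sms", "state": "disabled"},
        {"id": "Voice", "state": "enabled"},
    ]
}

# Constructed break-glass object id, plus two constructed Conditional Access policies:
# the admin-scoped PA-05 policy and the all-users policy still left in report-only.
BREAK_GLASS_IDS = {"11111111-1111-1111-1111-111111111111"}
SAMPLE_CA_POLICIES = [
    {"displayName": "Require Phishing-Resistant MFA - Admins", "state": "enabled",
     "conditions": {"users": {"includeUsers": [], "includeRoles": ["<admin-role-template-id>"],
                              "excludeUsers": list(BREAK_GLASS_IDS)},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR",
                       "authenticationStrength": {"id": PHISHING_RESISTANT_STRENGTH_ID}}},
    {"displayName": "Require Phishing-Resistant MFA - All Users",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": list(BREAK_GLASS_IDS)},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR",
                       "authenticationStrength": {"id": PHISHING_RESISTANT_STRENGTH_ID}}},
]


def method_config(policy, method_id):
    # Configuration entry for one authentication method, or None if absent.
    for cfg in policy.get("authenticationMethodConfigurations", []):
        if cfg.get("id") == method_id:
            return cfg
    return None


def check_auth_methods(policy):
    # Steps 1, 2 and 8: strong methods on, weak methods off, sane key restrictions.
    findings = []
    for weak in ("Sms", "Voice"):
        cfg = method_config(policy, weak)
        if cfg is not None and cfg.get("state") != "disabled":
            findings.append(f"{weak} is still enabled tenant-wide (Step 8)")
    fido = method_config(policy, "Fido2")
    if fido is None or fido.get("state") != "enabled":
        findings.append("FIDO2 security key method is not enabled (Step 1)")
    else:
        kr = fido.get("keyRestrictions") or {}
        if kr.get("isEnforced") and kr.get("enforcementType") == "allow" and not kr.get("aaGuids"):
            findings.append("FIDO2 allow-list is enforced but empty: no key model is approved (Step 1)")
    auth = method_config(policy, "MicrosoftAuthenticator")
    if auth is None or auth.get("state") != "enabled":
        findings.append("Microsoft Authenticator method is not enabled (Step 2)")
    else:
        nm = (auth.get("featureSettings") or {}).get("numberMatchingRequiredState") or {}
        if nm.get("state") != "enabled":  # a missing property counts as unconfirmed
            findings.append("Authenticator number matching is not confirmed enabled (Step 2)")
    return findings


def is_enforcing_policy(policy, break_glass):
    # True only for an On policy: all users, all apps, phishing-resistant strength,
    # and every break-glass account excluded so a mistake cannot lock everyone out.
    users = policy.get("conditions", {}).get("users", {})
    apps = policy.get("conditions", {}).get("applications", {})
    strength = policy.get("grantControls", {}).get("authenticationStrength") or {}
    return (policy.get("state") == "enabled"
            and "All" in users.get("includeUsers", [])
            and "All" in apps.get("includeApplications", [])
            and strength.get("id") == PHISHING_RESISTANT_STRENGTH_ID
            and set(break_glass) <= set(users.get("excludeUsers", [])))


def check_conditional_access(policies, break_glass):
    # Step 9: explain why each phishing-resistant policy falls short when none enforces.
    if any(is_enforcing_policy(p, break_glass) for p in policies):
        return []
    findings = []
    for p in policies:
        strength = p.get("grantControls", {}).get("authenticationStrength") or {}
        if strength.get("id") != PHISHING_RESISTANT_STRENGTH_ID:
            continue
        users = p.get("conditions", {}).get("users", {})
        name = p.get("displayName", "<unnamed>")
        if p.get("state") == "enabledForReportingButNotEnforced":
            findings.append(f"'{name}' is report-only; switch it On (Step 9)")
        elif p.get("state") != "enabled":
            findings.append(f"'{name}' is disabled (Step 9)")
        if "All" not in users.get("includeUsers", []):
            findings.append(f"'{name}' does not include all users (Step 9)")
        if not set(break_glass) <= set(users.get("excludeUsers", [])):
            findings.append(f"'{name}' does not exclude every break-glass account (Step 9)")
    return findings or ["No Conditional Access policy requires phishing-resistant MFA for all users (Step 9)"]


def assess(auth_policy, ca_policies, break_glass):
    # ID-04 verdict: met only when every check is clean.
    findings = check_auth_methods(auth_policy) + check_conditional_access(ca_policies, break_glass)
    return {"met": not findings, "findings": findings}


def remediated_sample():
    # The constructed tenant after Step 8 (voice off) and Step 9 (policy On) are done.
    auth = copy.deepcopy(SAMPLE_AUTH_METHODS_POLICY)
    method_config(auth, "Voice")["state"] = "disabled"
    cas = copy.deepcopy(SAMPLE_CA_POLICIES)
    cas[1]["state"] = "enabled"
    return auth, cas
```

Running `assess(SAMPLE_AUTH_METHODS_POLICY, SAMPLE_CA_POLICIES, BREAK_GLASS_IDS)` reports three findings (voice still enabled, the admin policy not covering all users, the all-users policy still report-only); the same call on `remediated_sample()` comes back clean. The admin-only policy is deliberately not counted as meeting ID-04, which is the distinction between this control and PA-05.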
Step 10: Monitor Passwordless Adoption
Navigation: Entra admin center > Protection > Authentication methods > Activity
- Navigate to Protection > Authentication methods
- Click Activity
- Review the Registration tab:
  - Track FIDO2 key registrations
  - Track passwordless Authenticator setup
  - Identify users who haven't registered
Sign-in Logs Analysis:
- Navigate to Identity > Monitoring & health > Sign-in logs
- Add filter: Authentication method
- Look for entries showing:
  - FIDO2 security key
  - Microsoft Authenticator (passwordless)
  - Windows Hello for Business
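The Registration activity view answers the question Step 9 depends on: how many users still have no phishing-resistant method and would be locked out the moment the policy goes On. The script below is an added example, not from this document or from Microsoft, that computes that gate from records shaped like the user registration details report (userPrincipalName, isAdmin, methodsRegistered). The method names it treats as phishing-resistant and the five sample records are constructed for the example; confirm the names against your tenant's own export before relying on them.

```python
from collections import Counter

# methodsRegistered values counted as phishing-resistant for ID-04 (assumed names).
PHISHING_RESISTANT_METHODS = {
    "fido2SecurityKey",
    "windowsHelloForBusiness",
    "microsoftAuthenticatorPasswordless",
    "passKeyDeviceBound",
}

# Constructed sample records in the report's shape: three covered users, two not.
SAMPLE_REGISTRATIONS = [
    {"userPrincipalName": "alice@contoso.example", "isAdmin": True,
     "methodsRegistered": ["fido2SecurityKey", "microsoftAuthenticatorPush"]},
    {"userPrincipalName": "bob@contoso.example", "isAdmin": False,
     "methodsRegistered": ["windowsHelloForBusiness", "mobilePhone"]},
    {"userPrincipalName": "carol@contoso.example", "isAdmin": False,
     "methodsRegistered": ["mobilePhone", "microsoftAuthenticatorPush"]},
    {"userPrincipalName": "dave@contoso.example", "isAdmin": False,
     "methodsRegistered": ["microsoftAuthenticatorPasswordless"]},
    {"userPrincipalName": "erin@contoso.example", "isAdmin": True,
     "methodsRegistered": ["microsoftAuthenticatorPush"]},
]


def phishing_resistant_methods(record):
    # Phishing-resistant methods this user has registered; empty means lockout risk.
    return PHISHING_RESISTANT_METHODS & set(record.get("methodsRegistered", []))


def coverage_report(records, min_coverage=0.95):
    # Coverage summary plus the go/no-go for switching the Step 9 policy to On.
    # Unregistered admins block enforcement outright: an admin locked out of the
    # tenant is worse than a delayed rollout.
    by_method = Counter()
    unregistered, unregistered_admins = [], []
    for r in records:
        methods = phishing_resistant_methods(r)
        if methods:
            by_method.update(methods)
        else:
            unregistered.append(r["userPrincipalName"])
            if r.get("isAdmin"):
                unregistered_admins.append(r["userPrincipalName"])
    total = len(records)
    covered = total - len(unregistered)
    coverage = covered / total if total else 0.0
    return {
        "total": total,
        "covered": covered,
        "coverage": round(coverage, 3),
        "by_method": dict(by_method),
        "unregistered": sorted(unregistered),
        "unregistered_admins": sorted(unregistered_admins),
        "ready_to_enforce": total > 0 and coverage >= min_coverage and not unregistered_admins,
    }


if __name__ == "__main__":
    report = coverage_report(SAMPLE_REGISTRATIONS)
    print(f"{report['covered']}/{report['total']} users covered ({report['coverage']:.0%})")
    for upn in report["unregistered"]:
        print("needs registration:", upn)
    print("ready to enforce:", report["ready_to_enforce"])
```

On the sample data coverage is 60% and one of the two uncovered users is an admin, so `ready_to_enforce` is False; the unregistered list is exactly the set of users to target with the Step 5 instructions and the assistance sessions from Step 7 before the policy leaves report-only.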
Verification Checklist
After enabling passwordless authentication:
- FIDO2 security key policy is enabled
- Microsoft Authenticator passwordless is enabled
- Key restrictions are configured (if using approved key list)
- Number matching is enabled for Authenticator
- SMS and voice call methods are disabled tenant-wide (or scoped to a documented exception group)
- Pilot users have successfully registered and tested
- Registration documentation is available to users
- Backup key registration is enforced for FIDO2 users
- Conditional Access authentication-strength policy requiring phishing-resistant MFA for all users is enabled (On, not report-only), with break-glass accounts excluded
- Help desk is trained on passwordless troubleshooting
- Adoption metrics are being tracked
Troubleshooting
Security Key Not Recognized
Problem: Computer doesn't detect the security key
Solutions:
- Try a different USB port (directly on computer, not a hub)
- Ensure the key is fully inserted
- Try a different browser (Edge or Chrome recommended)
- Install security key drivers if prompted
- Verify the key is FIDO2 certified (not just FIDO U2F)
- Test the key on another computer to rule out hardware failure
"This security key isn't supported" Error
Problem: Key is blocked by policy
Solutions:
- Check if key restrictions are enabled
- Verify the key's AAGUID is in the allowed list
- Add the key's AAGUID to the allow list if it's an approved model
- Contact IT if you have an unapproved key model
Authenticator Passwordless Not Working
Problem: User can't enable phone sign-in
Solutions:
- Verify Microsoft Authenticator is updated to latest version
- Ensure the phone has biometric capability enabled
- Check that the phone has a screen lock configured
- Re-add the work account in Authenticator
- Ensure passwordless is enabled in the authentication method policy
User Can't Register - "You don't have permission"
Problem: User is not in the target group
Solutions:
- Verify the user is included in the authentication method policy
- Check if the user is in an excluded group
- Verify the policy is set to allow self-service registration
- Wait 15-30 minutes for policy propagation
Passwordless Works in Browser But Not Desktop Apps
Problem: Older Office applications don't support passwordless
Solutions:
- Ensure Office is updated to current version (Microsoft 365 Apps)
- Verify Modern Authentication is enabled for Exchange Online
- Check if the app supports WebAuthn
- Some legacy apps may still require password fallback
Lost or Stolen Security Key
Problem: User lost their FIDO2 security key
Immediate Actions:
- User should sign in using backup key or alternative method
- Navigate to https://aka.ms/mysecurityinfo
- Remove the lost key from security info
- If no backup method available, help desk must perform manual reset
- Issue replacement key and register it
- Consider revocation of sessions (Entra admin center > Users > User > Revoke sessions)
Prevention:
- Require two security keys per user
- Keep backup key in secure location (not same bag as primary)
- Consider Microsoft Authenticator as backup method
Windows Hello for Business Errors
Problem: User can't set up Windows Hello
Solutions:
- Verify device is Azure AD joined or Hybrid Azure AD joined
- Check that TPM 2.0 is present and enabled in BIOS
- Verify PIN policy allows user's desired PIN
- Ensure camera/fingerprint reader is functional
- Check Event Viewer > Applications and Services > Microsoft > Windows > HelloForBusiness
Cost Considerations
Hardware Costs (FIDO2 Keys)
| Key Model | Price Range | Features |
|---|---|---|
| YubiKey 5 NFC | $45-50 | USB-A + NFC |
| YubiKey 5C | $50-55 | USB-C |
| YubiKey 5Ci | $70-75 | USB-C + Lightning |
| Google Titan | $30-35 | USB-A/C + NFC |
| Feitian ePass | $20-25 | Budget option |
Quantity Recommendations:
- 2 keys per privileged user (primary + backup)
- 1-2 keys per regular user
- Spare inventory: 10% for replacements
Example Budget (500 users):
- Privileged users (50): 100 keys x $50 = $5,000
- Regular users (450): 450 keys x $30 = $13,500
- Spares (50): 50 keys x $30 = $1,500
- Total: $20,000
Licensing Costs
| Feature | Cost |
|---|---|
| FIDO2 & Authenticator | Free |
| Conditional Access (to enforce) | P1 (~$6/user/month) |
| Windows Hello hybrid | P1 (~$6/user/month) |
ROI Considerations
Cost Savings:
- Reduced password reset tickets
- Fewer account compromises (investigation costs)
- No credential rotation needed for passwordless
Productivity Gains:
- Faster sign-in (no typing passwords)
- Fewer sign-in failures
- Works offline (no network needed for local auth)
Security Value:
- Eliminates phishing of credentials
- No passwords to steal in breaches
- Strongest form of user authentication
Related Controls
- ID-01: User MFA Registration - Phishing-resistant MFA builds on the MFA foundation
- PA-05: Require Phishing-Resistant MFA for Admins - The admin-scoped Level 2 version of this requirement
- PA-06: Require FIDO2 Security Keys for Administrators - Hardware-key requirement for admins
- ID-02: Block Legacy Authentication - Block protocols that bypass phishing-resistant MFA