ID-04: Require Phishing-Resistant MFA for All Users

Overview

At the Maximum Security baseline, every user in the tenant must authenticate with phishing-resistant MFA - FIDO2 security keys, Windows Hello for Business, or passkeys. This is a mandatory Level 3 requirement, not an optional upgrade. You enable the phishing-resistant methods, disable weak methods (SMS and voice), and then enforce the requirement organization-wide with an authentication-strength Conditional Access policy.

Why This Matters: Phishing attacks can bypass traditional MFA. At Level 3, the entire organization uses authentication methods that cryptographically prove user presence, eliminating MFA bypass attacks entirely. SMS, voice, and standard push notifications can be intercepted or defeated with MFA-fatigue and social-engineering attacks; phishing-resistant methods cannot.

Control ID: ID-04
Category: Identity & Authentication
Baseline Level: Level 3 (Maximum Security)
Severity: Critical
License Required: Microsoft Entra ID P1 (for the Conditional Access enforcement policy)
Remediation: One-click / auto-remediable (enables the FIDO2 and passkey methods; users still register their own keys)

Expected State

  • All users must use phishing-resistant MFA (FIDO2, Windows Hello, passkeys)
  • SMS and voice call authentication methods are disabled tenant-wide
  • Push notification MFA is disabled or only allowed with number matching

Types of Phishing-Resistant Authentication:

  Method                         | Device                | Best For
  FIDO2 Security Keys            | Hardware USB/NFC key  | High-security users, shared devices
  Microsoft Authenticator Passkey| Mobile phone          | General workforce
  Windows Hello for Business     | Windows PC            | Windows-centric environments
  Platform Passkeys              | macOS/iOS/Android     | Cross-platform users

Prerequisites

Required Roles

  • Global Administrator or Authentication Policy Administrator - to configure authentication methods
  • User Administrator - to assign users to groups

License Requirements

  Feature                              | License
  FIDO2 security keys                  | Free (no license required)
  Microsoft Authenticator passkeys     | Free (no license required)
  Windows Hello for Business (cloud)   | Free (no license required)
  Windows Hello for Business (hybrid)  | Microsoft Entra ID P1 or P2
  Conditional Access for enforcement   | Microsoft Entra ID P1

Note: Enabling the methods is free, but this Level 3 control is only met when the requirement is enforced for all users via a Conditional Access authentication-strength policy, which requires Microsoft Entra ID P1. The enforcement step (Step 9) is required, not optional.

Hardware Requirements

FIDO2 Security Keys:

  • FIDO2-certified security key (USB-A, USB-C, or NFC)
  • Examples: YubiKey 5 series, Google Titan, Feitian, AuthenTrend
  • Budget: $25-70 per key
  • Recommendation: Two keys per user (primary + backup)

Microsoft Authenticator:

  • iOS 14+ or Android 8+
  • Biometric capability (Face ID, Touch ID, fingerprint)
  • Current version of Microsoft Authenticator app

Windows Hello for Business:

  • Windows 10 version 1903+ or Windows 11
  • TPM 2.0 chip
  • Biometric hardware (camera for facial recognition, fingerprint reader) or PIN support

Pre-Checks

  1. Verify your users have compatible devices
  2. If using FIDO2 keys, ensure a procurement process is in place
  3. Test that target applications support passwordless authentication
  4. Verify the Azure AD/Entra ID configuration allows FIDO2

Time Estimate

  Task                                        | Duration
  Configure authentication method policies    | 30 minutes
  Pilot with IT/security team                 | 1-2 weeks
  Procure hardware (if using FIDO2 keys)      | 1-2 weeks
  User training and documentation             | 1-2 hours
  Phased rollout                              | 2-4 weeks
  Full deployment                             | Ongoing

Total: 4-8 weeks for initial deployment

Step-by-Step Instructions

Step 1: Enable FIDO2 Security Keys

Navigation: Entra admin center > Protection > Authentication methods > Policies

  1. Sign in to the Microsoft Entra admin center
  2. Navigate to Protection > Authentication methods > Policies
  3. Click FIDO2 security key

Configure the following:

  1. Enable: Set to Yes
  2. Target:
    • For pilot: Select Include > Select users and groups > Choose pilot group
    • For full rollout: Select All users
  3. Configure: Click to expand settings

Key restriction policy:

  • Enforce key restrictions: Yes (recommended for enterprise)
  • Restrict specific keys:
    • Allow: Only allow approved key manufacturers (recommended)
    • Block: Block specific keys known to have issues

Allowed AAGUIDs (if restricting keys):

Add the AAGUIDs for approved security keys. Common examples:

YubiKey 5 Series:
cb69481e-8ff7-4039-93ec-0a2729a154a8 (YubiKey 5 NFC)
ee882879-721c-4913-9775-3dfcce97072a (YubiKey 5C)
fa2b99dc-9e39-4257-8f92-4a30d23c4118 (YubiKey 5Ci)

Google Titan:
42b4fb4a-2866-43b2-9bf7-6c6669c2e5d3 (Titan USB-A)

Feitian:
77010bd7-212a-4fc9-b236-d2ca5e9d4084 (various models)

Note: Find AAGUIDs at https://fidoalliance.org/metadata/ or from your key vendor.

  4. Allow self-service set up: Yes (allows users to register their own keys)
  5. Click Save
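The same Step 1 configuration expressed as a Microsoft Graph PowerShell call, added here as an example (it is not part of the baseline page). It assumes the Microsoft.Graph module is installed and the signed-in account holds the Authentication Policy Administrator role; the AAGUID values are the ones listed above.

```powershell
# Added example: configure the FIDO2 security key method with key restrictions
# through Microsoft Graph instead of the portal clicks in Step 1.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"

# AAGUIDs from the allow list above; extend with values from your key vendor.
$approvedAaguids = @(
    "cb69481e-8ff7-4039-93ec-0a2729a154a8",  # YubiKey 5 NFC
    "ee882879-721c-4913-9775-3dfcce97072a",  # YubiKey 5C
    "fa2b99dc-9e39-4257-8f92-4a30d23c4118",  # YubiKey 5Ci
    "42b4fb4a-2866-43b2-9bf7-6c6669c2e5d3",  # Google Titan USB-A
    "77010bd7-212a-4fc9-b236-d2ca5e9d4084"   # Feitian (various models)
)

$fido2Config = @{
    "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    state                            = "enabled"                 # Enable: Yes
    isSelfServiceRegistrationEnabled = $true                     # Allow self-service set up: Yes
    keyRestrictions = @{
        isEnforced      = $true                                  # Enforce key restrictions: Yes
        enforcementType = "allow"                                # only listed AAGUIDs may register
        aaGuids         = $approvedAaguids
    }
    # "all_users" is the built-in all-users target. For the pilot phase put the
    # pilot group's object id here instead (e.g. "<pilot-group-object-id>").
    includeTargets = @(
        @{ targetType = "group"; id = "all_users" }
    )
}

Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "Fido2" -BodyParameter $fido2Config

# Read the policy back and confirm the restriction is in place before rollout.
$check = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "Fido2"
$check.AdditionalProperties.keyRestrictions
```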

Step 2: Enable Microsoft Authenticator Passkeys

Navigation: Entra admin center > Protection > Authentication methods > Policies

  1. Navigate to Protection > Authentication methods > Policies
  2. Click Microsoft Authenticator

Configure the following:

  1. Enable: Set to Yes
  2. Target:
    • Select All users (or specific groups for phased rollout)
  3. Configure: Click to expand settings
  4. Authentication mode:
    • Select Passwordless to enable passkey functionality
    • Or select Any to allow both push notifications and passwordless
  5. Require number matching: Enabled (required for security)
  6. Show application name: Enabled (helps users verify legitimate requests)
  7. Show geographic location: Enabled (helps detect suspicious access)
  8. Microsoft Authenticator on companion applications: Choose based on needs
  9. Click Save

Step 3: Configure Windows Hello for Business (Optional)

For organizations using Windows devices, enable Windows Hello for Business:

Cloud-Only Deployment:

Navigation: Entra admin center > Devices > Device settings

  1. Navigate to Devices > Overview > Device settings
  2. Under Azure AD Join:
    • Require Multi-Factor Authentication to register or join devices: Yes
  3. Navigate to Devices > Enrollment > Windows Hello for Business

Note: For cloud-only, Windows Hello is configured during device setup or via Intune.

For Intune-Managed Devices:

  1. Sign in to Microsoft Intune admin center
  2. Navigate to Devices > Enrollment > Windows Hello for Business
  3. Configure Windows Hello for Business: Enable
  4. Configure settings:
    • Use a Trusted Platform Module (TPM): Required
    • Minimum PIN length: 6 (or higher)
    • Use biometrics: Yes
    • Allow enhanced anti-spoofing: Yes

Step 4: Create a Pilot Group

Start with a small group before organization-wide rollout:

  1. Navigate to Identity > Groups > All groups
  2. Click New group
  3. Configure:
    • Group type: Security
    • Group name: Passwordless Pilot Users
    • Group description: Users testing FIDO2 and passkey authentication
    • Membership type: Assigned
  4. Add pilot members (recommend IT/security team first)
  5. Click Create

Step 5: Guide Users to Register Passwordless Methods

For FIDO2 Security Key Registration:

Provide these instructions to users:

  1. Go to https://aka.ms/mysecurityinfo
  2. Sign in with your work account (you'll need your current password)
  3. Click + Add sign-in method
  4. Select Security key from the dropdown
  5. Choose your key type:
    • USB device for USB security keys
    • NFC device for NFC-enabled keys
  6. Click Next
  7. Insert your security key when prompted
  8. When the key's light blinks or button lights up, touch it to confirm
  9. Create a friendly name for the key (e.g., "YubiKey Primary" or "Backup Key")
  10. Click Done

Register a backup key: Repeat the process with a second key. Store the backup securely.

For Microsoft Authenticator Passkey Registration:

  1. Ensure Microsoft Authenticator is installed and updated on your phone
  2. Go to https://aka.ms/mysecurityinfo
  3. Sign in with your work account
  4. Click + Add sign-in method
  5. Select Authenticator app
  6. If you already have Authenticator set up for MFA, select Add sign-in method and choose Passkey
  7. Follow the prompts to link your phone
  8. Enable passwordless sign-in:
    • Open Microsoft Authenticator on your phone
    • Tap your work account
    • Tap Set up phone sign-in or Enable phone sign-in
    • Follow the prompts to complete setup

Step 6: Test Passwordless Sign-In

Have pilot users test the complete flow:

FIDO2 Security Key Test:

  1. Go to https://portal.office.com or any Microsoft sign-in page
  2. Enter your email address
  3. Instead of entering a password, click Sign in with a security key or Other ways to sign in
  4. Select Security key
  5. Insert your security key
  6. Touch the key when prompted
  7. You should be signed in without entering a password

Microsoft Authenticator Test:

  1. Go to https://portal.office.com
  2. Enter your email address
  3. Click Sign in with Microsoft Authenticator or Use an app instead
  4. A number appears on screen
  5. Open Microsoft Authenticator on your phone
  6. Tap the notification and select the matching number
  7. Authenticate with biometric or PIN on your phone
  8. You should be signed in

Step 7: Roll Out to Broader Groups

After successful pilot:

  1. Return to Protection > Authentication methods > Policies
  2. For each method (FIDO2, Authenticator), update the Target to include more groups or all users
  3. Send user communications with registration instructions
  4. Offer registration assistance sessions

Phased Rollout Recommendation:

  Week | Group                    | Size
  1-2  | IT & Security            | 10-20 users
  3-4  | Early adopters           | 50-100 users
  5-6  | Department by department | 100+ users
  7+   | All remaining users      | Everyone

Step 8: Disable Weak Authentication Methods (Required)

This control requires SMS and voice call methods to be disabled tenant-wide, and push notifications to be limited to number matching. Do this only after users have registered a phishing-resistant method, or they will be locked out.

Navigation: Entra admin center > Protection > Authentication methods > Policies

  1. Click SMS > set Enable to No (or scope it out to a small exception group)
  2. Click Voice call > set Enable to No
  3. Confirm Microsoft Authenticator has Require number matching set to Enabled (configured in Step 2) so any remaining push-based MFA is number-matched
  4. Verify FIDO2 and passkey methods are enabled and adopted before enforcing

Step 9: Enforce Phishing-Resistant MFA for All Users (Required)

This is the enforcement step that satisfies ID-04. It requires an authentication-strength Conditional Access policy covering all users (not just admins).

Navigation: Entra admin center > Protection > Conditional Access > Policies

  1. Click + Create new policy
  2. Name: Require Phishing-Resistant MFA - All Users
  3. Assignments - Users:
    • Include: All users
    • Exclude: Emergency access accounts (break-glass)
  4. Assignments - Target resources:
    • All cloud apps
  5. Grant:
    • Select Grant access
    • Check Require authentication strength
    • Select Phishing-resistant MFA (built-in) or create a custom strength allowing only FIDO2, Windows Hello, and passkeys
  6. Enable policy: Start in Report-only to confirm coverage, then switch to On. Do not leave it in report-only - the control is only met when the policy is enforced.
  7. Click Create

Rollout guidance: Confirm phishing-resistant registration is high (see Step 10 monitoring) before turning the policy On, and keep break-glass accounts excluded so a misconfiguration cannot lock everyone out.
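The Step 9 policy as a Microsoft Graph PowerShell script, added as an example that is not part of the baseline page. It assumes the Microsoft.Graph module is installed, the account can write Conditional Access policies, and a break-glass group already exists (its object id is a placeholder you must replace).

```powershell
# Added example: create the all-users phishing-resistant MFA policy in
# report-only mode, excluding the break-glass group, then enforce it later.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassGroupId = "<object-id-of-break-glass-group>"   # placeholder, replace

# Look up the built-in "Phishing-resistant MFA" authentication strength by name
# rather than hard-coding its id.
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq "Phishing-resistant MFA" }
if (-not $strength) { throw "Built-in phishing-resistant strength not found" }

$policy = @{
    displayName = "Require Phishing-Resistant MFA - All Users"
    state       = "enabledForReportingButNotEnforced"        # Report-only first
    conditions  = @{
        users = @{
            includeUsers  = @("All")                          # Include: All users
            excludeGroups = @($breakGlassGroupId)             # Exclude: break-glass
        }
        applications = @{ includeApplications = @("All") }    # All cloud apps
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $strength.Id }       # Require authentication strength
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Once registration coverage is confirmed (Step 10), switch the policy to On.
# The control is not met while it stays in report-only:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = "enabled" }
```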

Step 10: Monitor Passwordless Adoption

Navigation: Entra admin center > Protection > Authentication methods > Activity

  1. Navigate to Protection > Authentication methods
  2. Click Activity
  3. Review the Registration tab:
    • Track FIDO2 key registrations
    • Track passwordless Authenticator setup
    • Identify users who haven't registered

Sign-in Logs Analysis:

  1. Navigate to Identity > Monitoring & health > Sign-in logs
  2. Add filter: Authentication method
  3. Look for entries showing:
    • FIDO2 security key
    • Microsoft Authenticator (passwordless)
    • Windows Hello for Business
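A registration-coverage check to run before switching the Step 9 policy from report-only to On, added as an example that is not part of the baseline page. It works offline on a constructed sample shaped like the Graph userRegistrationDetails report; the method names in $phishingResistant follow that report's values as the author understands them, so compare them against your tenant's output, and the commented Get-MgReportAuthenticationMethodUserRegistrationDetail line pulls live data.

```powershell
# Added example: list users who have no phishing-resistant method registered,
# i.e. those who would be locked out once the enforcement policy is turned On.
$phishingResistant = @(
    "fido2SecurityKey",
    "windowsHelloForBusiness",
    "microsoftAuthenticatorPasswordless",
    "passKeyDeviceBound",
    "passKeyDeviceBoundAuthenticator"
)

function Get-PhishingResistantCoverage {
    param([Parameter(Mandatory)] [object[]] $RegistrationDetails)

    # Users whose registered methods contain none of the phishing-resistant ones.
    $missing = foreach ($u in $RegistrationDetails) {
        $covered = @($u.MethodsRegistered | Where-Object { $phishingResistant -contains $_ })
        if ($covered.Count -eq 0) {
            [pscustomobject]@{
                User    = $u.UserPrincipalName
                Methods = ($u.MethodsRegistered -join ", ")
            }
        }
    }
    [pscustomobject]@{
        Total      = $RegistrationDetails.Count
        Covered    = $RegistrationDetails.Count - @($missing).Count
        NotCovered = @($missing)
    }
}

# Constructed sample (not real users); same property names as the live report.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = "alice@contoso.example"; MethodsRegistered = @("fido2SecurityKey", "microsoftAuthenticatorPush") }
    [pscustomobject]@{ UserPrincipalName = "bob@contoso.example";   MethodsRegistered = @("mobilePhone", "microsoftAuthenticatorPush") }
    [pscustomobject]@{ UserPrincipalName = "carol@contoso.example"; MethodsRegistered = @("windowsHelloForBusiness") }
)
# Live data instead of the sample (requires Connect-MgGraph with a reports scope):
# $sample = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$result = Get-PhishingResistantCoverage -RegistrationDetails $sample
"{0}/{1} users have a phishing-resistant method registered" -f $result.Covered, $result.Total
$result.NotCovered | Format-Table -AutoSize   # bob is the only user not covered in the sample
```

Only switch the enforcement policy to On when NotCovered is empty apart from documented exceptions such as break-glass accounts.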

Verification Checklist

After enabling passwordless authentication:

  • FIDO2 security key policy is enabled
  • Microsoft Authenticator passwordless is enabled
  • Key restrictions are configured (if using approved key list)
  • Number matching is enabled for Authenticator
  • SMS and voice call methods are disabled tenant-wide (or scoped to a documented exception group)
  • Pilot users have successfully registered and tested
  • Registration documentation is available to users
  • Backup key registration is enforced for FIDO2 users
  • Conditional Access authentication-strength policy requiring phishing-resistant MFA for all users is enabled (On, not report-only), with break-glass accounts excluded
  • Help desk is trained on passwordless troubleshooting
  • Adoption metrics are being tracked

Troubleshooting

Security Key Not Recognized

Problem: Computer doesn't detect the security key

Solutions:

  1. Try a different USB port (directly on computer, not a hub)
  2. Ensure the key is fully inserted
  3. Try a different browser (Edge or Chrome recommended)
  4. Install security key drivers if prompted
  5. Verify the key is FIDO2 certified (not just FIDO U2F)
  6. Test the key on another computer to rule out hardware failure

"This security key isn't supported" Error

Problem: Key is blocked by policy

Solutions:

  1. Check if key restrictions are enabled
  2. Verify the key's AAGUID is in the allowed list
  3. Add the key's AAGUID to the allow list if it's an approved model
  4. Contact IT if you have an unapproved key model

Authenticator Passwordless Not Working

Problem: User can't enable phone sign-in

Solutions:

  1. Verify Microsoft Authenticator is updated to latest version
  2. Ensure the phone has biometric capability enabled
  3. Check that the phone has a screen lock configured
  4. Re-add the work account in Authenticator
  5. Ensure passwordless is enabled in the authentication method policy

User Can't Register - "You don't have permission"

Problem: User is not in the target group

Solutions:

  1. Verify the user is included in the authentication method policy
  2. Check if the user is in an excluded group
  3. Verify the policy is set to allow self-service registration
  4. Wait 15-30 minutes for policy propagation

Passwordless Works in Browser But Not Desktop Apps

Problem: Older Office applications don't support passwordless

Solutions:

  1. Ensure Office is updated to current version (Microsoft 365 Apps)
  2. Verify Modern Authentication is enabled for Exchange Online
  3. Check whether the app supports WebAuthn
  4. Some legacy apps may still require password fallback

Lost or Stolen Security Key

Problem: User lost their FIDO2 security key

Immediate Actions:

  1. User should sign in using backup key or alternative method
  2. Navigate to https://aka.ms/mysecurityinfo
  3. Remove the lost key from security info
  4. If no backup method available, help desk must perform manual reset
  5. Issue replacement key and register it
  6. Consider revocation of sessions (Entra admin center > Users > User > Revoke sessions)

Prevention:

  • Require two security keys per user
  • Keep backup key in secure location (not same bag as primary)
  • Consider Microsoft Authenticator as backup method

Windows Hello for Business Errors

Problem: User can't set up Windows Hello

Solutions:

  1. Verify device is Azure AD joined or Hybrid Azure AD joined
  2. Check that TPM 2.0 is present and enabled in BIOS
  3. Verify PIN policy allows user's desired PIN
  4. Ensure camera/fingerprint reader is functional
  5. Check Event Viewer > Applications and Services > Microsoft > Windows > HelloForBusiness

Cost Considerations

Hardware Costs (FIDO2 Keys)

  Key Model      | Price Range | Features
  YubiKey 5 NFC  | $45-50      | USB-A + NFC
  YubiKey 5C     | $50-55      | USB-C
  YubiKey 5Ci    | $70-75      | USB-C + Lightning
  Google Titan   | $30-35      | USB-A/C + NFC
  Feitian ePass  | $20-25      | Budget option

Quantity Recommendations:

  • 2 keys per privileged user (primary + backup)
  • 1-2 keys per regular user
  • Spare inventory: 10% for replacements

Example Budget (500 users):

  • Privileged users (50): 100 keys x $50 = $5,000
  • Regular users (450): 450 keys x $30 = $13,500
  • Spares (50): 50 keys x $30 = $1,500
  • Total: $20,000

Licensing Costs

  Feature                         | Cost
  FIDO2 & Authenticator           | Free
  Conditional Access (to enforce) | P1 (~$6/user/month)
  Windows Hello hybrid            | P1 (~$6/user/month)

ROI Considerations

Cost Savings:

  • Reduced password reset tickets
  • Fewer account compromises (investigation costs)
  • No credential rotation needed for passwordless

Productivity Gains:

  • Faster sign-in (no typing passwords)
  • Fewer sign-in failures
  • Works offline (no network needed for local auth)

Security Value:

  • Eliminates phishing of credentials
  • No passwords to steal in breaches
  • Strongest form of user authentication

Related Controls

Additional Resources