PA-05 FAQ

Question 1

What is PA-05 (Require Phishing-Resistant MFA for Admins)?

Accepted Answer

PA-05 is a security control that traditional mfa (push notifications, sms) can be bypassed through social engineering and mfa fatigue attacks. phishing-resistant methods like fido2 keys cannot be phished because they require physical presence and cryptographic proof. It requires that all users with privileged roles have registered phishing-resistant mfa and fido2 security keys, windows hello for business, or device-bound passkeys required, sms and voice call mfa methods are blocked for admin accounts.

Question 2

Why is Require Phishing-Resistant MFA for Admins important for Microsoft 365 security?

Accepted Answer

Traditional MFA (push notifications, SMS) can be bypassed through social engineering and MFA fatigue attacks. Phishing-resistant methods like FIDO2 keys cannot be phished because they require physical presence and cryptographic proof.

Question 3

How do I implement PA-05 in my tenant?

Accepted Answer

Creates Conditional Access policy requiring FIDO2/Windows Hello for privileged roles

Question 4

What license do I need for PA-05?

Accepted Answer

This control requires Azure AD Premium P1 (included in Microsoft 365 E3) or higher.

Question 5

Which security baseline includes PA-05?

Accepted Answer

PA-05 is included in the Enhanced Security baseline (Level 2). This level adds stricter controls for security-conscious organizations.

Question 6

Why is PA-05 marked as critical severity?

Accepted Answer

PA-05 is rated critical because failure to implement this control significantly increases the risk of security incidents. Traditional MFA (push notifications, SMS) can be bypassed through social engineering and MFA fatigue attacks. Phishing-resistant methods like FIDO2 keys cannot be phished because they require physical presence and cryptographic proof.

PA-05: Require Phishing-Resistant MFA for Admins

Related Resources

Still have questions?