PA-06: Require FIDO2 Security Keys for Administrators
Frequently asked questions about implementing and managing the PA-06 security control in Microsoft 365 and Entra ID.
Q: What is PA-06 (Require FIDO2 Security Keys for Administrators)?
PA-06 is a security control based on the fact that hardware security keys provide the highest authentication assurance. Unlike software-based MFA, keys cannot be phished, cloned, or remotely compromised. Level 3 mandates this protection for all admin access. It requires that all users with privileged roles have registered FIDO2 security keys, that each admin has at least 2 keys registered (primary + backup), and that PIM activation requires FIDO2 authentication.
Q: Why is Require FIDO2 Security Keys for Administrators important for Microsoft 365 security?
Hardware security keys provide the highest authentication assurance. Unlike software-based MFA, keys cannot be phished, cloned, or remotely compromised. Level 3 mandates this protection for all admin access.
Q: How do I implement PA-06 in my tenant?
PA-06 requires manual implementation: hardware security keys must be procured and registered.
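A check of the registration requirements once keys have been enrolled, as an added example (not code from this page or from Microsoft). It assumes each privileged user's authentication methods were exported from Microsoft Graph into the record shape shown; the users, roles and the `roles`/`methods` wrapper fields are constructed, and the PIM activation requirement is not covered.

```python
"""Audit PA-06 key registration from exported authentication-method data."""

# Type string Microsoft Graph uses for a registered FIDO2 security key.
FIDO2_TYPE = "#microsoft.graph.fido2AuthenticationMethod"
REQUIRED_KEYS = 2  # primary + backup, as PA-06 requires

# Constructed sample input: one record per user holding a privileged role.
SAMPLE_ADMINS = [
    {"userPrincipalName": "alice@contoso.example",
     "roles": ["Global Administrator"],
     "methods": [
         {"@odata.type": FIDO2_TYPE, "displayName": "primary key"},
         {"@odata.type": FIDO2_TYPE, "displayName": "backup key"}]},
    {"userPrincipalName": "bob@contoso.example",
     "roles": ["Exchange Administrator"],
     "methods": [
         {"@odata.type": FIDO2_TYPE, "displayName": "only key"},
         {"@odata.type": "#microsoft.graph.phoneAuthenticationMethod"}]},
    {"userPrincipalName": "carol@contoso.example",
     "roles": ["Security Administrator"],
     "methods": [
         {"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"}]},
]

def audit_pa06(admins, required=REQUIRED_KEYS):
    """Return one finding per admin: key count, status, other methods."""
    findings = []
    for admin in admins:
        methods = admin.get("methods", [])
        keys = [m for m in methods if m.get("@odata.type") == FIDO2_TYPE]
        if len(keys) >= required:
            status = "compliant"
        elif keys:
            status = "no_backup_key"   # one key only: lockout risk, fails PA-06
        else:
            status = "no_fido2_key"    # relies on non-FIDO2 methods only
        findings.append({
            "user": admin["userPrincipalName"],
            "fido2_keys": len(keys),
            "status": status,
            # Non-FIDO2 methods still registered, listed for reviewer follow-up.
            "other_methods": sorted(m.get("@odata.type", "unknown")
                                    for m in methods if m not in keys),
        })
    return findings

if __name__ == "__main__":
    for f in audit_pa06(SAMPLE_ADMINS):
        print(f"{f['user']:28} keys={f['fido2_keys']} {f['status']}")
```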
Q: What license do I need for PA-06?
This control requires Azure AD Premium P2 (included in Microsoft 365 E5) or standalone P2.
Q: Which security baseline includes PA-06?
PA-06 is included in the Maximum Security baseline (Level 3). This level is designed for high-security environments and regulated industries.
Q: Why is PA-06 marked as critical severity?
PA-06 is rated critical because failure to implement this control significantly increases the risk of security incidents. Hardware security keys provide the highest authentication assurance. Unlike software-based MFA, keys cannot be phished, cloned, or remotely compromised. Level 3 mandates this protection for all admin access.