How to Fix: Require Phishing-Resistant MFA for All Users
Step-by-step guide to implement require phishing-resistant mfa for all users in your Microsoft 365 environment.
5-10 minutes
Estimated Time
4
Steps
critical
Severity
Maximum Security
Baseline Level
Why This Matters
Phishing attacks can bypass traditional MFA. At Level 3, the entire organization uses authentication methods that cryptographically prove user presence, eliminating MFA bypass attacks entirely.
Prerequisites
- 1Global Administrator or appropriate admin role in Microsoft Entra ID
- 2Access to Microsoft Entra admin center (entra.microsoft.com)
- 3Microsoft Entra ID P1 or higher license
Expected Configuration
- All users must use phishing-resistant MFA (FIDO2, Windows Hello, passkeys)
- SMS and voice call authentication methods are disabled tenant-wide
- Push notification MFA is disabled or only allowed with number matching
Remediation Steps
Assess Current Identity Configuration
Review your current identity settings in Microsoft Entra ID.
- •Navigate to Microsoft Entra admin center
- •Go to Identity > Users or relevant section
- •Review current configuration
Plan Required Changes
Determine what modifications are needed.
- •Compare current state to expected configuration
- •Identify affected users or groups
- •Plan rollout strategy
Apply Configuration
Implement the required identity configuration changes.
- •Update relevant settings
- •Configure policies as needed
- •Apply changes to affected scope
Validate Changes
Confirm the configuration meets requirements.
- •Run TrueConfig scan
- •Verify expected behavior
- •Monitor for any issues
Auto-Remediation Available
TrueConfig can automatically fix this control for you. Enable auto-remediation to have this configuration applied and maintained automatically.
Learn about auto-remediationRelated Resources
Automate Your Security Configuration
TrueConfig continuously monitors your Microsoft 365 environment and can automatically fix configuration drift. Start your free trial today.
Start Free Trial