The Conditional Access Authentication Strength feature in Azure is an additional control in your conditional access policies toolset. Organizations can now choose the right authentication method requirements for specific scenarios. For example, administrators can define a minimum level of authentication strength required for access, based on factors such as the user’s sign-in risk level or the sensitivity of the resource being accessed. Let’s explore this a little bit.
Choosing An Authentication Strength
An authentication strength includes one or more multifactor authentication (MFA) methods for user login. For example, it might include a very strong second factor (e.g. FIDO2) and a weaker factor like text messages. Administrators can require an authentication strength for access to a resource by creating a Conditional Access policy with the Require authentication strength control. They can choose from three built-in authentication strengths:
- Multifactor authentication
- Passwordless MFA
- Phishing-resistant MFA
Which authentication strength you choose depends on the requirements for your use case. For example, you might want to protect a critical application against access with a potentially phishable credential. In that case you can use the phishing-resistant MFA strength, which allows the user to authenticate using any of the following methods:
- Windows Hello For Business
- FIDO2 Security Key
- Certificate-based Authentication (Multifactor)
In addition to the three built-in authentication strengths, administrators can create their own custom authentication strengths to exactly suit their requirements. This can be useful to determine what MFA methods are allowed and approved for accessing applications within your organization. It might also be useful in situations where you are trusting guest users from other Azure AD tenants. In that case, a custom authentication strength can be used to determine which MFA methods can be used by guest users.
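As an added example (not code from the original post), the following Python builds the Microsoft Graph request bodies for a Conditional Access policy that uses the Require authentication strength control, and for a custom strength, then audits a custom strength for combinations that are not phishing-resistant. The built-in strength IDs are the ones published for Microsoft Graph (verify them in your tenant); the application ID and policy names are constructed placeholders.

```python
"""Build Conditional Access 'Require authentication strength' request bodies for
Microsoft Graph and audit a custom strength. Added example; tenant values are constructed."""
import json

# Built-in strength IDs as published for Microsoft Graph (verify in your tenant).
BUILTIN_MFA = "00000000-0000-0000-0000-000000000002"
BUILTIN_PASSWORDLESS_MFA = "00000000-0000-0000-0000-000000000003"
BUILTIN_PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"

# Graph mode names for the methods the built-in phishing-resistant strength
# accepts: Windows Hello for Business, FIDO2 and multifactor CBA.
PHISHING_RESISTANT = {"windowsHelloForBusiness", "fido2", "x509CertificateMultiFactor"}


def build_policy(name, app_ids, strength_id, report_only=True):
    """Body for POST /identity/conditionalAccess/policies requiring the given
    strength for all users on the listed apps. Defaults to report-only so the
    effect can be reviewed in sign-in logs before enforcement."""
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": list(app_ids)},
        },
        "grantControls": {"operator": "OR",
                          "authenticationStrength": {"id": strength_id}},
    }


def build_custom_strength(name, combinations):
    """Body for POST /policies/authenticationStrengthPolicies; each entry is a
    comma-joined combination such as 'fido2' or 'password,sms'."""
    return {"displayName": name, "allowedCombinations": list(combinations)}


def phishable_combinations(strength):
    """A strength is only as strong as its weakest allowed combination: return
    every combination that uses a method outside the phishing-resistant set."""
    return [combo for combo in strength["allowedCombinations"]
            if not {m.strip() for m in combo.split(",")} <= PHISHING_RESISTANT]


if __name__ == "__main__":
    # Constructed application ID for a critical app, not a real tenant value.
    policy = build_policy("CA-CriticalApp-PhishingResistant",
                          ["11111111-2222-3333-4444-555555555555"],
                          BUILTIN_PHISHING_RESISTANT_MFA)
    guest = build_custom_strength("Guest MFA", ["fido2", "password,sms"])
    print(json.dumps(policy, indent=2))
    print("phishable combinations in guest strength:", phishable_combinations(guest))
```

Running `phishable_combinations` over a custom strength before assigning it to a policy shows which allowed combinations would let a guest sign in with something weaker than the built-in phishing-resistant strength.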
Example Use Cases
Organizations are already using Conditional Access Authentication Strength in various ways, for example:
- A government agency that uses authentication strength to enforce Certificate-Based Authentication (CBA) for authenticating to any resource protected by Azure AD, while allowing other authentication methods for password reset, which is used in support of legacy on-premises applications.
- A professional services company that uses authentication strength to require their users to use FIDO2 and to gradually move away from telecom-based methods for their wide user base.
- A software company that uses authentication strength to enforce standardization of authentication methods across multiple tenants they own.