Domain 2 of 4 · Chapter 2 of 4

Authentication and MFA

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Microsoft Certified: Security, Compliance, and Identity Fundamentals premium course — no separate purchase.

14-day money-back guarantee — no questions asked.

Included in this chapter:

  • Authentication and the three factors
  • The authentication method catalog
  • Self-service password reset (SSPR)
  • Password protection and smart lockout

Authentication methods by factor category and phishing resistance

MethodFactor categoryPhishing-resistantTypical role
PasswordSomething you knowNoPrimary factor, the one to protect
SMS or voice callSomething you haveNoSecond factor or SSPR, low assurance
OATH hardware or software tokenSomething you haveNoSecond factor, offline TOTP code
Microsoft Authenticator pushSomething you haveNoSecond factor, broad low-friction rollout
Windows Hello for BusinessHave plus are or knowYesPasswordless primary on a Windows device
FIDO2 security key or passkeyHave plus are or knowYesPasswordless, phishing-resistant sign-in
Certificate-based authenticationSomething you haveYesPrimary or MFA in PKI environments

Decision tree

Phishing-resistant sign-in required? Dedicated Windows PC? Broad, low-friction MFA? Yes No Windows Hello for Business FIDO2 key or passkey Yes No Microsoft Authenticator push Need an offline code? Yes No OATH token (TOTP) SMS or voice (last resort) Yes No

Cheat sheet

  • MFA needs two different factor categories, not two secrets
  • Passwordless methods already meet the MFA bar in one step
  • Phishing-resistant names a specific subset of MFA methods
  • Microsoft Authenticator works in three distinct modes
  • OATH tokens generate a rotating time-based passcode
  • Certificate-based authentication validates an X.509 certificate
  • Entra defines the methods; Conditional Access enforces when MFA is required
  • SSPR lets users reset or unlock their own password
  • SSPR requires one or two methods, set by the admin
  • SSPR to on-prem AD needs Entra Connect password writeback
  • The global banned password list is always on and cannot be disabled
  • The custom banned list adds org terms and needs P1 or P2
  • On-prem password protection extends the banned lists to AD DS
  • Smart lockout is always on and defaults to 10 failed attempts
  • Password protection blocks at set-time; smart lockout at sign-in
  • Azure AD Multi-Factor Authentication is now Entra multifactor authentication
  • An authentication method proves identity, it never grants access
  • A Temporary Access Pass lets a credential-less user sign in to set up passwordless methods
  • Combined registration signs users up for MFA and SSPR in one step

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. Microsoft Entra authentication overview
  2. How it works: Microsoft Entra multifactor authentication
  3. Authentication methods in Microsoft Entra ID - Microsoft Authenticator
  4. Authentication methods in Microsoft Entra ID - passkeys (FIDO2)
  5. How it works: Microsoft Entra self-service password reset
  6. How self-service password reset writeback works in Microsoft Entra ID
  7. Eliminate bad passwords using Microsoft Entra Password Protection
  8. Enforce on-premises Microsoft Entra Password Protection for Active Directory Domain Services
  9. Protect user accounts from attacks with Microsoft Entra smart lockout