Unit 2: What is Microsoft Entra Multifactor Authentication
Why MFA Is Necessary
Many unauthorized sign-ins occur because attackers obtain valid usernames and passwords. Microsoft Entra ID provides several features to strengthen password-based authentication.
- Password complexity rules force users to create passwords that are harder to guess.
- Password expiration rules require users to change passwords periodically.
- Self-Service Password Reset lets users reset their passwords without IT involvement.
- Microsoft Entra ID Protection detects risky sign-ins and applies automated responses, such as blocking access or forcing a password reset.
- Password protection blocks common or compromised passwords.
- Smart lockout helps block attackers using brute-force password attempts.
- Application proxy allows secure remote access to on-premises web apps.
- Single Sign-On lets users sign in once and use multiple apps.
- Microsoft Entra Connect synchronizes identities across hybrid environments.
These features help protect passwords but do not prevent breaches caused by social engineering or credential theft. MFA provides an additional layer of protection beyond the password.
Definition of Multifactor Authentication
Microsoft Entra MFA requires two or more verification factors, drawn from three categories.
- Something you know, such as a password or security question.
- Something you have, such as a mobile phone, authenticator app or hardware token.
- Something you are, such as a fingerprint or facial recognition.
Even if an attacker knows a password, they cannot sign in without the second factor. Similarly, if a device is stolen, it cannot be used without the user’s password.
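An added example (not from the original unit): a Python check that applies the three-category definition to per-user registration data and lists accounts with no registered factor beyond "something you know", administrators first. The record fields follow the Microsoft Graph userRegistrationDetails report; the sample records and the method-to-category grouping are constructed assumptions.

```python
import json

# Constructed sample records, shaped like rows of the Microsoft Graph
# userRegistrationDetails report (only the three fields used here).
SAMPLE = json.loads("""[
 {"userPrincipalName": "admin1@contoso.example", "isAdmin": true,
  "methodsRegistered": []},
 {"userPrincipalName": "alice@contoso.example", "isAdmin": false,
  "methodsRegistered": ["microsoftAuthenticatorPush", "mobilePhone"]},
 {"userPrincipalName": "bob@contoso.example", "isAdmin": false,
  "methodsRegistered": ["securityQuestion"]},
 {"userPrincipalName": "admin2@contoso.example", "isAdmin": true,
  "methodsRegistered": ["fido2SecurityKey"]}
]""")

# Assumption: this grouping of method names into the three categories is
# illustrative. The password itself always counts as "know". Methods not
# listed here are treated as unclassified and surfaced for manual review.
CATEGORY = {
    "securityQuestion": "know",
    "mobilePhone": "have",
    "microsoftAuthenticatorPush": "have",
    "softwareOneTimePasscode": "have",
    "hardwareOneTimePasscode": "have",
    "fido2SecurityKey": "have",
}

def extra_categories(record):
    """Categories covered by registered methods beyond the password's 'know'."""
    methods = record.get("methodsRegistered", [])
    cats = {CATEGORY.get(m, "unclassified") for m in methods}
    return cats - {"know", "unclassified"}

def audit(records):
    """Return (upn, reason) for accounts with no registered factor outside
    'something you know'; administrators first, then alphabetical."""
    findings = []
    for r in records:
        if extra_categories(r):
            continue  # a second category is registered
        methods = r.get("methodsRegistered", [])
        reason = ("no second method registered" if not methods else
                  "only knowledge-based or unclassified methods: " + ", ".join(methods))
        findings.append((r["userPrincipalName"], r.get("isAdmin", False), reason))
    findings.sort(key=lambda f: (not f[1], f[0]))
    return [(upn, reason) for upn, _, reason in findings]

if __name__ == "__main__":
    for upn, reason in audit(SAMPLE):
        print(f"{upn}: {reason}")
```

The check reports on registration only; whether MFA is actually required at sign-in depends on the tenant's policy, such as security defaults.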
Availability of MFA
MFA is included in several Microsoft offerings.
- Microsoft Entra ID P1, P2 and Microsoft 365 Business.
- Microsoft Entra ID Free through security defaults.
Security defaults automatically require MFA for most users and administrators.