Unit 5: Configure Multifactor Authentication Methods

Registration Process

When users sign into an application that requires MFA for the first time, they must register a verification method. This registration flow ensures the user selects a method they can access consistently. For every sign-in that requires MFA, users must complete verification using their registered method.

Authentication Methods and Service Support

Authentication Methods and Service Support

Why Some Methods Are SSPR‑Only: These methods are not strong enough or not secure enough to be used as MFA during sign-in. They are only meant to help a user recover their password — not to secure access to resources.

Authentication Method	MFA	SSPR	Reason
Password	✔️	✔️	Primary credential used in both flows.
Security Questions	❌	✔️	Weak, knowledge‑based; not secure enough for MFA.
Email Address	❌	✔️	Email can be compromised; not a strong second factor.
Windows Hello for Business	✔️	✔️	TPM‑backed keys and biometrics; strong authentication.
FIDO2 Security Key	✔️	✔️	Phishing‑resistant hardware key.
Microsoft Authenticator App	✔️	✔️	Strong possession factor; supports push and OTP.
OATH Hardware Token	✔️	✔️	TOTP codes; secure one‑time passwords.
OATH Software Token	✔️	✔️	App‑based TOTP; strong enough for MFA.
Text Message (SMS)	✔️	✔️	Accepted possession factor; widely supported.
Voice Call	✔️	✔️	Phone‑based verification; similar to SMS.
App Passwords	✔️ (limited)	❌	Legacy workaround for non‑modern auth apps.

Method Details

Security Questions

Available only for non-admin accounts using SSPR.
Stored securely in Microsoft Entra ID.
Administrators cannot view or change answers.
Up to 35 predefined questions, or custom questions up to 200 characters.

Windows Hello for Business

Uses biometrics or a PIN tied to a specific device.
Provides a passwordless sign-in experience.

FIDO2 Security Keys

Hardware devices that use open standards for secure authentication.
Support USB, NFC or Bluetooth.
Provide single sign-on to supported Windows and cloud resources.

Microsoft Authenticator App

Supports push notifications and OATH verification codes.
Works on iOS and Android.
Can block unauthorized sign-ins by requiring approval.

OATH Tokens

Used to generate one-time passwords.
Supported in both hardware and software form.

OATH Hardware Tokens

Use OATH-TOTP (SHA-1).
Support 30-second or 60-second one-time codes.
Users can purchase tokens from any compatible vendor.
Secret keys must be 128 characters or fewer.
Some tokens may not be compatible if keys exceed this limit.

OATH Software Tokens

Usually authenticator apps like Microsoft Authenticator or third-party OATH apps.
Secret key (seed) is generated by Microsoft Entra ID.
Seed is entered into the app to generate the OTP.

Text Message and Voice Call

Provide a temporary code or call for verification.
Voice call is unavailable for free or trial tenants.

App Passwords

Used only for apps that cannot perform modern authentication.
Provide a workaround to allow MFA-enabled users to sign in.

Monitoring MFA and SSPR Adoption

Microsoft Entra ID provides monitoring through Usage and Insights. Administrators can track:

MFA registration rates.
Methods users select.
Registration successes and failures.
Adoption trends over the last 30 days.

This information helps identify training needs or problematic authentication methods.

SC‑300 Study Portal Path 3

Unit 5: Configure Multifactor Authentication Methods