Authentication Methods and MFA

Source: Azure Master Class v3 - Part 2 - Identity by John Savill
Timestamps: 01:04:00 - 01:36:00

Authentication vs Authorization

📺 Video Reference: 01:04:07

These are very different things that often get confused:

Concept	Question	Example
Authentication (AuthN)	Who are you?	Password, biometric, certificate
Authorization (AuthZ)	What can you do?	Roles, permissions, scopes

Authentication Proof Types

Type	Examples	Security Level
Something you know	Password, PIN, gesture	⭐
Something you have	Phone, token, smart card	⭐⭐
Something you are	Fingerprint, face, retina	⭐⭐⭐

Hybrid Authentication Options

📺 Video Reference: 01:05:54

When you have on-premises Active Directory synchronized to Entra, you have several authentication options:

Option 1: Password Hash Synchronization (PHS)

📺 Video Reference: 01:06:58

Recommended approach for most organizations.

Step	Description
1	Take password hash from AD
2	Hash the hash with per-user salt
3	Run 1000+ hashing iterations
4	Store in Entra (cannot be reversed)

Benefits:

✅ Pure cloud authentication—no on-prem dependency
✅ Enables leaked credential detection (dark web scanning)
✅ Works as failback if other methods fail
✅ Fastest, simplest authentication

Always Enable PHS

Even if using another method, enable PHS for:

Leaked credential detection
Break-glass failback authentication
Disaster recovery scenarios

Option 2: Pass-Through Authentication (PTA)

📺 Video Reference: 01:09:42

Authentication is validated against on-premises AD in real-time.

Use cases:

Zero-delay account blocking requirement
On-prem password policies (time windows, complexity)
Regulatory requirements for on-prem validation

Considerations:

⚠️ Requires connectivity to on-prem
⚠️ More complex than PHS
⚠️ Dependent on agent availability

Option 3: Federation (ADFS)

📺 Video Reference: 01:11:35

Complete redirect to external identity provider for authentication.

Use cases:

Advanced authentication requirements not in Entra
Third-party MFA solutions
Legacy regulatory requirements

Why it's declining:

❌ Infrastructure overhead (ADFS servers)
❌ Certificate management
❌ Public-facing components to protect
❌ Entra now has most features natively

Avoid Federation If Possible

Most organizations are moving away from federation. Entra's conditional access and MFA capabilities have made it largely unnecessary.

Comparison Table

Feature	PHS	PTA	Federation
Auth happens at	Entra	On-prem DC	External IDP
On-prem dependency	❌	✅	✅
Complexity	Low	Medium	High
Infrastructure	None	PTA agents	ADFS servers
Leaked credential detection	✅	❌	❌
Recommendation	⭐⭐⭐	⭐⭐	⭐

Multi-Factor Authentication (MFA)

📺 Video Reference: 01:36:59

The Problem with Passwords Alone

Passwords on their own are bad. They make us sad. 😢

Even with protections like:

Smart lockout (protects from lockout attacks)
Banned password list
Custom banned passwords
On-prem password protection agent

...passwords alone are insufficient.

MFA = Two or More Factors

Factor	Examples
Something you know	Password, PIN
Something you have	Phone, token, smart card
Something you are	Fingerprint, face, iris

MFA = Using two or more of these categories.

MFA Blocks 99.2% of Attacks

Basic MFA is incredibly effective against common attacks.

Authentication Strength Spectrum

📺 Video Reference: 01:42:31

From weakest to strongest:

Level 1: Password Only 😢

No MFA
Highly vulnerable
Don't do this

Level 2: Password + SMS/Phone Call 🤔

Better than password alone
Vulnerabilities:
- SIM cloning attacks
- SIM swapping
- Targeted attacks

Level 3: Password + Authenticator App 😊

TOTP (Time-based One-Time Password)
Push notifications with number matching
Shows app name and location

Authenticator App Features:

Feature	Description
Number matching	User must type the displayed number
App name	Shows which application is requesting
Location	Shows geographic location of request
Token broker	Single sign-on across apps on device

Level 4: Passwordless 🎉

📺 Video Reference: 01:45:03

No password required! Authentication via:

Method	How It Works
Windows Hello for Business	TPM + PIN/biometric
Microsoft Authenticator	Phone possession + biometric/PIN
FIDO2 Security Keys	Physical key + PIN/biometric
Certificate-based auth	Smart card + PIN

Why Is Passwordless Still MFA?

Hello for Business: "Something you have" (TPM) + "Something you know/are" (PIN/biometric)
Passkey: "Something you have" (device) + "Something you know/are" (unlock)

Level 5: Phishing Resistant 🚀

The gold standard. Cannot be tricked by attackers.

Method	Phishing Resistant?	Why
SMS/Phone	❌	Can be socially engineered
TOTP code	❌	Can be intercepted
Authenticator push	❌	MFA fatigue, social engineering
Windows Hello	✅	Bound to device TPM
FIDO2/Passkeys	✅	Requires physical proximity
Certificate auth	✅	Bound to physical smart card

Authenticator App Vulnerability

Even with number matching, an attacker can call you:

"Hi, I'm from IT. We detected unusual activity. I'm sending a test—please type 73."

You've just authenticated the attacker. Passkeys prevent this because they require physical proximity.

Entra Authentication Strengths

📺 Video Reference: 01:50:00

Entra provides built-in authentication strength definitions:

Strength	Included Methods
MFA	All MFA methods
Passwordless MFA	Hello, Passkeys, Cert, Authenticator
Phishing-resistant MFA	Hello, Passkeys, Cert (NOT Authenticator)

You can create custom authentication strengths combining specific methods.

Using Authentication Strength in Conditional Access

Mandatory MFA Rollout (2024+)

📺 Video Reference: 01:51:51

Microsoft is rolling out mandatory MFA across all services:

Phase	Services
Phase 1	Azure Portal, Entra Admin Center
Phase 2	PowerShell, CLI, IaC tools
Phase 3	All administrative access

Automation Breaking Change

If you used user accounts for automations (bad practice), you're now stuck. Automations cannot perform MFA.

Solution: Migrate to service principals or managed identities immediately.

Securing MFA Registration

📺 Video Reference: 01:53:00

The Chicken and Egg Problem

To register for strong authentication, I must authenticate first—but I'm using weak authentication to set up strong authentication! 🤔

Solution 1: Temporary Access Pass (TAP)

📺 Video Reference: 01:54:16

A time-limited, one-time use code for initial authentication.

Property	Configuration
Maximum lifetime	1-24 hours
One-time use	Optional
Character length	8+ characters

Workflow:

Admin creates TAP for new user
Share TAP via secure channel (phone call, in-person)
User authenticates with TAP
User sets up passwordless authentication
TAP expires/consumed

Passwordless Onboarding

For organizations going fully passwordless:

Set random password (user never knows it)
Create TAP
User onboards directly to passkey
User never uses a password

Solution 2: Conditional Access for Registration

Create a policy targeting user actions → Register security information:

Condition	Requirement
Action	Register security information
Location	Corporate network only
Device	Compliant device required

This ensures initial MFA setup only happens from trusted locations/devices.

Password Protection

📺 Video Reference: 01:39:36

Even for passwords, Entra provides protection:

Smart Lockout

Protects genuine users from being locked out by attackers
Distinguishes between legitimate user and attacker
Escalating lockout periods

Banned Password List

Microsoft global banned list
Custom banned passwords for your org
Applies to derived variations (p@ssw0rd → password)

On-Premises Agent

Install agent on DCs to enforce banned passwords for on-prem AD too.

Self-Service Password Reset (SSPR)

Registered users can reset their own passwords at:

https://aka.ms/sspr

Requires prior registration of authentication methods.

Quick Reference

Authentication Method Comparison

Method	Security	User Experience	Phishing Resistant
Password only	⭐	Easy	❌
Password + SMS	⭐⭐	Easy	❌
Password + Authenticator	⭐⭐⭐	Good	❌
Passwordless (Authenticator)	⭐⭐⭐⭐	Great	❌
Windows Hello	⭐⭐⭐⭐⭐	Great	✅
FIDO2/Passkeys	⭐⭐⭐⭐⭐	Great	✅

Recommendation Priority

Best: Phishing-resistant (Hello, Passkeys, Certificate)
Good: Passwordless Authenticator
Acceptable: Password + Authenticator
Avoid: Password + SMS
Never: Password only

Labs

Extras

Authentication Methods and MFA ​

Authentication vs Authorization ​

Authentication Proof Types ​

Hybrid Authentication Options ​

Option 1: Password Hash Synchronization (PHS) ​

Option 2: Pass-Through Authentication (PTA) ​

Option 3: Federation (ADFS) ​

Comparison Table ​

Multi-Factor Authentication (MFA) ​

The Problem with Passwords Alone ​

MFA = Two or More Factors ​

MFA Blocks 99.2% of Attacks ​

Authentication Strength Spectrum ​

Level 1: Password Only 😢 ​

Level 2: Password + SMS/Phone Call 🤔 ​

Level 3: Password + Authenticator App 😊 ​

Level 4: Passwordless 🎉 ​

Level 5: Phishing Resistant 🚀 ​

Entra Authentication Strengths ​

Using Authentication Strength in Conditional Access ​

Mandatory MFA Rollout (2024+) ​

Securing MFA Registration ​

The Chicken and Egg Problem ​

Solution 1: Temporary Access Pass (TAP) ​

Solution 2: Conditional Access for Registration ​

Password Protection ​

Smart Lockout ​

Banned Password List ​

On-Premises Agent ​

Self-Service Password Reset (SSPR) ​

Quick Reference ​

Authentication Method Comparison ​

Recommendation Priority ​

Further Reading ​