Authentication Methods in Microsoft Entra ID
Authentication Methods in Microsoft Entra ID are the various ways users can verify their identity when accessing resources and applications protected by Microsoft Entra (formerly Azure Active Directory). These methods form the foundation of secure identity management and support Microsoft's Zero Trust security model.
**Passwords** remain the most basic authentication method, but Microsoft Entra encourages moving beyond passwords due to their vulnerability to attacks like phishing and brute force.
**Multi-Factor Authentication (MFA)** significantly enhances security by requiring two or more verification factors: something you know (password), something you have (phone or hardware token), or something you are (biometrics). Microsoft Entra supports several MFA methods:
1. **Microsoft Authenticator App** – Enables push notifications, biometric verification, or one-time passcodes on a mobile device. It also supports passwordless sign-in.
2. **Windows Hello for Business** – Provides passwordless authentication using biometrics (facial recognition or fingerprint) or a PIN tied to a specific device.
3. **FIDO2 Security Keys** – Hardware-based passwordless authentication using physical security keys, offering strong phishing-resistant protection.
4. **SMS and Voice Verification** – Users receive a code via text message or an automated phone call to verify their identity as a secondary factor.
5. **Email OTP (One-Time Passcode)** – A temporary code sent to a registered email address for verification.
6. **Certificate-Based Authentication** – Uses X.509 certificates for authentication, commonly used in enterprise environments.
7. **Temporary Access Pass** – A time-limited passcode issued by administrators for onboarding or recovery scenarios.
Microsoft Entra ID also supports **Self-Service Password Reset (SSPR)**, allowing users to reset their passwords independently using registered authentication methods. Administrators can configure **Authentication Strengths** policies to enforce specific combinations of methods based on risk levels and compliance requirements. The platform encourages **passwordless authentication** as the most secure and user-friendly approach, reducing reliance on traditional passwords while maintaining strong security postures across the organization.
Authentication Methods in Microsoft Entra ID – A Complete Guide for SC-900
Why Authentication Methods in Microsoft Entra ID Matter
Authentication is the cornerstone of identity security. Before any user can access resources protected by Microsoft Entra ID (formerly Azure Active Directory), they must prove their identity. The method by which they do so directly impacts both security posture and user experience. Weak or outdated authentication methods—such as simple passwords—are responsible for the vast majority of identity-based breaches. Understanding the various authentication methods available in Microsoft Entra ID is essential not only for the SC-900 exam but also for building a robust Zero Trust security strategy.
What Are Authentication Methods in Microsoft Entra ID?
Authentication methods are the mechanisms that Microsoft Entra ID uses to verify a user's identity when they attempt to sign in or perform a sensitive action. These methods range from traditional passwords to modern, passwordless technologies. Microsoft Entra ID supports multiple authentication methods that can be used for:
• Primary authentication – the initial sign-in (e.g., entering a password or using a passwordless method)
• Multi-factor authentication (MFA) – an additional verification step beyond the primary method
• Self-service password reset (SSPR) – allowing users to reset their own passwords securely
The Key Authentication Methods
1. Passwords
The most traditional method. A user provides a username and password. While widely used, passwords alone are considered the least secure method because they are vulnerable to phishing, brute force, and credential stuffing attacks. Microsoft encourages organizations to move toward passwordless authentication.
2. Microsoft Authenticator App
The Microsoft Authenticator app can be used for both MFA and passwordless sign-in. For MFA, it can provide push notifications (approve/deny) or time-based one-time passcodes (TOTP). For passwordless authentication, users receive a number-matching prompt on their phone, which they approve using biometrics or a PIN. It is one of the methods Microsoft recommends most.
3. Windows Hello for Business
A passwordless authentication method that replaces passwords with strong two-factor authentication on Windows devices. It uses biometrics (fingerprint, facial recognition) or a PIN tied to the device. The credential is bound to the device and cannot be used elsewhere, making it highly resistant to phishing.
4. FIDO2 Security Keys
FIDO2 (Fast Identity Online 2) security keys are external hardware devices (such as USB keys or NFC-enabled devices) that provide passwordless, phishing-resistant authentication. Users authenticate by inserting or tapping the key and providing a biometric or PIN. FIDO2 keys are standards-based and work across platforms and browsers.
5. Certificate-based Authentication
Microsoft Entra certificate-based authentication (CBA) allows users to authenticate using X.509 certificates on smart cards or devices directly against Microsoft Entra ID. This is particularly useful for organizations with existing PKI (Public Key Infrastructure) deployments and is considered phishing-resistant.
6. SMS-based Authentication
A user receives a text message with a verification code on their registered phone number. SMS can be used as a second factor for MFA or for SSPR. While convenient, SMS is considered less secure than app-based or hardware-based methods because SMS messages can be intercepted (SIM-swapping attacks).
7. Voice Call Verification
A phone call is placed to the user's registered number, and they press a key (e.g., #) to verify their identity. Like SMS, it is used as a secondary factor and is considered less secure than modern methods.
8. Email OTP (One-Time Passcode)
A one-time passcode is sent to the user's email address. This is commonly used for B2B guest users and for SSPR scenarios.
9. Security Questions
Used only for self-service password reset (SSPR), not for sign-in authentication. Users answer predefined questions. This is the weakest verification method and is not recommended as a standalone option.
10. Temporary Access Pass (TAP)
A time-limited passcode issued by an administrator that allows a user to sign in without a password. TAP is especially useful for onboarding users to passwordless methods—for example, giving a new employee a TAP so they can register Windows Hello for Business or a FIDO2 key on their first sign-in.
11. OATH Tokens (Hardware and Software)
OATH (Open Authentication) TOTP tokens generate time-based one-time passwords. Software OATH tokens are apps like Microsoft Authenticator or third-party authenticator apps. Hardware OATH tokens are physical devices that display a rotating code. These are used as a second factor for MFA.
How Authentication Methods Work in Microsoft Entra ID
When a user attempts to sign in to a resource protected by Microsoft Entra ID, the following general process occurs:
1. The user initiates a sign-in request (e.g., navigating to a web app or Microsoft 365 portal).
2. Microsoft Entra ID evaluates the sign-in and determines which authentication methods are required. This is influenced by Conditional Access policies, authentication strengths, and the organization's authentication methods policy.
3. The user provides their primary credential (password, passwordless method, etc.).
4. If MFA is required (due to Conditional Access or per-user MFA settings), the user is prompted for a second factor (e.g., Authenticator push notification, SMS code, FIDO2 key).
5. Microsoft Entra ID validates all factors and either grants or denies access.
Authentication Methods Policy
Administrators manage which authentication methods are available to users through the Authentication methods policy in the Microsoft Entra admin center. This policy allows admins to enable or disable specific methods, target them to specific groups of users, and configure method-specific settings.
Authentication Strength
Authentication strength is a Conditional Access control that allows administrators to specify which combinations of authentication methods are acceptable for accessing a resource. For example, an admin can require phishing-resistant MFA (Windows Hello for Business, FIDO2, or certificate-based authentication) for accessing highly sensitive applications. Built-in authentication strengths include:
• MFA strength – any valid MFA combination
• Passwordless MFA strength – passwordless methods that also satisfy MFA
• Phishing-resistant MFA strength – only methods that are resistant to phishing (FIDO2, Windows Hello for Business, certificate-based authentication)
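The sign-in flow above (steps 2 to 5) and the three built-in authentication strengths, as an added example that is not Microsoft's or the page's own code: a small policy model that decides grant or deny from the factors a user actually presented. The Method labels and strength names are constructed for the example, not Entra identifiers.

```python
from enum import Enum


class Method(Enum):
    PASSWORD = "password"
    AUTH_PUSH = "Microsoft Authenticator push"
    AUTH_TOTP = "Microsoft Authenticator TOTP"
    AUTH_PASSWORDLESS = "Microsoft Authenticator passwordless"
    SMS = "SMS code"
    VOICE = "voice call"
    OATH = "OATH token"
    HELLO = "Windows Hello for Business"
    FIDO2 = "FIDO2 security key"
    CBA = "certificate-based authentication"
    SECURITY_QUESTIONS = "security questions"  # SSPR only, never a sign-in factor

# Categories as the page lists them; the remaining methods are second factors that only count with a password.
PHISHING_RESISTANT = {Method.HELLO, Method.FIDO2, Method.CBA}
PASSWORDLESS_MFA = PHISHING_RESISTANT | {Method.AUTH_PASSWORDLESS}
SECOND_FACTORS = {Method.AUTH_PUSH, Method.AUTH_TOTP, Method.SMS, Method.VOICE, Method.OATH}

# Which combinations each built-in strength accepts (ordered weakest to strongest).
STRENGTHS = {
    "MFA": lambda m: bool(m & PASSWORDLESS_MFA) or (Method.PASSWORD in m and bool(m & SECOND_FACTORS)),
    "Passwordless MFA": lambda m: bool(m & PASSWORDLESS_MFA),
    "Phishing-resistant MFA": lambda m: bool(m & PHISHING_RESISTANT),
}

def evaluate_sign_in(presented: set, required_strength: str) -> tuple:
    """Step 5 of the flow: grant only if the presented factors satisfy the required strength."""
    if required_strength not in STRENGTHS:
        raise ValueError(f"unknown authentication strength: {required_strength}")
    usable = presented - {Method.SECURITY_QUESTIONS}  # SSPR-only methods are ignored at sign-in
    names = sorted(m.value for m in usable)
    if not usable:
        return ("deny", "no sign-in factor presented")
    if STRENGTHS[required_strength](usable):
        return ("grant", f"{required_strength} satisfied by {names}")
    return ("deny", f"{required_strength} not satisfied by {names}")

def strongest_strength_met(presented: set) -> str:
    """The strongest built-in strength the factors meet, or 'none' (e.g. a password alone)."""
    usable = presented - {Method.SECURITY_QUESTIONS}
    best = "none"
    for name, accepts in STRENGTHS.items():  # dict order runs weakest to strongest
        if accepts(usable):
            best = name
    return best
```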
Combined Registration
Microsoft Entra ID provides a combined registration experience where users can register methods for both MFA and SSPR in one place. This simplifies the user experience and ensures users have methods registered for multiple scenarios.
How to Categorize Methods for the Exam
It helps to categorize methods by their security level:
Phishing-Resistant (Strongest):
• Windows Hello for Business
• FIDO2 Security Keys
• Certificate-based Authentication
Passwordless (Strong):
• Microsoft Authenticator (passwordless mode)
• Windows Hello for Business
• FIDO2 Security Keys
Multi-Factor (Good):
• Microsoft Authenticator (push/TOTP)
• OATH tokens
• SMS + password
• Voice call + password
Single-Factor / Weakest:
• Password only
• Security questions (SSPR only)
Exam Tips: Answering Questions on Authentication Methods in Microsoft Entra ID
1. Know the three passwordless methods: The SC-900 exam frequently asks about passwordless authentication. Remember the big three: Windows Hello for Business, FIDO2 security keys, and Microsoft Authenticator (passwordless mode).
2. Understand phishing-resistant vs. non-phishing-resistant: Questions may ask which methods are phishing-resistant. The answer is always: Windows Hello for Business, FIDO2 security keys, and certificate-based authentication. SMS and voice are not phishing-resistant.
3. Remember that SMS and voice are the weakest MFA methods: If a question asks which method is least recommended or least secure for MFA, the answer is typically SMS or voice call verification.
4. Security questions are only for SSPR: Security questions cannot be used for sign-in authentication or MFA. They are exclusively available for self-service password reset. If a question mentions using security questions for MFA, that option is incorrect.
5. Temporary Access Pass (TAP) is for onboarding: If a question describes a scenario where a new employee needs to register a passwordless method for the first time, TAP is the likely answer.
6. Authentication strength is a Conditional Access control: If a question asks how to enforce specific types of MFA (e.g., require phishing-resistant authentication for admins), the answer involves configuring authentication strength within a Conditional Access policy.
7. Microsoft Authenticator is versatile: It supports push notifications (MFA), TOTP codes (MFA), and passwordless sign-in. Understand the different modes it can operate in.
8. Distinguish between primary and secondary authentication: Primary authentication proves your identity initially (password, passwordless). Secondary authentication is the additional factor in MFA. Some methods serve both roles (e.g., Microsoft Authenticator can be primary in passwordless mode or secondary for MFA push).
9. FIDO2 is hardware-based and standards-based: If a question describes an external device for passwordless sign-in that works across platforms, FIDO2 security key is the answer. Do not confuse it with OATH hardware tokens, which generate one-time codes for MFA.
10. Know combined registration: Microsoft Entra ID uses a combined registration portal for MFA and SSPR. If asked how users register authentication methods, remember this unified experience.
11. Read scenarios carefully: Exam questions often present a scenario and ask you to choose the best authentication method. Focus on key clues: Does the question mention 'passwordless'? 'Phishing-resistant'? 'Hardware device'? 'Mobile phone'? 'First-time setup'? These clues point you to the right answer.
12. Understand the relationship with Zero Trust: Authentication methods are a foundational element of the Zero Trust model's principle of verify explicitly. Stronger authentication methods better align with Zero Trust. The exam may frame questions around this concept.
By mastering the different authentication methods, understanding their security levels, and knowing how they integrate with Conditional Access and authentication strength policies, you will be well-prepared to answer any SC-900 question on this topic.