Multifactor Authentication (MFA) in Microsoft Entra
Why Multifactor Authentication (MFA) Matters
In today's threat landscape, passwords alone are no longer sufficient to protect identities and resources. Studies consistently show that over 99.9% of account compromise attacks can be blocked by enabling MFA. Attackers use techniques such as phishing, credential stuffing, brute force attacks, and password spraying to gain unauthorized access. If a user's password is compromised, MFA acts as a critical second barrier, preventing the attacker from accessing the account. This is why MFA is considered one of the most important security controls an organization can implement.
What Is Multifactor Authentication (MFA)?
Multifactor Authentication (MFA) is a security mechanism that requires users to provide two or more forms of verification before they are granted access to a resource, application, or system. These verification factors are drawn from different categories, ensuring that compromising one factor alone is not enough to gain access.
The three primary categories of authentication factors are:
1. Something you know – This is knowledge-based, such as a password, PIN, or security question answer.
2. Something you have – This is possession-based, such as a mobile phone, hardware token, security key (like a FIDO2 key), or a smart card.
3. Something you are – This is biometric-based, such as a fingerprint scan, facial recognition, retina scan, or voice recognition.
For authentication to be considered multifactor, the user must provide verification from at least two different categories. For example, entering a password (something you know) and then approving a push notification on the Microsoft Authenticator app (something you have) constitutes MFA. However, entering a password and then answering a security question does not constitute MFA because both are from the same category (something you know).
How MFA Works in Microsoft Entra
Microsoft Entra ID (formerly Azure Active Directory) provides built-in MFA capabilities that can be configured and enforced across your organization. Here is how MFA typically works:
Step 1: Primary Authentication
The user enters their username and password (something they know) to begin the sign-in process.
Step 2: Secondary Verification
After the password is verified, the user is prompted for an additional form of verification. Microsoft Entra supports multiple second-factor methods, including:
• Microsoft Authenticator app – Push notifications or time-based one-time passcodes (TOTP). The app can also support passwordless sign-in and number matching for added security.
• SMS verification – A one-time code is sent to the user's registered phone number.
• Voice call – The user receives an automated call and must press a key to verify.
• FIDO2 security keys – Physical hardware keys that provide strong, phishing-resistant authentication.
• Windows Hello for Business – Uses biometrics or a PIN tied to a specific device.
• OATH hardware or software tokens – Generate time-based one-time passwords.
• Certificate-based authentication – Uses X.509 certificates for verification.
Step 3: Access Granted
Once both factors are successfully verified, the user is granted access to the requested resource.
Ways to Enable and Enforce MFA in Microsoft Entra
There are several ways to implement MFA:
• Security Defaults – A free, easy-to-enable baseline policy that requires all users to register for and use MFA. This is ideal for organizations that want a simple, no-cost way to enforce MFA across the tenant.
• Conditional Access Policies – The most flexible and recommended approach. Conditional Access allows administrators to create granular policies that require MFA based on specific conditions such as user identity, group membership, application being accessed, location, device state, or sign-in risk level. Conditional Access requires Microsoft Entra ID P1 or P2 licenses.
• Per-user MFA – A legacy method where MFA is enabled or enforced on a per-user basis. This approach is less flexible and harder to manage at scale, so Microsoft recommends using Conditional Access or Security Defaults instead.
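Before choosing one of these enforcement options it helps to know where the tenant currently stands: whether Security Defaults is already on, and which users (especially administrators) have not registered an MFA method. The following PowerShell script is an added example, not part of the original article and not Microsoft's own tooling; it assumes the Microsoft Graph PowerShell SDK (v2 cmdlet names) is installed and that the signed-in account can consent to the read-only scopes listed.

```powershell
# Added example: inventory a tenant's MFA posture with the Microsoft Graph PowerShell SDK.
# Assumes Microsoft.Graph modules are installed; all scopes requested are read-only.
Connect-MgGraph -Scopes "Policy.Read.All", "AuditLog.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome

# 1. Is the free baseline (Security Defaults) switched on for this tenant?
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security Defaults enabled: $($defaults.IsEnabled)"

# 2. Who is registered for MFA? The registration-details report lists every user,
#    the methods they have set up, and whether any of those methods counts as MFA.
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$notRegistered       = $details | Where-Object { -not $_.IsMfaRegistered }
$adminsNotRegistered = $notRegistered | Where-Object { $_.IsAdmin }

"Users total:        $($details.Count)"
"Users without MFA:  $($notRegistered.Count)"
"Admins without MFA: $($adminsNotRegistered.Count)"

# 3. Which methods are in use? Users whose only method is SMS or voice call are the
#    ones to move toward Microsoft Authenticator or FIDO2 keys.
$details |
    Where-Object { $_.IsMfaRegistered } |
    ForEach-Object { $_.MethodsRegistered } |
    Group-Object |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# 4. Export the administrators lacking MFA so they can be remediated first.
$adminsNotRegistered |
    Select-Object UserPrincipalName, IsMfaCapable,
        @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } } |
    Export-Csv -Path .\admins-without-mfa.csv -NoTypeInformation
```

The admin list from step 4 is the natural first target for a Conditional Access policy, because per-user MFA settings and the registration report are the two places where an unprotected privileged account is easiest to overlook.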
MFA and Conditional Access – A Powerful Combination
Conditional Access policies allow organizations to enforce MFA intelligently. For example:
• Require MFA for all users accessing cloud applications from outside the corporate network.
• Require MFA for privileged administrator accounts at every sign-in.
• Require MFA when sign-in risk is detected as medium or high (using Microsoft Entra ID Protection).
• Require MFA for accessing sensitive applications such as the Azure portal or the Microsoft 365 admin center.
This risk-based approach ensures that MFA is applied when it is most needed, balancing security with user experience.
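Two of the policies listed above, expressed as Conditional Access objects created through the Microsoft Graph PowerShell SDK: phishing-resistant MFA for Global Administrators at every sign-in, and MFA for all users when Microsoft Entra ID Protection rates the sign-in risk medium or high. This is an added example, not code from the original article or from Microsoft; it assumes a Microsoft Entra ID P1 or P2 license, the Graph SDK v2 cmdlet names, and a break-glass account whose object ID you substitute for the placeholder. Both policies are created in report-only mode so their effect can be checked in the sign-in logs before enforcement.

```powershell
# Added example: create two Conditional Access policies with the Microsoft Graph PowerShell SDK.
# Requires Entra ID P1/P2. Policies start in report-only mode; switch state to "enabled"
# only after reviewing their results in the sign-in logs.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "AuditLog.Read.All", "Directory.Read.All" -NoWelcome

# Object ID of the emergency-access (break-glass) account. Placeholder: replace it.
$breakGlassUserId = "<BREAK-GLASS-USER-OBJECT-ID>"

# Policy 1: phishing-resistant MFA for Global Administrators on every sign-in.
# 62e90394-... is the Global Administrator role template ID (confirm with
# Get-MgDirectoryRoleTemplate). The authenticationStrength ID is the built-in
# "Phishing-resistant MFA" strength (FIDO2, Windows Hello for Business,
# certificate-based authentication); list them with Get-MgPolicyAuthenticationStrengthPolicy.
$adminPolicy = @{
    displayName = "CA-Admins-PhishingResistantMFA"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeRoles = @("62e90394-69f5-4237-9190-012177145e10")
            excludeUsers = @($breakGlassUserId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = "00000000-0000-0000-0000-000000000004" }
    }
}

# Policy 2: standard MFA for all users when sign-in risk is medium or high
# (the signInRiskLevels condition is fed by Microsoft Entra ID Protection).
$riskPolicy = @{
    displayName = "CA-AllUsers-MFA-OnSignInRisk"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassUserId)
        }
        applications     = @{ includeApplications = @("All") }
        clientAppTypes   = @("all")
        signInRiskLevels = @("medium", "high")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

foreach ($policy in @($adminPolicy, $riskPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    "Created $($created.DisplayName) ($($created.Id)) in state $($created.State)"
}

# Review before enforcing: each sign-in log entry carries the policies evaluated
# against it, with results such as reportOnlySuccess or reportOnlyFailure.
Get-MgAuditLogSignIn -Top 50 |
    ForEach-Object {
        $signIn = $_
        foreach ($p in $signIn.AppliedConditionalAccessPolicies) {
            if ($p.DisplayName -like "CA-*") {
                [pscustomobject]@{
                    User   = $signIn.UserPrincipalName
                    Policy = $p.DisplayName
                    Result = $p.Result
                }
            }
        }
    } | Format-Table -AutoSize
```

The break-glass exclusion matters in both policies: a Conditional Access policy that requires a factor the emergency account cannot present, or that fires on a risk signal, can lock administrators out of the tenant entirely. Report-only mode is the safety net that shows who would have been affected before anyone is.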
MFA and Passwordless Authentication
Microsoft Entra also supports passwordless authentication, which replaces the traditional password with stronger, more convenient methods. Methods like the Microsoft Authenticator app (in passwordless mode), FIDO2 security keys, and Windows Hello for Business can serve as both the primary and secondary factor, effectively combining two factors into one seamless experience. For example, Windows Hello for Business uses something you have (the device) combined with something you are (biometrics) or something you know (PIN).
Key Concepts to Remember
• MFA requires at least two different types of authentication factors.
• The three factor categories are: something you know, something you have, and something you are.
• Two factors from the same category do NOT qualify as MFA.
• Security Defaults provide a free baseline MFA enforcement for all users.
• Conditional Access is the recommended and most flexible way to enforce MFA.
• Microsoft Authenticator is Microsoft's recommended verification method.
• MFA significantly reduces the risk of identity compromise.
• FIDO2 security keys provide the strongest, phishing-resistant form of authentication.
Exam Tips: Answering Questions on Multifactor Authentication (MFA)
Tip 1: Know the Three Factor Categories
Exam questions frequently test whether you can distinguish between the three authentication factor categories. Remember: a password + security question = NOT MFA (both are something you know). A password + phone verification = MFA (two different categories).
Tip 2: Understand That MFA Requires Factors from Different Categories
This is one of the most commonly tested concepts. If a question asks whether using two passwords or a password and a PIN constitutes MFA, the answer is no: they are both from the same category.
Tip 3: Know the Difference Between Security Defaults and Conditional Access
Security Defaults are free and provide a basic level of MFA protection. Conditional Access is more granular and requires a premium license. If a question describes a scenario needing fine-grained control (e.g., MFA only when outside the office, or only for specific apps), the answer is Conditional Access.
Tip 4: Remember That Conditional Access Is the Recommended Approach
Microsoft recommends Conditional Access policies over per-user MFA and Security Defaults for organizations that need flexible, policy-driven MFA enforcement.
Tip 5: Recognize Passwordless Methods as MFA
Windows Hello for Business and FIDO2 security keys inherently provide two factors in a single authentication step. If a question asks about strong or phishing-resistant authentication, think FIDO2 keys and Windows Hello for Business.
Tip 6: Associate MFA with Identity Protection
Questions may reference risk-based MFA. Microsoft Entra ID Protection can detect risky sign-ins and trigger MFA through Conditional Access policies. Understand that sign-in risk and user risk can be used as conditions to require MFA.
Tip 7: Know That MFA Blocks Over 99.9% of Account Compromise Attacks
This statistic is frequently referenced by Microsoft and may appear in exam scenarios emphasizing the importance of MFA.
Tip 8: Watch for Trick Questions About SMS
While SMS-based MFA is supported, Microsoft considers it the least secure MFA method due to SIM swapping and interception risks. The Microsoft Authenticator app or FIDO2 keys are preferred. However, SMS-based verification still qualifies as MFA.
Tip 9: Read the Question Carefully
Pay attention to what the question is really asking. Is it asking about the definition of MFA, the best method to implement it, or the factors involved? Many incorrect answers are chosen because candidates rush through the question without identifying exactly what is being asked.
Tip 10: Scenarios Involving Administrators
Microsoft strongly recommends that all administrator accounts have MFA enforced at all times. If a question asks about securing admin accounts, MFA (ideally through Conditional Access) is almost always part of the correct answer.