Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Authentication is a security process that verifies a user's identity before granting access to apps, services, devices, or networks.
Authentication methods supported by Microsoft Entra ID
The following table outlines when an authentication method can be used for primary authentication (first factor), secondary authentication with Microsoft Entra multifactor authentication (MFA), and self-service password reset (SSPR).
| Method | Primary authentication | Secondary authentication | SSPR |
|---|---|---|---|
| Email OTP | No | SSPR and sign-in2 | SSPR |
| External MFA | No | MFA | No |
| Microsoft Authenticator passwordless | Yes | No | No |
| Microsoft Authenticator push notifications | Yes | MFA | SSPR |
| Password | Yes | No | No |
| Platform Credential for macOS | Yes | MFA | No |
| SMS sign-in | Yes | MFA | SSPR |
| Software OATH tokens | No | MFA | SSPR |
| Temporary Access Pass (TAP) | Yes | MFA | No |
| Voice call | No | MFA | SSPR |
| Windows Hello for Business | Yes | MFA1 | No |
1Windows Hello for Business can serve as a step-up MFA credential if a user is enabled for passkey (FIDO2) and has a passkey registered.
2Email OTP is available for tenant members for self-service password reset (SSPR).
Phishing-resistant authentication methods
While traditional MFA with SMS, email OTP, or authenticator apps significantly improves security over password-only systems, these options introduce friction — requiring additional steps for users, like entering codes, approving push notifications, or using authenticator apps. Moreover, these MFA options are prone to remote phishing attacks. In a remote phishing attack, attackers use social engineering and AI-driven tools to steal identity credentials — like passwords or one-time codes — without physical access to a user's device.
Microsoft recommends using phishing-resistant authentication methods such as Windows Hello for Business because they provide the most secure sign-in experience.
The following phishing-resistant authentication methods are available in Microsoft Entra ID:
- Windows Hello for Business
- Platform Credential for macOS