Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Authentication is the process of verifying a person's identity before granting access to a resource, application, service, device, or network. It's how a system makes sure users are who they say they are when they try to sign in.
Authentication methods supported by Microsoft Entra ID
The following table outlines when an authentication method can be used for primary or first factor authentication, secondary factor authentication when you use Microsoft Entra multifactor authentication (MFA) and for self-service password reset (SSPR).
| Method | Primary authentication | Secondary authentication |
|---|---|---|
| Windows Hello for Business | Yes | MFA1 |
| Platform Credential for macOS | Yes | MFA |
| Microsoft Authenticator passwordless | Yes | No |
| Microsoft Authenticator push notifications | Yes | MFA and SSPR |
| Software OATH tokens | No | MFA and SSPR |
| External authentication methods (preview) | No | MFA |
| Temporary Access Pass (TAP) | Yes | MFA |
| Short Message Service (SMS) sign-in | Yes | MFA and SSPR |
| Voice call | No | MFA and SSPR |
| Password | Yes | No |
1Windows Hello for Business can serve as a step-up MFA credential if a user is enabled for passkey (FIDO2) and has a passkey registered.
Phishing-resistant authentication methods
While traditional MFA with SMS, email OTP or authenticator apps significantly improves security over password-only systems, these options introduce friction—requiring additional steps for users, like entering codes, approving push notifications, or using authenticator apps. Moreover, these options for MFA are prone to remote phishing attacks. Remote phishing is where attackers use social engineering and AI-driven tools to steal identity credentials—like passwords or one-time codes—without physical access to a user's device.
Microsoft recommends using phishing-resistant authentication methods such as Windows Hello for Business because they provide the most secure sign-in experience.
The following phishing-resistant authentication methods are available in Microsoft Entra ID.
- Windows Hello for Business
- Platform Credential for macOS