The Require authentication strength access control in Azure AD Conditional Access is a new option that lets administrators define which authentication methods can be used to access your environment or a resource. It is there so you can define the most secure methods, enforce those methods within your environment, and prevent the use of less secure methods of authentication.
Built-in options
There are 3 different built-in options to choose from when selecting an authentication strength in Conditional Access: MFA, Passwordless MFA and Phishing-resistant MFA. Each option provides a different level of protection, and they include the following methods:
- Multi-Factor Authentication strength:
  - FIDO2
  - Windows Hello for Business
  - Certificate-based authentication
  - Microsoft Authenticator
  - Temporary Access Pass
  - Password & something you have
  - Federated single-factor & something you have
  - Federated multi-factor
- Passwordless MFA strength:
  - FIDO2 security key
  - Windows Hello for Business
  - Certificate-based authentication
  - Microsoft Authenticator
- Phishing-resistant MFA strength:
  - FIDO2 security key
  - Windows Hello for Business
  - Certificate-based authentication
How to create a custom Authentication strength for conditional access
As well as the default built-in controls listed above, you can also create your own custom authentication strength that includes a mixture of the authentication methods above. Follow the steps below to create a custom authentication strength.
1. Log in to the Azure Active Directory management portal at aad.portal.azure.com.
2. Select Azure Active Directory.
3. Under the Manage heading, select Security.
4. Select Authentication methods.
5. Select Authentication strengths.
6. Click on New authentication strength and a new pop-out window will appear from the right. Start by giving your new authentication strength a meaningful name.
7. Choose your desired authentication methods from the options list and click Next. This will bring you to the Review tab, where you can confirm your selections and click Create.
8. You will now see your new authentication strength in the list with the type of Custom. Currently it will show as not configured in any policy yet.
How to apply your custom authentication strength to a policy
1. Open Conditional Access within your Azure Active Directory management portal.
2. Click New policy or select one of your existing policies.
3. Under Access controls, select Grant > Require authentication strength and select your new custom authentication strength from the drop-down list.
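The same two procedures (creating the custom strength and attaching it to a policy) can be scripted through Microsoft Graph. The script below is an added example, not code from the original post; it assumes the Microsoft.Graph PowerShell SDK, the Graph permission names and `allowedCombinations` values shown (taken from the Graph reference as I understand it), and a constructed strength name, policy name and pilot group placeholder.

```powershell
# Added example (not from the original post): create a custom authentication
# strength and attach it to a report-only Conditional Access policy via Graph.
# Assumes the Microsoft.Graph SDK is installed and the admin can consent to
# the scopes below (permission names assumed from the Graph reference).
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod", "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$graph = "https://graph.microsoft.com/v1.0"
$strengthName = "Custom - Authenticator or phishing-resistant"   # constructed name

# One entry per permitted combination; a comma-joined entry is a multi-step
# sign-in (password, then an Authenticator push). Mode names are assumed
# Graph authenticationMethodModes values.
$allowedCombinations = @(
    "fido2",
    "windowsHelloForBusiness",
    "x509CertificateMultiFactor",
    "deviceBasedPush",                       # Authenticator phone sign-in (passwordless)
    "password,microsoftAuthenticatorPush"    # password + Authenticator app push
)

# Re-running the script must not create duplicate strengths: reuse one by name.
$existing = (Invoke-MgGraphRequest -Method GET -Uri "$graph/policies/authenticationStrengthPolicies").value |
    Where-Object { $_.displayName -eq $strengthName }

if ($existing) {
    $strength = $existing | Select-Object -First 1
} else {
    $strength = Invoke-MgGraphRequest -Method POST -Uri "$graph/policies/authenticationStrengthPolicies" -Body @{
        displayName         = $strengthName
        description         = "Authenticator app, FIDO2, WHfB or CBA only; no SMS or voice"
        allowedCombinations = $allowedCombinations
    }
}

# Attach the strength as the policy's grant control. Report-only mode records in
# the sign-in logs who would have failed the strength before anyone is blocked;
# change state to "enabled" after reviewing those results.
$policy = @{
    displayName   = "CA - require custom authentication strength"   # constructed name
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeGroups = @("<pilot-group-object-id>") }   # placeholder
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "OR"
        builtInControls        = @()
        authenticationStrength = @{ id = $strength.id }
    }
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/policies" -Body $policy
```

Scoping the policy to a pilot group first mirrors the user-experience walkthrough below: users who only have SMS registered will be pushed through Authenticator registration the next time the policy applies to them.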
User experience when authentication strength is enabled
In this scenario our user ‘John Smith’ has MFA enabled with SMS authentication. There is an existing Conditional Access policy in place which enforces basic MFA only.
Currently when John Smith signs into office.com, he is challenged with an MFA code that is sent to his mobile phone every time.
As the administrator, I am now going to change the existing Conditional Access policy to use my new custom authentication strength.
Now we have changed the policy, when John Smith’s session expires or he signs in again, he is greeted with the following page:
Once he clicks Next, he is first asked to complete his existing authentication method of SMS:
Once he successfully authenticates with the code that is messaged to his mobile, he will be asked for more information:
Now he will be asked to set up the new authentication method, the Microsoft Authenticator app, which we set in our custom authentication strength:
Once the setup of the new authentication method is complete, he will get to the following screen:
Interestingly, the default sign-in method shows incorrectly on this page; it is now the Authenticator app and not ‘text’. Also, in my case, when I went through this process in a Chrome private browser, after clicking ‘Done’ I was in an endless loop of authenticating with the Authenticator app and getting back to this same screen. I had to end my browser session and sign back in as normal; however, the change did complete successfully.