How to setup Require Authentication Strength in Conditional Access

Post last modified: September 24, 2023

The Require authentication strength access control in Azure AD Conditional Access is a new option for administrators to define which authentication methods can be used to access your environment or a resource. It lets you define the most secure methods, enforce those methods within your environment, and prevent the use of less secure methods of authentication.

Built-in options

There are 3 built-in options to choose from when selecting an authentication strength in Conditional Access: MFA, Passwordless MFA and Phishing-resistant MFA. Each option provides a different level of protection, and they include the following methods:

  • Multi-Factor Authentication strength:
    • FIDO2
    • Windows Hello for Business
    • Certificate-based authentication
    • Microsoft Authenticator
    • Temporary Access Pass
    • Password & something you have
    • Federated single-factor & something you have
    • Federated Multi-factor
  • Passwordless MFA strength
    • FIDO2 security key
    • Windows Hello for Business
    • Certificate-based authentication
    • Microsoft Authenticator
  • Phishing-resistant MFA strength
    • FIDO2 security key
    • Windows Hello for Business
    • Certificate-based authentication

How to create a custom Authentication strength for conditional access

As well as the default built-in controls listed above, you can also create your own custom authentication strength that includes any mixture of the authentication methods above. Follow the steps below to create a custom authentication strength.

  1. Log in to the Azure Active Directory management portal at aad.portal.azure.com.

  2. Select Azure Active Directory.

  3. Under the Manage heading, select Security.

  4. Select Authentication methods.

  5. Select Authentication strengths.

  6. Click New authentication strength and a new pop-out window will appear from the right. Start by giving your new authentication strength a meaningful name.

  7. Choose your desired authentication methods from the options list and click Next. This will bring you to the Review tab, where you can confirm your selections and click Create.

  8. You will now see your new authentication strength in the list with the type Custom. Until you attach it to a policy, it will show as not configured in any policy yet.

How to apply your custom authentication strength to a policy

  1. Open Conditional Access within your Azure Active Directory management portal.

  2. Click New policy or select one of your existing policies.

  3. Under Access controls, select Grant > Require authentication strength and select your new custom authentication strength from the drop-down list.
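The same two procedures, creating a custom authentication strength and attaching it to an existing Conditional Access policy, done with the Microsoft Graph PowerShell SDK instead of the portal. This is an added example, not code from the original post; the display names, the chosen method combinations and the policy name in $PolicyDisplayName are assumptions you should change to match your tenant.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph modules
# are installed and that $PolicyDisplayName names an existing Conditional Access policy.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod", "Policy.ReadWrite.ConditionalAccess"

# Each entry is one combination of methods that satisfies the strength. Single-factor
# and SMS-based combinations (e.g. "password,sms") are deliberately left out; that
# omission is what forces a user like John Smith to register a stronger method.
$allowedCombinations = @(
    "fido2",
    "windowsHelloForBusiness",
    "x509CertificateMultiFactor",
    "password,microsoftAuthenticatorPush"
)

# Step 6-7 equivalent: create the custom authentication strength.
$strength = New-MgPolicyAuthenticationStrengthPolicy `
    -DisplayName "Custom - Authenticator or phishing-resistant" `
    -Description "Authenticator push with password, or passwordless phishing-resistant methods" `
    -AllowedCombinations $allowedCombinations

# Apply-to-policy equivalent: set Grant > Require authentication strength on the policy.
$PolicyDisplayName = "Require MFA for all users"   # assumption: rename to match your tenant
$caPolicy = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$PolicyDisplayName'"
if (-not $caPolicy) { throw "Conditional Access policy '$PolicyDisplayName' not found" }

$grantControls = @{
    operator               = "OR"
    builtInControls        = @()                       # drop the plain 'mfa' grant control
    authenticationStrength = @{ id = $strength.Id }
}
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $caPolicy.Id -GrantControls $grantControls

# Verify the policy now references the custom strength rather than built-in MFA.
$updated = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $caPolicy.Id
$updated.GrantControls.AuthenticationStrength.Id -eq $strength.Id
```

Test the change against a pilot group first, since any user whose registered methods match none of the allowed combinations will be walked through registration at next sign-in, exactly as shown in the user experience section.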

User experience when authentication strength is enabled

In this scenario our user ‘John Smith’ has MFA enabled with SMS authentication. There is an existing Conditional Access policy in place which enforces basic MFA only.

Currently when John Smith signs into office.com, he is challenged with an MFA code that is sent to his mobile phone every time.

As the administrator I am now going to change the existing Conditional Access policy to use my new authentication strength.

Now we have changed the policy, when John Smith’s session expires or he signs in again, he is greeted with the following page:

Once he clicks Next, he is first asked to complete his existing authentication method of SMS:

Once he successfully authenticates with the code that is messaged to his mobile, he will be asked for more information:

Now he will be asked to set up the new authentication method, the Microsoft Authenticator app, which we included in our custom authentication strength:

[Screenshot: final prompt shown to jsmith]

Once the setup of the new authentication method is complete, he will get to the following screen:

[Screenshot: authentication change success]

Interestingly, the default sign-in method shows incorrectly on this page; it is now the authenticator app and not ‘text’. Also, in my case, when I went through this process in a Chrome private browser, after clicking ‘Done’ I was in an endless loop of authenticating with the authenticator app and getting back to this same screen. I had to end my browser session and sign back in as normal, however the change did complete successfully.

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.
