Domain 1: M365 Core Features & Objects, Module 7 of 10

Authentication: Passwords, MFA & Beyond

Authentication is how M365 proves you are who you say you are. From passwords to passkeys, MFA to passwordless: know the methods, know the risks.

Authentication vs authorisation

Simple explanation

Authentication = "Who are you?" Authorisation = "What are you allowed to do?"

Think of a hotel. Authentication is the front desk checking your ID and giving you a room key. Authorisation is what that key opens: your room (yes), the pool (yes), the staff kitchen (no).

In M365: authentication verifies your identity (password + MFA). Authorisation decides what you can access (based on your licenses, group memberships, and policies).

Authentication methods in Microsoft 365

Authentication methods ranked by security

| Feature | Security Level | User Experience | Common Use |
|---|---|---|---|
| Password only | 🔴 Low (easily phished) | Familiar but risky | Legacy; being phased out |
| Password + MFA | 🟡 Good (blocks most attacks) | Extra step but manageable | Current standard for most orgs |
| Microsoft Authenticator | 🟢 Strong (push notification) | Tap to approve on phone | Recommended MFA method |
| FIDO2 security key | 🟢 Very strong (phishing-resistant) | Physical key, tap to sign in | High-security roles |
| Windows Hello for Business | 🟢 Very strong (biometric/PIN) | Face, fingerprint, or PIN | Corporate-managed Windows devices |
| Certificate-based auth | 🟢 Strong (smart cards) | Insert card + PIN | Government, regulated industries |
| Passkeys | 🟢 Very strong (phishing-resistant) | Biometric or device unlock | The future; replacing passwords |

Key exam concept: Passwords alone are NOT secure. The exam always favours MFA or passwordless methods. If a question asks "what should the admin enable to improve security?", the answer almost always involves MFA or a stronger method.

Multi-Factor Authentication (MFA)

MFA requires two or more factors from different categories:

| Factor | Category | Example |
|---|---|---|
| Something you know | Knowledge | Password, PIN |
| Something you have | Possession | Phone (Authenticator app), security key |
| Something you are | Biometric | Fingerprint, face recognition |

MFA works because even if an attacker steals your password (something you know), they still need your phone (something you have) to complete sign-in.

Scenario: Brew & Byte enables MFA

Brew & Byte has 30 employees and never used MFA. After a phishing email nearly compromised Kai’s account, they decide to enable it:

  1. Microsoft Entra admin center → Protection → Multifactor authentication
  2. Enable Security defaults (free, enables MFA for all users automatically)
  3. All users register Microsoft Authenticator on their phones
  4. Sign-in now requires: password + Authenticator approval

Result: Even when Zoe (the designer) clicks a phishing link and enters her password on a fake site, the attacker can’t complete sign-in because they don’t have Zoe’s phone.

Cost: $0. Security defaults are free and included in every M365 plan.

Passwordless authentication: the future

Microsoft is moving towards passwordless authentication:

  • Microsoft Authenticator (passwordless mode): tap to approve, no password needed
  • FIDO2 security keys: physical USB/NFC key, phishing-resistant
  • Windows Hello for Business: face, fingerprint, or PIN tied to the device
  • Passkeys: cross-platform, phishing-resistant, biometric-based

Why passwordless is more secure

Passwords are the weakest link because:

  • Users reuse them across sites
  • They can be phished (fake login pages)
  • They can be brute-forced or sprayed
  • They can be leaked in data breaches

Passwordless methods eliminate passwords entirely. A FIDO2 key or Windows Hello credential is tied to a specific device, can’t be phished (it verifies the website’s identity too), and can’t be reused on other sites.

Exam tip: If a question asks about "phishing-resistant authentication", the answer is FIDO2 security keys, Windows Hello for Business, or passkeys. NOT Authenticator app (which is strong but not phishing-resistant by default).

Self-Service Password Reset (SSPR)

SSPR lets users reset their own passwords without calling the helpdesk:

  • Configured in Microsoft Entra admin center → Protection → Password reset
  • Users register recovery methods (phone, email, security questions)
  • Reduces helpdesk calls by 20-40% in most organisations

Exam note: SSPR is about convenience AND security. It reduces the risk of helpdesk-based social engineering attacks (attacker calls helpdesk pretending to be the user).

Flashcards

Question

What's the difference between authentication and authorisation?

Answer

Authentication (AuthN) = verifying WHO you are (password, MFA, biometric). Authorisation (AuthZ) = determining WHAT you can access (roles, groups, policies, licenses).

Question

What are the three factors used in multi-factor authentication?

Answer

1) Something you know (password, PIN). 2) Something you have (phone, security key). 3) Something you are (fingerprint, face). MFA requires two or more from different categories.

Question

What makes FIDO2 security keys phishing-resistant?

Answer

FIDO2 keys verify the website's identity as part of authentication: if the site is fake (phishing), the key won't work. The credential is also tied to the specific device and can't be exported or reused.

Knowledge Check

  1. Clearfield Council requires phishing-resistant authentication for all councillors accessing sensitive systems. Which method should Director Chen deploy?

  2. An employee's password is compromised in a data breach. They also use Microsoft Authenticator for MFA. Can the attacker sign in to their M365 account?

Next up: Microsoft Defender XDR, the threat protection and intelligence platform that watches for attacks across your entire M365 environment.