Authentication Methods: Plan & Implement
Plan and implement authentication methods in Entra ID β from certificate-based auth to Temporary Access Pass, OAuth tokens, and Microsoft Authenticator.
Planning your authentication strategy
Authentication methods are the ways you prove you are who you say you are β like showing ID at a hotel check-in.
A hotel might accept your passport, driverβs licence, or a temporary guest code the concierge gave you over the phone. Each method has trade-offs: a passport is very secure but slow to replace; a temporary code is fast but expires quickly.
Entra ID works the same way. You choose which βIDsβ your organisation accepts β passwords, certificates, authenticator app, temporary passes β and who gets to use each one.
The authentication methods landscape
| Method | Strength | Use Case |
|---|---|---|
| Password | Weakest (standalone) | Legacy default β always pair with MFA |
| SMS / Voice call | Low | Backup only β vulnerable to SIM swap |
| Microsoft Authenticator | Strong | Push notifications with number matching |
| FIDO2 security keys | Very strong | Passwordless, phishing-resistant |
| Certificate-based auth (CBA) | Very strong | Government, regulated industries |
| Temporary Access Pass (TAP) | Time-limited | Onboarding, device setup, recovery |
| Windows Hello for Business | Very strong | Passwordless on Windows devices |
| OAuth 2.0 tokens | Varies | App-to-app, API access |
Authentication methods policy
The Authentication methods policy in Entra replaces the legacy per-user MFA settings. Key concepts:
- Enable per method β turn individual methods on/off for all users or specific groups
- Registration campaigns β nudge users to set up Authenticator (weβll cover this in the MFA module)
- Migration guide β Entra provides a migration status showing whether youβve fully moved from legacy MFA settings to the new policy
Exam tip: legacy MFA vs authentication methods policy
The exam tests whether you know the difference between two places where MFA methods are configured:
- Legacy: per-user MFA settings (the old portal at
aka.ms/mfasetup) β methods enabled globally for all users - Modern: Authentication methods policy (Entra admin center β Protection β Authentication methods) β granular, group-targeted, supports passwordless
Microsoft is migrating everyone to the modern policy. The legacy settings will be deprecated. If an exam question asks about enabling a method βfor a specific group of users,β the answer is the Authentication methods policy.
Certificate-based authentication (CBA)
Certificate-based authentication lets users sign in using an X.509 certificate on a smart card or device β no password needed.
How it works:
- Admin uploads trusted CA certificates to Entra ID
- Configure CBA authentication rules (which certificate fields map to which user attributes)
- User presents their certificate (smart card, device certificate, or virtual smart card)
- Entra validates the certificate chain, checks revocation (CRL/OCSP), and maps the certificate to a user account
Key configuration decisions:
| Setting | Options | Notes |
|---|---|---|
| Username binding | PrincipalName, RFC822Name, Subject, SHA1PublicKey | Maps certificate field β Entra user attribute |
| Authentication strength | Single-factor or multi-factor | Multi-factor CBA counts as phishing-resistant MFA |
| Revocation checking | CRL, OCSP | OCSP is checked first if configured |
| Affinity binding | Required or low | Whether certificate must match at the issuer or exact certificate level |
Scenario: Anika plans CBA for a government client
Anikaβs government client issues PIV (Personal Identity Verification) smart cards to all employees. Federal policy requires phishing-resistant MFA for all cloud access.
Her plan:
- Upload the government CA chain (root + intermediate CAs) to Entra ID
- Configure username binding: PrincipalName β userPrincipalName in Entra
- Set authentication strength to multi-factor (smart card + PIN counts as two factors)
- Enable CRL distribution point checking for revocation
- Create a Conditional Access policy requiring βphishing-resistant MFAβ β CBA satisfies this
Result: Users insert smart card, enter PIN, and theyβre in. No passwords, no phone-based MFA. Meets federal compliance requirements.
Temporary Access Pass (TAP)
A Temporary Access Pass is a time-limited passcode issued by an admin. Itβs designed for scenarios where users canβt use their normal authentication methods.
Common scenarios:
- Onboarding β new employee needs to sign in before theyβve set up Authenticator or FIDO2
- Lost device β user lost their phone with Authenticator, needs to sign in to register a new device
- FIDO2 recovery β userβs security key broke, needs temporary access while a replacement arrives
- Windows Hello for Business setup β some WHfB deployment models require TAP for initial provisioning
TAP settings:
| Setting | Default | Range |
|---|---|---|
| Minimum lifetime | 1 hour | 10 minutes β 30 days |
| Maximum lifetime | 24 hours | 10 minutes β 30 days |
| Default lifetime | 1 hour | Within min/max range |
| One-time use | No | Yes / No |
Scenario: Jake onboards a new designer at Coastline
New designer Sofia starts Monday. Jake needs her to sign in, set up MFA, and register her MacBook β but she canβt set up Authenticator until she signs in for the first time.
Jakeβs approach:
- Creates a TAP for Sofia in the Entra admin center (Users β Sofia β Authentication methods β Add)
- Sets lifetime to 2 hours, one-time use enabled
- Sends Sofia the TAP via a secure channel (encrypted email or in-person)
- Sofia signs in with her UPN + TAP code
- During sign-in, sheβs prompted to register Authenticator (TAP satisfies MFA for registration)
- The TAP expires after use β from now on, Sofia uses Authenticator
Key insight: TAP can satisfy the MFA requirement for registering other methods. This solves the βchicken-and-eggβ problem of needing MFA to register MFA.
OAuth 2.0 tokens
OAuth 2.0 is the protocol behind how apps get authorised access to resources without seeing the userβs password. You wonβt configure OAuth from scratch β Entra handles it β but you need to understand token types:
| Token | Purpose | Lifetime |
|---|---|---|
| Access token | Presented to a resource (API) to prove authorisation | Default 60β90 min (configurable) |
| Refresh token | Exchanged for a new access token when the current one expires | Default 90 days (rolling) |
| ID token | Contains claims about the userβs identity (used by the app) | Matches access token lifetime |
| Primary Refresh Token (PRT) | Device-level token for SSO across all apps on a joined device | Tied to device registration |
Token lifetime policies are largely deprecated. You cannot customise refresh token or session token lifetimes via token lifetime policies (deprecated January 2021). Access token lifetimes can still be adjusted (10 min to 1 day), but the exam-expected approach is Conditional Access session controls.
Exam tip: use CA session controls, not token lifetime policies
Token lifetime policies for refresh and session tokens are deprecated. For controlling session behaviour, use Conditional Access session controls instead:
- Sign-in frequency β how often users must re-authenticate (e.g., every 8 hours)
- Persistent browser session β whether the session survives browser close
Access and ID token lifetimes can still be configured (10 min to 1 day, default ~1 hour), but these are edge cases. The exam answer is almost always CA session controls.
Microsoft Authenticator
The Authenticator app is the centrepiece of Microsoftβs modern MFA strategy.
Modes:
- Push notification β user approves/denies on their phone (with number matching)
- Passwordless phone sign-in β no password entered; user matches number and uses biometric/PIN
- TOTP codes β 6-digit time-based codes (works offline)
Number matching (enabled by default): When a user gets a push notification, the sign-in screen shows a two-digit number. The user must type that number in the Authenticator app. This prevents MFA fatigue attacks (where attackers spam push notifications hoping the user taps βApproveβ).
Additional context (enabled by default): The push notification shows the app name and approximate location (city) of the sign-in attempt. Helps users identify suspicious requests.
Scenario: Jake sets up Authenticator for Coastline Creative
Coastline Creative has been using SMS for MFA. Jake wants to upgrade everyone to Authenticator.
His plan:
- Enable Microsoft Authenticator in the Authentication methods policy
- Configure: push notifications ON, number matching ON, additional context ON
- Use a registration campaign (nudge) to prompt users to set up Authenticator at next sign-in
- Give the team 30 days to switch β most will do it after the first nudge
- After 30 days, disable SMS as an MFA method
Why the switch matters: SMS is vulnerable to SIM swapping. One of Coastlineβs freelancers had their number hijacked last year. Authenticator with number matching is phishing-resistant and doesnβt rely on carrier security.
π¬ Video walkthrough
Flashcards
Knowledge Check
A new employee needs to sign in and register for MFA, but they can't set up MFA without first signing in. How should the admin resolve this?
A government agency requires phishing-resistant MFA for all cloud access. Employees have PIV smart cards. Which authentication method should the identity admin configure?
Jake wants to move Coastline Creative from SMS-based MFA to Microsoft Authenticator. He needs most users to switch within 30 days without forcing an immediate cutover. What should he configure?
Next up: Passwordless & Windows Hello for Business β eliminate passwords entirely with FIDO2 passkeys, Windows Hello, and Entra Kerberos for hybrid environments.