Configuring Phishing‑Resistant MFA (PR‑MFA) in Entra ID Conditional Access
|
Field |
Details |
|
Document Type |
How-To Guide - Configure Phishing‑Resistant MFA (PR‑MFA) |
|
Applies To |
Microsoft Entra ID, Conditional Access policy |
|
Audience |
2nd Line / Entra ID Admins / IT Engineer |
|
Author |
AK. Udofeh |
|
Last Updated |
March 2026 |
Overview
Phishing‑Resistant MFA (PR‑MFA) is the strongest authentication assurance level available in Microsoft Entra ID. It requires cryptographically bound authentication methods such as FIDO2 security keys, device‑bound passkeys, or Windows Hello for Business.
Microsoft formally introduced Phishing‑resistant MFA Authentication Strength as part of Conditional Access by 2025. This prevents attackers from bypassing MFA via techniques like real‑time phishing proxies, MFA fatigue, push spam, or OTP interception.
Use Cases
Use PR‑MFA for:
- Administrators and privileged roles (Global Admin, Security Admin, Conditional Access Admin)
- Users accessing high‑value or regulated workloads
- Teams handling sensitive data: finance, HR, legal
- Zero‑Trust access strategies requiring high authentication assurance
Prerequisites
Licensing
- Microsoft Entra ID P1/P2 (Authentication Strengths supported).
Technical Requirements
- Supported phishing‑resistant methods enabled (FIDO2, Windows Hello, Passkeys).
- Users must have registered a phishing‑resistant method before enforcement to avoid lockouts
Supported Authenticators
- FIDO2 security keys (hardware)
- Windows Hello for Business
- Device‑bound passkeys (Windows/macOS/iOS/Android, depending on platform)
Do not enforce PR‑MFA without ensuring users have registered the required method. Risk of tenant lockout. Break‑glass (emergency access) accounts must be excluded. Legacy apps that do not support modern authentication may require exceptions or re‑architecture.
Step‑by‑Step Configuration
Step 1: Enable Phishing‑Resistant Authentication Methods
- Go to Entra Admin Center > Identity > Protection > Authentication Methods.
- Enable: Passkeys (FIDO2) and Windows Hello for Business
Step 2: Create a Security Group for Pilot Users
- Create a group like PR‑MFA‑Pilot.
- Add admin users or a testing cohort.
Step 3: Configure Authentication Strength
- Go to Identity > Protection > Conditional Access > Authentication Strengths.
- Select Phishing‑resistant MFA strength.
This explicitly enforces device‑bound cryptographic methods.
Step 4: Create the PR‑MFA Conditional Access Policy
- Go to Conditional Access > Policies > + New Policy.
- Name: Require Phishing‑Resistant MFA
- Assignments:
- Users: select PR‑MFA‑Pilot group
- Cloud apps: All cloud apps (recommended for admins)
- Access Controls > Grant > Require Authentication Strength
- Select Phishing‑resistant MFA
- Enable policy = Report‑only (first phase).
- After validation, switch to ON.
Validation Steps
- Validate sign‑in logs to confirm Phishing‑Resistant MFA was the effective control.
Entra Admin Center > Monitoring & Logs > Sign‑in logs. - Test phishing‑resistant methods:
- FIDO2 key
- Windows Hello
- Device‑bound passkey
These should satisfy the authentication requirement if configured correctly.
====================== Troubleshooting =========================
| Issue | Resolution |
|---|---|
| Users locked out | Confirm registration at https://aka.ms/mysecurityinfo and exclude user temporarily |
| FIDO2 key not accepted | Ensure attestation not restricted & key model supported |
| Windows Hello not offered | Check if device is Entra‑joined/registered |
| App can't satisfy PR‑MFA | App may be legacy / does not support modern auth |