What is Microsoft Entra authentication?

Authentication is the process of verifying a person's identity before granting access to a resource, application, service, device, or network. It's how a system makes sure users are who they say they are when they try to sign in.

Authentication methods supported by Microsoft Entra ID

The following table shows whether each authentication method can be used for primary (first-factor) authentication, as a second factor with Microsoft Entra multifactor authentication (MFA), and for self-service password reset (SSPR). The "Secondary authentication" column states which of MFA and SSPR a method supports as a second factor.

Method                                      Primary authentication  Secondary authentication
Windows Hello for Business                  Yes                     MFA (1)
Platform Credential for macOS               Yes                     MFA
Passkey (FIDO2)                             Yes                     MFA
Passkey in Microsoft Authenticator          Yes                     MFA
Synced passkey (preview)                    Yes                     MFA
Certificate-based authentication            Yes                     MFA
Microsoft Authenticator passwordless        Yes                     No
Microsoft Authenticator push notifications  Yes                     MFA and SSPR
Authenticator Lite                          No                      MFA
Hardware OATH tokens (preview)              No                      MFA and SSPR
Software OATH tokens                        No                      MFA and SSPR
External authentication methods (preview)   No                      MFA
Temporary Access Pass (TAP)                 Yes                     MFA
Short Message Service (SMS) sign-in         Yes                     MFA and SSPR
Voice call                                  No                      MFA and SSPR
QR code                                     Yes                     No
Password                                    Yes                     No

(1) Windows Hello for Business can serve as a step-up MFA credential only if the user is enabled for passkey (FIDO2) and has a passkey registered.

Phishing-resistant authentication methods  

While traditional MFA with SMS, email OTP, or authenticator apps significantly improves security over password-only sign-in, these options add friction: users must enter codes, approve push notifications, or open an authenticator app. More importantly, these MFA options remain vulnerable to remote phishing, in which attackers use social engineering and AI-driven tools to capture credentials such as passwords and one-time codes, or to trick the user into approving a sign-in they did not initiate, without ever having physical access to the user's device.

Microsoft recommends phishing-resistant authentication methods such as Windows Hello for Business, passkeys (FIDO2, including FIDO2 security keys), or certificate-based authentication (CBA), because they provide the most secure sign-in experience. With these methods the credential is a private key bound to the device and to the legitimate sign-in origin, so there is no code or approval a user can be tricked into handing to an attacker's site.

The following phishing-resistant authentication methods are available in Microsoft Entra ID. 

  • Windows Hello for Business
  • Platform Credential for macOS
  • Synced passkeys (FIDO2) (preview)
  • FIDO2 security keys
  • Passkeys in Microsoft Authenticator
  • Certificate-based authentication (CBA) 
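To make the table and the list above concrete, here is an added Python example (not Microsoft's code) that takes the JSON Microsoft Graph returns from GET /users/{id}/authentication/methods and reports which of a user's registered methods are phishing-resistant, and whether any of them can satisfy a step-up MFA prompt (applying footnote 1 for Windows Hello for Business). The @odata.type names are the Graph type names for these methods; the user list, object ids, and display names are constructed sample data so the script runs offline.

```python
"""Classify registered Microsoft Entra ID authentication methods by phishing resistance.

Added illustration, not Microsoft's code. The "@odata.type" values are the ones Microsoft
Graph returns from GET /users/{id}/authentication/methods; the JSON below is a constructed
sample standing in for real responses, so the script runs offline.
"""
import json

# Graph method types corresponding to the phishing-resistant methods listed on this page.
WHFB = "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod"
FIDO2 = "#microsoft.graph.fido2AuthenticationMethod"          # passkeys: security keys, Authenticator, synced
PLATFORM_CREDENTIAL = "#microsoft.graph.platformCredentialAuthenticationMethod"  # Platform Credential for macOS
CBA = "#microsoft.graph.x509CertificateAuthenticationMethod"  # certificate-based authentication

PHISHING_RESISTANT = {WHFB, FIDO2, PLATFORM_CREDENTIAL, CBA}

# Constructed sample: four users and the methods each has registered (ids are made up).
SAMPLE_JSON = """
{
  "alice@contoso.example": {"value": [
    {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod", "id": "pw-1"},
    {"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod", "id": "auth-1"},
    {"@odata.type": "#microsoft.graph.fido2AuthenticationMethod", "id": "fido-1", "displayName": "Work security key"}
  ]},
  "bob@contoso.example": {"value": [
    {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod", "id": "pw-2"},
    {"@odata.type": "#microsoft.graph.phoneAuthenticationMethod", "id": "ph-2", "phoneType": "mobile"},
    {"@odata.type": "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod", "id": "whfb-2"}
  ]},
  "carol@contoso.example": {"value": [
    {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod", "id": "pw-3"},
    {"@odata.type": "#microsoft.graph.phoneAuthenticationMethod", "id": "ph-3", "phoneType": "mobile"},
    {"@odata.type": "#microsoft.graph.softwareOathAuthenticationMethod", "id": "oath-3"}
  ]},
  "dave@contoso.example": {"value": [
    {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod", "id": "pw-4"},
    {"@odata.type": "#microsoft.graph.x509CertificateAuthenticationMethod", "id": "cba-4"}
  ]}
}
"""


def load_sample() -> dict:
    """Parse the constructed per-user Graph responses (user principal name -> response body)."""
    return json.loads(SAMPLE_JSON)


def registered_types(response: dict) -> set:
    """Return the set of method types present in one Graph methods response."""
    return {m.get("@odata.type", "") for m in response.get("value", [])}


def assess(response: dict) -> dict:
    """Assess one user's registered methods against the table on this page."""
    types = registered_types(response)
    resistant = sorted(types & PHISHING_RESISTANT)
    # Footnote 1: Windows Hello for Business only satisfies a step-up (second-factor) prompt
    # when the user also holds a passkey (FIDO2); the other resistant methods always can.
    step_up_capable = sorted(t for t in resistant if t != WHFB or FIDO2 in types)
    return {
        "phishing_resistant": resistant,
        "phishable": sorted(types - PHISHING_RESISTANT),
        "primary_phishing_resistant": bool(resistant),
        "step_up_phishing_resistant": bool(step_up_capable),
    }


def users_to_remediate(responses: dict) -> list:
    """Users who cannot meet a phishing-resistant MFA requirement with any registered method."""
    return sorted(u for u, r in responses.items() if not assess(r)["step_up_phishing_resistant"])


if __name__ == "__main__":
    responses = load_sample()
    for user, body in responses.items():
        result = assess(body)
        print(f"{user}: phishing-resistant={result['phishing_resistant'] or 'none'}, "
              f"step-up capable={result['step_up_phishing_resistant']}")
    print("Remediate:", users_to_remediate(responses))
```

Against a real tenant you would replace SAMPLE_JSON with the response bodies from Graph (one call per user, or the authentication methods registration report) and feed the resulting list into a registration campaign; the assessment logic does not change. Bob is the instructive case: Windows Hello for Business lets him sign in without a phishable credential, but until he registers a passkey he still cannot satisfy a phishing-resistant step-up prompt.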

High-assurance account recovery

Account recovery is the process by which users who have lost all of their credentials regain access to their account. The traditional approach is for the user to call the helpdesk and answer some questions to verify their identity, after which the helpdesk resets their credentials; because those questions rely on knowledge an attacker may also have, this path is a common target for social engineering. Microsoft Entra ID now supports government-issued ID and biometric verification, which performs an AI-powered biometric match against a government-issued ID for high-assurance account recovery.

Organizations can choose among the leading identity verification providers (IDV) via Microsoft Security Store: Idemia, LexisNexis, and Au10tix. These partners offer coverage across 192 countries/regions and remote verification for most government-issued identity (Gov ID) documents, including driver's licenses and passports. Entra Verified ID Face Check, powered by Azure AI services, adds a further layer of trust by matching the user's real-time selfie against the photo on their identity document. Because only the match result, and not the underlying identity data, is shared with the organization, Face Check preserves user privacy while giving enterprises confidence that the person claiming an identity is really that person.

Once enabled, this capability provides a natively integrated end-to-end flow for users to regain access to their accounts easily and securely. For more information, see Overview of Microsoft Entra ID Account Recovery.