NIST authenticator assurance level 1 with Azure Active Directory
The National Institute of Standards and Technology (NIST) develops technical requirements for US federal agencies implementing identity solutions. Organizations must meet these requirements when working with federal agencies.
Before you begin authenticator assurance level 1 (AAL1), you can review the following resources:
- NIST overview: Understand AAL levels
- Authentication basics: Terminology and authentication types
- NIST authenticator types: Authenticator types
- NIST AALs: AAL components, Azure Active Directory (Azure AD) authentication methods, and Trusted Platform Modules (TPMs).
Permitted authenticator types
To achieve AAL1, you can use any NIST single-factor or multifactor permitted authenticator. Note that Password and Phone (SMS) are not covered in AAL2 or AAL3.
| Azure AD authentication method | NIST authenticator type |
|---|---|
| Password | Memorized secret |
| Phone (SMS) | Out-of-band |
| FIDO2 security key | Multi-factor crypto software |
| Microsoft Authenticator app for iOS (passwordless) | Multi-factor crypto software |
| Windows Hello for Business with software TPM | Multi-factor crypto software |
| Smartcard (Active Directory Federation Services) | Multi-factor crypto software |
Tip
We recommend you meet at least AAL2. If necessary, meet AAL3 for business reasons, industry standards, or compliance requirements.
FIPS 140 validation
Verifier requirements
Azure AD uses the Windows FIPS 140 Level 1 cryptographic module for its authentication cryptographic operations. It is therefore a FIPS 140-compliant verifier, as required by government agencies.
Man-in-the-middle resistance
Communications between the claimant and Azure AD are over an authenticated, protected channel, to resist man-in-the-middle (MitM) attacks. This configuration satisfies the MitM-resistance requirements for AAL1, AAL2, and AAL3.
Next steps
Achieve NIST AAL1 with Azure AD