Build resilience with credential management
When a credential is presented to Microsoft Entra ID in a token request, there can be multiple dependencies that must be available for validation. The first authentication factor relies on Microsoft Entra authentication and, in some cases, on an external (non-Entra ID) dependency, such as on-premises infrastructure. For more information on hybrid authentication architectures, see Build resilience in your hybrid infrastructure.
The most secure and resilient credential strategy is to use passwordless authentication. Windows Hello for Business and Passkey (FIDO 2.0) security keys have fewer dependencies than other MFA methods. For macOS users, customers can enable Platform Credential for macOS. With these methods, users perform strong, passwordless, phishing-resistant multifactor authentication (MFA).
Tip
For a video series deep dive on deploying these authentication methods, see Phishing-resistant authentication in Microsoft Entra ID.
If you implement a second factor, the dependencies for the second factor are added to the dependencies for the first. For example, if your first factor is via Pass Through Authentication (PTA) and your second factor is SMS, your dependencies are as follows.
- Microsoft Entra authentication services
- Microsoft Entra multifactor authentication service
- On-premises infrastructure
- Phone carrier
- The user's device (not pictured)
Your credential strategy should consider the dependencies of each authentication type and provision methods that avoid a single point of failure.
Because authentication methods have different dependencies, it's a good idea to enable users to register for as many second factor options as possible. Be sure to include second factors with different dependencies, if possible. For example, Voice call and SMS as second factors share the same dependencies, so having them as the only options doesn't mitigate risk.
For second factors, the Microsoft Authenticator app or other authenticator apps using time-based one-time passcodes (TOTP), and OATH hardware tokens, have the fewest dependencies and are therefore the most resilient.
| Authentication Method | External (Non-Entra) Dependency | More Information |
|---|---|---|
| Certificate Based Authentication (CBA) | In most cases (depending on configuration) CBA requires a revocation check. This adds an external dependency on the CRL distribution point (CDP). | Understanding the certificate revocation process |
| Pass Through Authentication (PTA) | PTA uses on-premises agents to process the password authentication. | How does Microsoft Entra pass-through authentication work? |
| Federation | Federation server(s) must be online and available to process the authentication attempt. | High availability cross-geographic AD FS deployment in Azure with Azure Traffic Manager |
| External Authentication Methods (EAM) | EAM provides a path for customers to use external MFA providers. | Manage an external authentication method in Microsoft Entra ID (Preview) |
Provisioning multiple credential types gives users options that accommodate their preferences and environmental constraints. As a result, interactive authentication where users are prompted for multifactor authentication will be more resilient to specific dependencies being unavailable at the time of the request. You can optimize reauthentication prompts for multifactor authentication.
In addition to the individual user resiliency described above, enterprises should plan contingencies for large-scale disruptions such as operational errors that introduce a misconfiguration, a natural disaster, or an enterprise-wide outage of an on-premises federation service (especially when it is used for multifactor authentication).
- Deploy passwordless credentials. Prefer phishing-resistant methods such as Windows Hello for Business, Passkeys (both Authenticator Passkey Sign-in and FIDO2 security keys), and certificate-based authentication (CBA) to increase security while reducing dependencies.
- Deploy the Microsoft Authenticator App as a second factor.
- Migrate from federation to cloud authentication to remove reliance on a federated identity provider.
- Turn on password hash synchronization for hybrid accounts that are synchronized from Windows Server Active Directory. This option can be enabled alongside federation services such as Active Directory Federation Services (AD FS) and provides a fallback in case the federation service fails.
- Analyze usage of multifactor authentication methods to improve user experience.
- Implement a resilient access control strategy.
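As an added illustration (not code from the article or from Microsoft), the following Python script turns the dependency reasoning above into a check: it models the dependency sets the article describes for first and second factors, then reports which single dependency outage would block every sign-in path a user has registered, including the case where password hash synchronization sits beside PTA or federation as a fallback. All method names, dependency labels, and user registrations are constructed assumptions for illustration.

```python
# Constructed model of the dependencies the article lists; method names and
# dependency labels are assumptions for illustration, not Entra identifiers.
# "entra-auth" (the Microsoft Entra authentication service) is needed by every
# sign-in, so no mix of methods can remove it as a dependency.
FIRST_FACTOR_DEPENDENCIES = {
    "phs":        {"entra-auth"},                            # password hash sync, cloud only
    "pta":        {"entra-auth", "on-premises"},             # pass-through agents on premises
    "federation": {"entra-auth", "federation-server"},       # AD FS or other federation service
    "cba":        {"entra-auth", "crl-distribution-point"},  # revocation check in most configs
    "fido2":      {"entra-auth"},                            # passkey / security key
    "whfb":       {"entra-auth"},                            # Windows Hello for Business
}
# A second factor's dependencies add to the first factor's.
SECOND_FACTOR_DEPENDENCIES = {
    "authenticator": {"entra-mfa"},                   # Authenticator app / TOTP
    "oath-token":    {"entra-mfa"},                   # OATH hardware token
    "sms":           {"entra-mfa", "phone-carrier"},
    "voice":         {"entra-mfa", "phone-carrier"},  # same dependencies as SMS
}
PASSWORDLESS = {"fido2", "whfb"}  # MFA on their own, no second factor needed
UNAVOIDABLE = {"entra-auth"}

def sign_in_paths(first_factors, second_factors):
    """One dependency set per MFA sign-in path the user could complete. Assumes
    every listed first factor is usable; how a tenant switches between them
    (e.g. federation to cloud authentication) is outside this model."""
    paths = []
    for first in first_factors:
        if first in PASSWORDLESS:
            paths.append(frozenset(FIRST_FACTOR_DEPENDENCIES[first]))
            continue
        for second in second_factors:
            paths.append(frozenset(FIRST_FACTOR_DEPENDENCIES[first]
                                   | SECOND_FACTOR_DEPENDENCIES[second]))
    return paths

def single_points_of_failure(first_factors, second_factors):
    """Dependencies whose outage blocks every path (minus the unavoidable Entra
    service), or None when the user cannot complete MFA at all."""
    paths = sign_in_paths(first_factors, second_factors)
    if not paths:
        return None
    return set(frozenset.intersection(*paths)) - UNAVOIDABLE

if __name__ == "__main__":  # constructed registrations: (first factors, second factors)
    for user, (first, second) in {"alice": (["pta"], ["sms", "voice"]),
                                  "bob": (["pta", "phs"], ["sms", "authenticator"]),
                                  "carol": (["phs", "fido2"], ["authenticator"])}.items():
        print(user, sorted(single_points_of_failure(first, second)))
```

A user whose only second factors are SMS and voice still shares the phone carrier as a single point of failure, while adding password hash synchronization beside PTA removes the on-premises dependency from the shared set.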