Meet multifactor authentication requirements of memorandum 22-09

Learn about using Microsoft Entra ID as the centralized identity management system when implementing Zero Trust principles. See, US Office of Management and Budget (OMB) M 22-09 Memorandum for the Heads of Executive Departments and Agencies.

The memo requirements are that employees use enterprise-managed identities to access applications, and that multifactor authentication protects employees from sophisticated online attacks, such as phishing. This attack method attempts to obtain and compromise credentials, with links to inauthentic sites.

Multifactor authentication prevents unauthorized access to accounts and data. The memo requirements cite multifactor authentication with phishing-resistant methods: authentication processes designed to detect and prevent disclosure of authentication secrets and outputs to a website or application masquerading as a legitimate system. Therefore, establish what multifactor authentication methods qualify as phishing-resistant.

Phishing-resistant methods

Some federal agencies have deployed modern credentials such as FIDO2 security keys or Windows Hello for Business. Many are evaluating Microsoft Entra authentication with certificates.

Learn more:

Some agencies are modernizing their authentication credentials. There are multiple options for meeting phishing-resistant multifactor authentication requirements with Microsoft Entra ID. Microsoft recommends adopting phishing-resistant multifactor authentication method that matches the agency capabilities. Consider what's possible now for phishing-resistance multifactor authentication to improve the overall cybersecurity posture. Implement modern credentials. However, if the quickest path isn't a modern approach, take the step to begin the journey toward modern approaches.

Diagram of Microsoft Entra phishing-resistant multifactor authentication methods.

Modern approaches

Protection from external phishing

Microsoft Authenticator and Conditional Access policies enforce managed devices: Microsoft Entra hybrid joined devices or devices marked as compliant. Install Microsoft Authenticator on devices accessing applications protected by Microsoft Entra ID.

Learn more: Authentication methods in Microsoft Entra ID - Microsoft Authenticator app


To meet the phishing-resistant requirement: Manage only the devices accessing the protected application. Users allowed to use Microsoft Authenticator are in scope for Conditional Access policy requiring managed devices for access. A Conditional Access policy blocks access to the Microsoft Intune Enrollment Cloud App. Users allowed to use Microsoft Authenticator are in scope for this Conditional Access policy. Use the same group(s) to allow Microsoft Authenticator authentication in Conditional Access policies to ensure that users enabled for the authentication method are in scope for both policies. This Conditional Access policy prevents the most significant vector of phishing threats from malicious external actors. It also prevents malicious actor from phishing Microsoft Authenticator to register a credential, or join a device and enroll it in Intune to mark it as compliant.

Learn more:


Microsoft Authenticator isn't phishing-resistant. Configure Conditional Access policy to require that managed devices get protection from external phishing threats.


Federated identity providers (IdPs) such as Active Directory Federation Services (AD FS) configured with phishing-resistant method(s). While agencies achieve phishing resistance with federated IdP, it adds cost, complexity, and risk. Microsoft encourages the security benefits of Microsoft Entra ID an IdP, removing the associated risk of a federated IdP

Learn more:

Phishing-resistant method considerations

Your current device capabilities, user personas, and other requirements might dictate multi-factor methods. For example, FIDO2 security keys with USB-C support require devices with USB-C ports. Consider the following information when evaluating phishing-resistant multifactor authentication:

  • Device types and capabilities you can support: kiosks, laptops, mobile phones, biometric readers, USB, Bluetooth, and near-field communication devices
  • Organizational user personas: front-line workers, remote workers with and without company-owned hardware, administrators with privileged access workstations, and business-to-business guest users
  • Logistics: distribute, configure, and register multifactor authentication methods such as FIDO2 security keys, smart cards, government-furnished equipment, or Windows devices with TPM chips
  • Federal Information Processing Standards (FIPS) 140 validation at an authenticator assurance level: some FIDO security keys are FIPS 140 validated at levels for AAL3 set by NIST SP 800-63B

Implementation considerations for phishing-resistant multifactor authentication

See the following sections for support of implementing phishing-resistant methods for application and virtual device sign-in.

Application sign-in scenarios from various clients

The following table details the availability of phishing-resistant multifactor authentication scenarios, based on the device type that's used to sign in to the applications:

Device AD FS as a federated IdP with certificate authentication Microsoft Entra certificate authentication FIDO2 security keys Windows Hello for Business Microsoft Authenticator with Conditional Access policies enforcing Microsoft Entra hybrid join or compliant devices
Windows device Checkmark with solid fill Checkmark with solid fill Checkmark with solid fill Checkmark with solid fill Checkmark with solid fill
iOS mobile device Checkmark with solid fill Checkmark with solid fill Not applicable Not applicable Checkmark with solid fill
Android mobile device Checkmark with solid fill Checkmark with solid fill Not applicable Not applicable Checkmark with solid fill
macOS device Checkmark with solid fill Checkmark with solid fill Edge/Chrome Not applicable Checkmark with solid fill

Learn more: Browser support for FIDO2 passwordless authentication

Virtual device sign-in scenarios that require integration

To enforce phishing-resistant multifactor authentication, integration might be necessary. Enforce multifactor authentication for users accessing applications and devices. For the five phishing-resistant multifactor authentication types, use the same features to access the following device types:

Target system Integration actions
Azure Linux virtual machine (VM) Enable the Linux VM for Microsoft Entra sign-in
Azure Windows VM Enable the Windows VM for Microsoft Entra sign-in
Azure Virtual Desktop Enable Azure Virtual Desktop for Microsoft Entra sign-in
VMs hosted on-premises or in other clouds Enable Azure Arc on the VM and then enable Microsoft Entra sign-in. Currently in private preview for Linux. Support for Windows VMs hosted in these environments is on our roadmap.
Non-Microsoft virtual desktop solution Integrate the virtual desktop solution as an app in Microsoft Entra ID

Enforcing phishing-resistant multifactor authentication

Use Conditional Access to enforce multifactor authentication for users in your tenant. With the addition of cross-tenant access policies, you can enforce it on external users.

Learn more: Overview: Cross-tenant access with Microsoft Entra External ID

Enforcement across agencies

Use Microsoft Entra B2B collaboration to meet requirements that facilitate integration:

  • Limit what other Microsoft tenants your users access
  • Allow access to users you don't have to manage in your tenant, but enforce multifactor authentication and other access requirements

Learn more: B2B collaboration overview

Enforce multifactor authentication for partners and external users who access organizational resources. This action is common in inter-agency collaboration scenarios. Use Microsoft Entra cross-tenant access policies to configure multifactor authentication for external users who access applications and resources.

Configure trust settings in cross-tenant access policies to trust the multifactor authentication method the guest user tenant uses. Avoid having users register a multifactor authentication method with your tenant. Enable these policies on a per-organization basis. You can determine the multifactor authentication methods in the user home tenant and decide if they meet phishing resistance requirements.

Password policies

The memo requires organizations to change ineffective password policies, such as complex, rotated passwords. Enforcement includes removing the requirement for special characters and numbers, with time-based password rotation policies. Instead, consider the following options:

Although the memo isn't specific about policies to use with passwords, consider the standard from NIST 800-63B.

See, NIST Special Publication 800-63B, Digital Identity Guidelines.

Next steps