NIST authenticator assurance level 1 with Microsoft Entra ID

Article
11/21/2024

The National Institute of Standards and Technology (NIST) develops technical requirements for US federal agencies implementing identity solutions. Organizations must meet these requirements when working with federal agencies.

Before you begin authenticator assurance level 1 (AAL1), you can review the following resources:

NIST overview: Understand AAL levels
Authentication basics: Terminology and authentication types
NIST authenticator types: Authenticator types
NIST AALs: AAL components, Microsoft Entra authentication methods, and Trusted Platform Modules (TPMs).

Permitted authenticator types

To achieve AAL1, you can use any NIST single-factor or multifactor permitted authenticator.

Microsoft Entra authentication method	NIST authenticator type
Password QR Code (PIN)	Memorized Secret
Phone (SMS): Not recommended	Single-factor out-of-band
Microsoft Authenticator app (Phone Sign-In)	Multi-factor out-of-band
Single-factor software certificate	Single-factor crypto software
Multi-factor software certificate Windows Hello for Business with software TPM	Multi-factor crypto software
Multi-factor hardware protected certificate FIDO 2 security key Platform SSO for macOS (Secure Enclave) Windows Hello for Business with hardware TPM Passkey in Microsoft Authenticator	Multi-factor crypto hardware

Tip

We recommend you select at a minimum phishing resistant AAL2 authenticators. Select AAL3 authenticators as necessary for business reasons, industry standards, or compliance requirements.

FIPS 140 validation

Verifier requirements

Microsoft Entra ID uses the Windows FIPS 140 Level 1 cryptographic module for its authentication cryptographic operations. It's therefore a FIPS 140-compliant verifier required by government agencies.

Man-in-the-middle resistance

Communications between the claimant and Microsoft Entra ID are over an authenticated, protected channel, to resist man-in-the-middle (MitM) attacks. This configuration satisfies the MitM-resistance requirements for AAL1, AAL2, and AAL3.

Next steps

NIST overview

Learn about AALs

Authentication basics

NIST authenticator types

Achieve NIST AAL1 with Microsoft Entra ID

Achieve NIST AAL2 with Microsoft Entra ID

Achieve NIST AAL3 with Microsoft Entra ID

Additional resources

Documentation

NIST authenticator assurance levels with Microsoft Entra ID - Microsoft Entra

An overview of authenticator assurance levels as applied to Microsoft Entra ID
Achieve NIST AAL3 by using Microsoft Entra ID - Microsoft Entra

This article provides guidance on achieving NIST authenticator assurance level 3 (AAL3) by using Microsoft Entra ID.
NIST authentication basics and Microsoft Entra ID - Microsoft Entra

This article has terminology definitions, describes Trusted Platform Modules, and lists NIST authentication factors
NIST authenticator types and aligned Microsoft Entra methods - Microsoft Entra

Explanations of how Microsoft Entra authentication methods align with NIST authenticator types.
Achieve NIST authenticator assurance levels with Microsoft Entra ID - Microsoft Entra

Use Microsoft Entra ID to meet NIST authenticator assurance levels.
Achieve NIST AAL2 with the Microsoft Entra ID - Microsoft Entra

Guidance on achieving NIST authenticator assurance level 2 (AAL2) with Microsoft Entra ID.

Training

Module

Manage authentication by using Microsoft Entra ID - Training

This module is designed to provide administrators with the knowledge and skills needed to manage authentication effectively using Microsoft Entra ID, ensuring secure access to resources and enhancing user experience.

Certification

Microsoft Certified: Identity and Access Administrator Associate - Certifications

Demonstrate the features of Microsoft Entra ID to modernize identity solutions, implement hybrid solutions, and implement identity governance.

Share via