Pelayar ini tidak lagi disokong.
Naik taraf kepada Microsoft Edge untuk memanfaatkan ciri, kemas kini keselamatan dan sokongan teknikal yang terkini.
Microsoft recommends passwordless authentication methods such as Windows Hello, Passkeys (FIDO2), and the Microsoft Authenticator app because they provide the most secure sign-in experience. Although a user can sign-in using other common methods such as a username and password, passwords should be replaced with more secure authentication methods.
Microsoft Entra multifactor authentication adds another layer of security over only using a password when a user signs in. The user can be prompted for other forms of authentication, such as to respond to a push notification, enter a code from a software or hardware token, or respond to a text message or phone call.
To simplify the user on-boarding experience and register for both MFA and self-service password reset (SSPR), we recommend you enable combined security information registration. For resiliency, we recommend that you require users to register multiple authentication methods. When one method isn't available for a user during sign-in or SSPR, they can choose to authenticate with another method. For more information, see Create a resilient access control management strategy in Microsoft Entra ID.
Some authentication methods can be used as the primary factor when you sign in to an application or device, such as using a FIDO2 security key or a password. Other authentication methods are only available as a secondary factor when you use Microsoft Entra multifactor authentication or SSPR.
The following table outlines when an authentication method can be used during a sign-in event:
| Method | Primary authentication | Secondary authentication |
|---|---|---|
| Windows Hello for Business | Yes | MFA1 |
| Microsoft Authenticator push | No | MFA and SSPR |
| Microsoft Authenticator passwordless | Yes | No2 |
| Microsoft Authenticator passkey | Yes | MFA |
| Authenticator Lite | No | MFA |
| Passkey (FIDO2) | Yes | MFA |
| Certificate-based authentication (CBA) | Yes | MFA |
| Hardware OATH tokens (preview) | No | MFA and SSPR |
| Software OATH tokens | No | MFA and SSPR |
| External authentication methods (preview) | No | MFA |
| Temporary Access Pass (TAP) | Yes | MFA |
| Text | Yes | MFA and SSPR |
| Voice call | No | MFA and SSPR |
| QR code (preview) | Yes | No |
| Password | Yes | No |
1Windows Hello for Business can serve as a step-up MFA credential if it's used in FIDO2 authentication. Users need to be registered for passkey (FIDO2).
2Passwordless sign-in can be used for secondary authentication only if CBA is used for primary authentication.
3Alternate phone methods can only be used for MFA.
All of these authentication methods can be configured in the Microsoft Entra admin center, and increasingly using the Microsoft Graph REST API.
To learn more about how each authentication method works, see the following separate conceptual articles:
Password
Nota
In Microsoft Entra ID, a password is often one of the primary authentication methods. You can't disable the password authentication method. If you use a password as the primary authentication factor, increase the security of sign-in events using Microsoft Entra multifactor authentication.
These other verification methods can be used in certain scenarios:
Administrators can view user authentication methods in the Microsoft Entra admin center. Usable methods are listed first, followed by nonusable methods.
Each authentication method can become nonusable for different reasons. For example, a Temporary Access Pass may expire, or FIDO2 security key may fail attestation. The portal gets updated to provide the reason for why the method isn't usable.
Authentication methods that are no longer available due to Require re-register multifactor authentication also appear here.
To get started, see the tutorial for self-service password reset (SSPR) and Microsoft Entra multifactor authentication.
To learn more about SSPR concepts, see How Microsoft Entra self-service password reset works.
To learn more about MFA concepts, see How Microsoft Entra multifactor authentication works.
Learn more about configuring authentication methods using the Microsoft Graph REST API.
To review what authentication methods are in use, see Microsoft Entra multifactor authentication authentication method analysis with PowerShell.
Latihan
Modul
Describe the authentication capabilities of Microsoft Entra ID - Training
Describe the authentication capabilities of Microsoft Entra ID
Pensijilan
Microsoft Certified: Identity and Access Administrator Associate - Certifications
Demonstrate the features of Microsoft Entra ID to modernize identity solutions, implement hybrid solutions, and implement identity governance.
Dokumentasi
Manage authentication methods - Microsoft Entra ID
Learn about the authentication methods policy and different ways to manage authentication methods.
OATH tokens authentication method - Microsoft Entra ID
Learn about using OATH tokens in Microsoft Entra ID to help improve and secure sign-in events.
Enhance accessibility with multifactor authentication in Microsoft Entra ID - Microsoft Entra ID
Explains authentication Methods Accessibility