Configure Essential Eight MFA authentication methods

The authentication methods policy defines the options that are made available to a user when they visit the My Security Info page to set up their preferred MFA methods.

Note

The following configuration guidance assumes the Microsoft Entra tenant has been migrated from the legacy MFA/SSPR policy settings to the unified authentication methods policy. Use the guide How to migrate to the Authentication methods policy to complete the migration.

For maturity level 1, Microsoft recommends enabling passwordless methods and using features such as the registration campaign to move users onto strong authentication methods.

Use the following steps to configure the authentication methods for a given maturity level.

  • Browse to the Microsoft Entra admin center.
  • Select Protection > Authentication methods > Policies.
  • Configure the authentication methods for the required maturity level using the following table as a guide.

This table outlines the authentication methods that are available for each maturity level. Yes means the method may be enabled at that level; No means it must be disabled.

Authentication method                            Maturity level 1   Maturity levels 2 & 3
Certificate-based authentication (multifactor)   Yes                Yes
FIDO2 security key                               Yes                Yes
Temporary Access Pass (TAP) [1]                  Yes                Yes
Microsoft Authenticator                          Yes                No
Hardware OATH tokens                             Yes                No
Third-party software OATH tokens                 Yes                No
SMS                                              Yes                No
Voice call                                       Yes                No
Certificate-based authentication (single factor) No                 No
Email OTP                                        No                 No
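The following script is an added example and is not part of this page or of Microsoft's tooling. It encodes the table above as an audit: given the JSON that Microsoft Graph returns for GET /policies/authenticationMethodsPolicy (v1.0), it reports every method that is enabled but not permitted at the chosen maturity level and builds the PATCH bodies that would disable them, so you can check for drift after configuring the policy in the admin center. The configuration ids (Fido2, Sms, X509Certificate and so on), the @odata.type names and the x509CertificateAuthenticationDefaultMode property follow the Graph authenticationMethodConfiguration resources; the sample policy is constructed for illustration, and mapping the single-factor CBA row of the table to the default mode of the X509Certificate configuration is an assumption of this example.

```python
"""Audit an Entra authentication methods policy against the Essential Eight
maturity level table, and build the Graph PATCH calls that fix state drift.
Added example; not Microsoft's code."""
import json
from typing import Dict, List, Tuple

GRAPH = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy"

# Whether a method is permitted at (maturity level 1, maturity levels 2 & 3),
# keyed by the authenticationMethodConfiguration id Graph uses for it.
# "Yes" in the table means it may be enabled; "No" means it must be disabled.
PERMITTED: Dict[str, Tuple[bool, bool]] = {
    "X509Certificate":        (True,  True),   # multifactor CBA; single factor is checked below
    "Fido2":                  (True,  True),
    "TemporaryAccessPass":    (True,  True),   # bootstrap only, see the note on TAP
    "MicrosoftAuthenticator": (True,  False),
    "HardwareOath":           (True,  False),
    "SoftwareOath":           (True,  False),  # third-party software OATH tokens
    "Sms":                    (True,  False),
    "Voice":                  (True,  False),
    "Email":                  (False, False),  # email OTP
}

# @odata.type carried by each configuration object; required in PATCH bodies.
ODATA_TYPE = {m: f"#microsoft.graph.{m[0].lower() + m[1:]}AuthenticationMethodConfiguration"
              for m in PERMITTED}


def _configs(policy: dict) -> Dict[str, dict]:
    """Index the policy's authenticationMethodConfigurations by lower-cased id."""
    return {c["id"].lower(): c for c in policy.get("authenticationMethodConfigurations", [])}


def _prohibited_but_enabled(policy: dict, level: int) -> List[str]:
    col = 0 if level == 1 else 1
    cfgs = _configs(policy)
    return [m for m, allowed in PERMITTED.items()
            if cfgs.get(m.lower(), {}).get("state") == "enabled" and not allowed[col]]


def assess(policy: dict, level: int) -> List[str]:
    """Return one finding per deviation from the table for maturity level 1, 2 or 3."""
    cfgs = _configs(policy)
    findings = [f"{m}: enabled but not permitted at maturity level {level}; must be disabled"
                for m in _prohibited_but_enabled(policy, level)]
    # Assumption of this example: the table's single-factor CBA row corresponds to the
    # default mode of the X509Certificate configuration. Any other default is a finding.
    cba = cfgs.get("x509certificate")
    if cba and cba.get("state") == "enabled":
        mode = cba.get("authenticationModeConfiguration", {}).get("x509CertificateAuthenticationDefaultMode")
        if mode != "x509CertificateMultiFactor":
            findings.append(f"X509Certificate: default mode is {mode}, must be x509CertificateMultiFactor")
    # At levels 2 and 3 TAP only bootstraps; a phishing-resistant method must remain enabled.
    if level >= 2 and not any(cfgs.get(m.lower(), {}).get("state") == "enabled"
                              for m in ("Fido2", "X509Certificate")):
        findings.append("No phishing-resistant method (Fido2 or X509Certificate) is enabled")
    return findings


def patch_requests(policy: dict, level: int) -> List[Tuple[str, dict]]:
    """Build (url, body) pairs that disable every method the table prohibits at this level.
    The CBA default mode is deliberately not patched: its rules should be reviewed by hand."""
    return [(f"{GRAPH}/authenticationMethodConfigurations/{m}",
             {"@odata.type": ODATA_TYPE[m], "state": "disabled"})
            for m in _prohibited_but_enabled(policy, level)]


def apply(calls: List[Tuple[str, dict]], access_token: str) -> None:
    """Send the PATCHes; the token needs Policy.ReadWrite.AuthenticationMethod."""
    import urllib.request
    for url, body in calls:
        req = urllib.request.Request(url, data=json.dumps(body).encode(), method="PATCH",
                                     headers={"Authorization": f"Bearer {access_token}",
                                              "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            print(resp.status, url)


# Constructed sample: a tenant aiming for level 2 that still has SMS on and CBA
# defaulting to single factor. Shaped like the Graph GET response, trimmed.
SAMPLE_POLICY = {
    "id": "authenticationMethodsPolicy",
    "authenticationMethodConfigurations": [
        {"@odata.type": ODATA_TYPE["Fido2"], "id": "Fido2", "state": "enabled"},
        {"@odata.type": ODATA_TYPE["X509Certificate"], "id": "X509Certificate", "state": "enabled",
         "authenticationModeConfiguration": {
             "x509CertificateAuthenticationDefaultMode": "x509CertificateSingleFactor"}},
        {"@odata.type": ODATA_TYPE["TemporaryAccessPass"], "id": "TemporaryAccessPass", "state": "enabled"},
        {"@odata.type": ODATA_TYPE["MicrosoftAuthenticator"], "id": "MicrosoftAuthenticator", "state": "disabled"},
        {"@odata.type": ODATA_TYPE["HardwareOath"], "id": "HardwareOath", "state": "disabled"},
        {"@odata.type": ODATA_TYPE["SoftwareOath"], "id": "SoftwareOath", "state": "disabled"},
        {"@odata.type": ODATA_TYPE["Sms"], "id": "Sms", "state": "enabled"},
        {"@odata.type": ODATA_TYPE["Voice"], "id": "Voice", "state": "disabled"},
        {"@odata.type": ODATA_TYPE["Email"], "id": "Email", "state": "disabled"},
    ],
}

if __name__ == "__main__":
    for level in (1, 2):
        print(f"Maturity level {level}: {assess(SAMPLE_POLICY, level) or ['compliant']}")
    for url, body in patch_requests(SAMPLE_POLICY, 2):
        print("PATCH", url, json.dumps(body))
```

Run it against a real tenant by replacing SAMPLE_POLICY with the parsed response of GET /policies/authenticationMethodsPolicy and passing the returned calls to apply() with a token that has Policy.ReadWrite.AuthenticationMethod. The script only ever disables methods; it never enables one, so running it at level 1 leaves a tenant that has already locked down to level 2 untouched.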

Important

[1] Temporary Access Pass (TAP)

  • TAP is not a phishing-resistant authentication method; however, it is required to bootstrap a user's access so they can set up a permitted authentication method.
  • Common scenarios for TAP usage include:
      • New starters who have not yet set up any authentication methods.
      • A user who has lost access to all of their authentication methods.
  • Ensure that help desk staff adequately verify the identity of the user before issuing a Temporary Access Pass.

Next steps