Configure Essential Eight MFA authentication strengths
This article provides guidance on configuring the authentication strengths that users are allowed to use when authenticating at a given maturity level. The authentication strengths defined in this section are used to define the Essential Eight MFA conditional access policy.
To configure the authentication strength:
- Browse to the Microsoft Entra admin center > Microsoft Entra admin center.
- Select Protection > Authentication methods > Authentication strengths.
- Select New authentication strength.
- Configure the strengths for the required maturity level using the following table as a guide.
- Select Next > Select Create.
This table outlines the authentication strengths that are available for each maturity level.
| Category | Authentication strength | Maturity Level 1 | Maturity Levels 2 & 3 |
|---|---|---|---|
| Phishing-resistant MFA | Windows Hello For Business |  |
|
| Passkeys (FIDO2) | |
|
|
| Certificate-based Authentication (Multi-factor) | |
|
|
| Passwordless MFA | Microsoft Authenticator (Phone Sign-in) | |
 |
| Multifactor authentication | Temporary Access Pass (One-time use)1 | |
|
| Temporary Access Pass (Multi-use)1 | |
|
|
| Password + Microsoft Authenticator (Push Notification) | |
|
|
| Password + Software OATH token | |
|
|
| Password + Hardware OATH token | |
|
|
| Password + SMS | |
|
|
| Password + Voice | |
|
|
| Federated Multi factor | |
|
|
| Federated Single factor + Microsoft Authenticator (Push Notification) | |
|
|
| Federated Single factor + Software OATH token | |
|
|
| Federated Single factor + Hardware OATH token | |
|
|
| Federated Single factor + SMS | |
|
|
| Federated Single factor + Voice | |
|
|
| Single factor authentication | Certificate-based Authentication (Single factor) | |
|
| SMS | |
|
|
| Password | |
|
|
| Federated Single factor | |
|
1 Ensure that help desk staff adequately verify the identity of the user when issuing the temporary access pass.