# Phishing resistant multifactor authentication for access to desktops, servers, and data repositories

Maturity levels 2 and 3 require phishing resistant authentication methods for access to desktops and servers. Maturity level 3 also requires phishing resistant authentication methods for access to data repositories. This section describes the options available to meet these requirements using Microsoft Entra.
## MFA for access to desktops

### Windows
Windows Hello for Business can be used to enable multifactor authentication for unlocking and accessing Windows devices.
To learn more, see Windows Hello for Business Overview.
### macOS
A Microsoft Entra multifactor option to unlock and access macOS isn't currently available.
### Linux desktop
A Microsoft Entra multifactor option to unlock and access Linux desktops isn't currently available.
## MFA for access to Windows and Linux servers

This section describes support for implementing the phishing resistant methods mentioned previously, for both application and virtual device sign-in scenarios.
| Target System | Integration Actions |
|---|---|
| Azure Linux virtual machine | Enable the Linux virtual machine for Microsoft Entra sign-in |
| Azure Windows virtual machine | Enable the Windows virtual machine for Microsoft Entra sign-in |
| Azure Virtual Desktop | Enable Azure Virtual Desktop for Microsoft Entra sign-in |
| Virtual machines hosted on-premises or in other clouds | Enable Azure Arc on the virtual machine, then enable Microsoft Entra sign-in. (Currently available for Linux. Support for Windows virtual machines hosted in these environments is on our roadmap.) |
| Non-Microsoft virtual desktop solutions | Integrate the non-Microsoft virtual desktop solution as an app in Microsoft Entra |
## MFA for access to data repositories

This section covers implementing multifactor authentication for access to data repositories. A nonexhaustive list of data repositories that integrate with Microsoft Entra includes:
- Azure Databricks: Enable conditional access for Azure Databricks
- Azure SQL Database: Connect to Azure SQL Database with Microsoft Entra multifactor authentication
- Azure Storage: Authorize access to blobs using Microsoft Entra ID
- Microsoft Fabric: Conditional access in Microsoft Fabric
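The Azure SQL Database item above depends on the client choosing a Microsoft Entra sign-in mode that lets Entra (and any Conditional Access policy) prompt for multifactor authentication. The following is an added example, not code from the page or from Microsoft: it builds an ODBC connection string that uses `Authentication=ActiveDirectoryInteractive` and classifies an arbitrary connection string as able or unable to satisfy an MFA requirement. It assumes pyodbc and the ODBC Driver 18 for SQL Server are installed; the server, database and user values are placeholders.

```python
"""
Added example (not from the page): build and check an Azure SQL Database
connection string so that the sign-in goes through Microsoft Entra
interactive authentication, which is what lets Conditional Access require
multifactor authentication. Assumes pyodbc and the ODBC Driver 18 for SQL
Server are installed; server/database/user names below are placeholders.
"""
from __future__ import annotations

# ODBC "Authentication" keyword values that are interactive Entra sign-ins
# and therefore let Entra prompt for MFA. ActiveDirectoryPassword sends
# only a password and cannot satisfy an MFA requirement.
MFA_CAPABLE = {"activedirectoryinteractive"}
NEVER_MFA = {"activedirectorypassword"}


def build_entra_connection_string(server: str, database: str, user_upn: str) -> str:
    """Return an ODBC connection string for Microsoft Entra interactive sign-in."""
    parts = [
        "Driver={ODBC Driver 18 for SQL Server}",
        f"Server=tcp:{server},1433",
        f"Database={database}",
        "Authentication=ActiveDirectoryInteractive",
        f"UID={user_upn}",
        "Encrypt=yes",
        "TrustServerCertificate=no",
    ]
    return ";".join(parts) + ";"


def parse_connection_string(conn_str: str) -> dict[str, str]:
    """Split 'Key=Value;Key=Value;' into a dict with lower-cased keys."""
    result: dict[str, str] = {}
    for item in conn_str.split(";"):
        if "=" not in item:
            continue
        key, _, value = item.partition("=")
        result[key.strip().lower()] = value.strip()
    return result


def mfa_assessment(conn_str: str) -> str:
    """Classify whether the connection string can meet a user MFA requirement.

    Returns "mfa-capable", "no-mfa", or "review". "review" covers non-interactive
    identities (managed identity, service principal, integrated auth), which are
    outside the scope of user MFA and must be assessed on their own.
    """
    settings = parse_connection_string(conn_str)
    auth = settings.get("authentication", "").lower()
    if auth in MFA_CAPABLE:
        return "mfa-capable"
    if auth in NEVER_MFA:
        return "no-mfa"
    if not auth and ("pwd" in settings or "password" in settings):
        return "no-mfa"  # plain SQL authentication: Entra never sees the sign-in
    return "review"


def connect(conn_str: str):
    """Open the connection; Entra (and any Conditional Access MFA policy) prompts here."""
    import pyodbc  # imported lazily so the checks above work without the driver installed

    if mfa_assessment(conn_str) == "no-mfa":
        raise ValueError("connection string cannot satisfy an MFA requirement")
    return pyodbc.connect(conn_str)


if __name__ == "__main__":
    # Placeholder server, database and user (constructed for this example).
    cs = build_entra_connection_string(
        "contoso-sql.database.windows.net", "Sales", "alice@contoso.com"
    )
    print(cs)
    print(mfa_assessment(cs))
```

`connect()` refuses any string that can only ever present a password, so a client that is accidentally configured with SQL authentication or `ActiveDirectoryPassword` fails closed rather than quietly bypassing the Conditional Access policy that enforces MFA on the database.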
Data repositories that don't natively integrate with Microsoft Entra can be configured for access using Microsoft Entra Private Access. See the section MFA for legacy applications.
## Application sign-in scenarios from different clients

Authentication methods aren't uniformly supported across all operating systems, browsers, and native applications.
For the latest information, see Native app and browser support of FIDO2 passwordless authentication.
## Multifactor authentication for legacy applications
MFA can be enabled for legacy applications that don’t support modern authentication by using Microsoft Entra’s secure hybrid access capability. The two options available for legacy applications include Microsoft Entra's native Application Proxy feature or using a partner solution from one of Microsoft Entra’s secure hybrid access partners.
For more information, see Microsoft Entra Private Access - Apply Conditional Access.