Search
StarWind is a hyperconverged (HCI) vendor with focus on Enterprise ROBO, SMB & Edge
Find out how HCI cuts down virtualization costs and complexity

Define different authentication strengths for your users in Azure AD

  • February 8, 2023
  • 5 min read
Romain Serre
IT and Virtualization Consultant. Romain is specializing in Microsoft technologies such as Hyper-V, System Center, storage, networking, and MS Azure. He is a Microsoft MVP and MCSE in Server Infrastructure and Private Cloud.
IT and Virtualization Consultant. Romain is specializing in Microsoft technologies such as Hyper-V, System Center, storage, networking, and MS Azure. He is a Microsoft MVP and MCSE in Server Infrastructure and Private Cloud.


Microsoft released a new feature called authentication strengths that enables to define the authentication methods allowed for a group of users. This feature is used in conditional access to apply the policies to the right people.

In this topic we will see how to use authentication strengths in Azure AD.

Create authentication strengths

Authentication strengths comes with three built-in policies:

  • Multi-Factor authentication: all authentications that support MFA
  • Passwordless authentication: Microsoft Authenticator (phone sign-in), FIDO2 and certificate-based authentication
  • Phishing-resistant authentication: only FIDO2 and certificate-based authentication

You can also create your own custom policies. To do that, navigate in Entra (https://entra.microsoft.com) in Protect & Secure > Conditional Access > Authentication Strengths. From there, click on New authentication strength.

Conditional Access

Then provide a name and select the authentication method you want to allow. Usually, I allow FIDO2, certificate-based, Microsoft Authenticator (phone sign-in) and temporary access password (One-time use).

Provide a name and select the authentication method you want to allow

Use authentication strengths in conditional access

Now that the authentication strength is created, we can use it in conditional access. To do so, navigate into policies and create a new conditional access by clicking on new policy.

Conditional access

Provide a name to the conditional access:

Provide a name to the conditional access

In users, select the groups, roles or users on which authentication strength will be applied.

Select the groups, roles or users on which authentication strength will be applied

Usually when you create a conditional access to configure authentication, this policy is applied to all cloud apps. In this case, select all cloud apps in Cloud apps or actions. In any other cases, select the cloud apps on which the authentication strength will be applied.

Cloud apps or actions

In grant, select grant access and tick require authentication strength. Then select the authentication strength you want to apply.

Once you have enabled this conditional access, the authentication strength will be applied to users.

In grant, select grant access and tick require authentication strength

My opinion

Authentication strengths is a great addition to Azure AD. Thanks to this feature you can disable easily deprecated or vulnerable authentication methods such as SMS or phone. You can also have different authentication strengths in your company. For example, for users that manage sensitive information you can enforce FIDO2 and certificate-based authentication. For users who don’t work on sensitive information, you can allow Microsoft Authenticator.

Currently authentication strength is still in preview, so use it in test environment. Once this feature is in GA, you should use this feature especially to disable SMS and phone authentication 😊

Related materials:

Tags
Found Romain’s article helpful? Looking for a reliable, high-performance, and cost-effective shared storage solution for your production cluster?
Dmytro Malynka
Dmytro Malynka StarWind Virtual SAN Product Manager
We’ve got you covered! StarWind Virtual SAN (VSAN) is specifically designed to provide highly-available shared storage for Hyper-V, vSphere, and KVM clusters. With StarWind VSAN, simplicity is key: utilize the local disks of your hypervisor hosts and create shared HA storage for your VMs. Interested in learning more? Book a short StarWind VSAN demo now and see it in action!