This chapter covers Multi-Factor Authentication (MFA) and Passwordless Authentication in Microsoft Entra ID (formerly Azure AD), a critical topic for the AZ-104 exam. These technologies are central to identity security and are tested in Domain 1.1 (Manage identities in Microsoft Entra ID). Expect approximately 10-15% of exam questions to touch on MFA configuration, Conditional Access policies, and passwordless methods. You will learn the mechanics of each authentication method, how to configure and enforce them, and common exam traps.
Jump to a section
Think of a high-security apartment building. The main entrance has a doorman who checks IDs (password). But passwords can be stolen or guessed. So the building adds a second factor: a key fob that generates a unique code every 30 seconds (time-based one-time password). Even if someone steals your ID, they cannot enter without the current fob code. Now, the building also implements passwordless authentication: instead of showing an ID and entering a code, you simply tap your smartphone (using Bluetooth or NFC) on a reader at the door. The phone proves your identity using a cryptographic key stored in its secure enclave (like a hardware security module). The doorman's system verifies the signature against a trusted public key stored in the building's directory (Azure AD). This is more secure because the private key never leaves your phone, and there is no password to phish. The building also uses biometrics: your fingerprint or face unlocks the phone, but that is just local verification—the actual authentication to the building is the cryptographic key. This mirrors how Microsoft Entra ID uses FIDO2 security keys, Windows Hello for Business, or the Microsoft Authenticator app to enable passwordless sign-in. The doorman (Entra ID) trusts the key presented by the device, not a shared secret.
What is MFA and Why It Exists
Multi-Factor Authentication (MFA) requires two or more of the following: something you know (password), something you have (phone, hardware key), or something you are (biometric). It mitigates credential theft because an attacker must compromise multiple factors. In Entra ID, MFA is enforced via Conditional Access policies or security defaults. The exam focuses on how to enable and manage MFA for users, including per-user MFA (legacy) and Conditional Access-based MFA (recommended).
How MFA Works Internally
When a user signs in with a password, Entra ID checks if MFA is required. If yes, the authentication flow pauses, and the user must present a second factor. The available methods are:
Microsoft Authenticator app (push notification or OTP)
SMS or voice call
OATH hardware tokens (TOTP)
FIDO2 security keys
Windows Hello for Business
Certificate-based authentication
The flow for Authenticator push: Entra ID sends a notification to the Authenticator app on the registered device. The app uses Azure Notification Hubs to deliver the push. The user approves the sign-in request, which includes a number matching challenge (the user sees a number on screen and enters it in the app) to prevent accidental approvals. The app signs the approval with a private key and sends it to Entra ID. Entra ID verifies the signature and completes authentication.
Key Components and Defaults
Per-user MFA: Legacy setting where each user is enabled individually. Not recommended. Default: disabled.
Conditional Access MFA: Policy-based. You can require MFA for specific apps, locations, or risk levels. Default: no policy.
Security defaults: Enables MFA for all users automatically. Default: enabled for new tenants (if not disabled).
MFA registration: Users must register methods before MFA works. Default registration period: 14 days grace after first required MFA.
Number matching: For Authenticator push, requires user to enter a number displayed on the login screen. Enabled by default since May 2023.
App passwords: Legacy feature for apps that don't support modern auth. Disabled by default.
Passwordless authentication removes the password entirely. Methods include: - Windows Hello for Business: Uses biometrics or PIN tied to the device's TPM. The private key never leaves the device. - FIDO2 Security Keys: USB, NFC, or Bluetooth keys that generate a key pair. The private key is stored on the key. - Microsoft Authenticator app: The app itself becomes the primary factor. The user signs in by verifying a number and using biometrics on the phone. - Phone sign-in (SMS): Not truly passwordless but often grouped; sends a code via SMS.
How Passwordless Works Internally
For FIDO2: The user inserts the key and enters a PIN (local verification). The key signs a challenge from Entra ID using its private key. Entra ID validates the signature using the public key stored in the user's directory object. This is asymmetric cryptography: the private key never leaves the key, preventing phishing.
For Authenticator passwordless: The user enters their username, then opens the Authenticator app. The app shows a number matching challenge. The user enters that number in the app and uses biometrics to approve. The app signs the response with a key provisioned during registration.
Configuration and Verification Commands
To manage MFA via PowerShell:
# Get per-user MFA status
Get-MsolUser -All | Select-Object UserPrincipalName, StrongAuthenticationMethods, StrongAuthenticationRequirements
# Enable MFA for a user (per-user)
$auth = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$auth.RelyingParty = "*"
$auth.State = "Enabled"
Set-MsolUser -UserPrincipalName user@domain.com -StrongAuthenticationRequirements $authTo manage via Graph API:
GET https://graph.microsoft.com/v1.0/users/{id}/authentication/methodsTo create a Conditional Access policy requiring MFA:
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"
$params = @{
displayName = "Require MFA for all users"
state = "enabled"
conditions = @{
userRiskLevels = @()
signInRiskLevels = @()
clientAppTypes = @("all")
platforms = @{
includePlatforms = @("all")
excludePlatforms = @()
}
locations = @{
includeLocations = @("All")
excludeLocations = @()
}
users = @{
includeUsers = @("All")
excludeUsers = @()
}
applications = @{
includeApplications = @("All")
excludeApplications = @()
}
}
grantControls = @{
builtInControls = @("mfa")
operator = "OR"
}
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $paramsInteraction with Related Technologies
MFA integrates with Conditional Access (the primary enforcement mechanism), Identity Protection (risk-based MFA), and Entra ID P1/P2 licensing (P2 includes risk-based policies). Azure AD Join and Hybrid Azure AD Join determine device state, which can be used as a condition in policies. Passwordless methods require devices to be registered in Entra ID.
Exam-Relevant Details
MFA methods supported: Authenticator (push and OTP), SMS, voice call, OATH token, FIDO2, Windows Hello, certificate.
Per-user MFA states: Disabled, Enabled (user must register but not enforced), Enforced (user must use MFA at every sign-in).
Security defaults: Enables MFA for all users, blocks legacy auth, and requires registration within 14 days.
Passwordless registration: Users must register at https://aka.ms/mfasetup. For FIDO2, admins must enable the method in the tenant.
License requirements: Per-user MFA and security defaults work with free tier. Conditional Access MFA requires P1. Risk-based policies require P2.
Legacy auth: MFA does not work with legacy authentication protocols (POP, IMAP, SMTP). You must block legacy auth via Conditional Access or security defaults.
Common Exam Scenarios
User reports not receiving MFA prompts: Check if the user has registered methods, if the policy applies, and if legacy auth is used.
Enabling passwordless: The admin must enable the method in Entra ID > Security > Authentication methods > Passwordless. Then users register.
FIDO2 key not working: Ensure the key is compatible, the user's device is Azure AD joined or registered, and the browser supports WebAuthn.
Step-by-Step: Deploying MFA via Conditional Access
Plan: Determine which users, apps, and conditions require MFA. Use groups for pilot.
Create policy: In Entra ID > Security > Conditional Access > New policy. Name it, assign users (include all, exclude break-glass accounts), assign cloud apps (include all or specific), configure conditions (locations, device state, etc.).
Set grant controls: Require multi-factor authentication. Optionally require compliant device.
Enable policy: Start with "Report-only" mode to test, then switch to "On".
Monitor: Use Sign-in logs and the Conditional Access insights workbook.
Troubleshooting
MFA prompt appears unexpectedly: Check if the session token expired (default 90 days for persistent browser, 24 hours for non-persistent). Check if the policy requires MFA on risky sign-ins.
User cannot register: Ensure the user is not blocked by a Conditional Access policy that requires MFA before registration. Use a trusted location exception.
Authenticator not receiving notifications: Check firewall rules, notification channel (APNs for iOS, FCM for Android). The device must be online.
Summary of Key Numbers
Session token lifetime: 90 days for persistent browser, 24 hours for non-persistent (can be configured).
Remember MFA: Users can mark a device as trusted for up to 60 days (default) or 365 days (configurable).
Security defaults registration grace: 14 days.
Number matching: Enabled by default since May 2023.
App passwords: Deprecated but still available for legacy apps (up to 40 per user).
Enable MFA methods in tenant
Navigate to Entra ID > Security > Authentication methods > Policies. For each method (Microsoft Authenticator, SMS, etc.), click on it and set Enable to Yes. For Authenticator, choose target users (e.g., All users) and configure mode (Any, Passwordless, or Push). For FIDO2, also set the target users and key restrictions. This step makes the methods available for users to register. Without enabling, users cannot add the method even if a policy requires MFA.
Configure Conditional Access policy
Go to Entra ID > Security > Conditional Access > New policy. Provide a name. Under Assignments, select Users and groups: include All users or a specific group, exclude at least one break-glass admin account. Under Cloud apps or actions: select All cloud apps or specific apps. Under Conditions: optionally configure sign-in risk (requires P2), device platforms, locations, client apps. Under Grant: select Require multi-factor authentication. Set Enable policy to Report-only initially. The policy will evaluate but not block. After testing, switch to On.
User registers MFA methods
Users must register at https://aka.ms/mfasetup. They sign in with their password, then are prompted to add a method. They choose from the enabled methods (e.g., Microsoft Authenticator). The app scans a QR code to provision the account. This creates a key pair: private key stored in the app's secure storage, public key sent to Entra ID. For SMS, they enter a phone number and receive a verification code. Registration must complete within the grace period (14 days with security defaults, or immediate if policy enforced).
User signs in with MFA
User navigates to a cloud app. Entra ID authenticates the password first. If the Conditional Access policy requires MFA, Entra ID checks the user's authentication strength. It sends a challenge to the registered method. For Authenticator push: Entra ID sends a notification via Azure Notification Hubs. The app displays a number matching challenge (e.g., 42). The user enters that number in the app and approves using biometric or PIN. The app signs the approval with its private key and sends it back. Entra ID verifies the signature using the stored public key. If valid, it issues tokens.
Monitor and troubleshoot MFA
Use Entra ID > Monitoring > Sign-in logs. Filter by Conditional Access status (Success, Failure, Not applied). Check the Authentication Details tab to see which MFA method was used. For failures, look at the error code. Common errors: 53000 (device not compliant), 53003 (policy blocked), 50076 (MFA required but not registered). Also check the Conditional Access Insights workbook for policy impact. For passwordless issues, verify the device is registered and the method is enabled in authentication methods policy.
Enterprise Scenario 1: Global Organization with Remote Workers A multinational company with 10,000 employees deploys MFA via Conditional Access. They require MFA for all users accessing cloud apps outside the corporate network. They use Microsoft Authenticator with number matching. They exclude a few break-glass accounts (emergency admin accounts) from the policy. They also require compliant device (Intune managed) for access to sensitive apps. The policy is deployed in report-only for two weeks, then enabled. They see a 99% reduction in account compromise incidents. Common issues: users in regions with poor internet get delays in push notifications; they switch to OTP (time-based one-time password) in the Authenticator app, which works offline. The admin also configures a 60-day remember MFA setting to reduce prompts on trusted devices.
Scenario 2: Passwordless Deployment for Executives A financial services firm wants to eliminate passwords for C-level executives due to targeted phishing. They enable passwordless authentication using FIDO2 security keys. They purchase YubiKeys and distribute them. Admins enable the FIDO2 method in Entra ID and target the execs group. Each exec registers their key by inserting it into a USB port and following the setup wizard. They also register a PIN on the key (local verification). The execs now sign in by inserting the key and entering the PIN. The firm also sets a Conditional Access policy requiring passwordless authentication (authentication strength) for these users. Challenges: some execs lose keys, so the firm provisions a second key as backup. They also ensure all browsers support WebAuthn (Chrome, Edge, Firefox).
Scenario 3: Healthcare Organization with Legacy Apps A hospital uses an old EHR that only supports legacy authentication (POP/IMAP). They cannot use MFA directly. They deploy an app proxy solution (Azure AD Application Proxy) to modernize access. The proxy translates modern auth to legacy. They then enforce MFA via Conditional Access on the proxy app. Users access the EHR through a web portal, which requires MFA. This allows the hospital to secure the legacy app without upgrading it. The admin also blocks legacy authentication protocols via a Conditional Access policy (client apps condition) to prevent bypasses. They monitor sign-in logs for any legacy auth attempts and alert on them.
AZ-104 Exam Focus on MFA and Passwordless The exam tests under objective 1.1 "Manage identities in Microsoft Entra ID" and sub-objectives like "Configure and manage MFA" and "Implement passwordless authentication." Specific skills measured: enabling MFA methods, configuring per-user MFA vs. Conditional Access, managing registration, and deploying passwordless methods.
Common Wrong Answers and Traps 1. Per-user MFA vs. Conditional Access: The exam often presents a scenario where a user needs MFA only for external access. Many candidates choose per-user MFA (legacy) because it's simpler. The correct answer is Conditional Access because it allows granular control. Per-user MFA is outdated and forces MFA on all sign-ins. 2. App passwords: A question might ask how to enable MFA for an app that doesn't support modern auth. Candidates may answer "app passwords" but app passwords are deprecated and only work with per-user MFA, not Conditional Access. The correct answer is to use Azure AD Application Proxy or block legacy auth and use modern equivalents. 3. Passwordless method order: The exam might ask which method is most phishing-resistant. FIDO2 is the most secure because it uses hardware-bound keys. Authenticator passwordless is also strong but relies on the phone's security. SMS is not passwordless and is vulnerable to SIM swapping.
Specific Numbers and Values - Remember MFA duration: default 60 days, max 365 days. - Security defaults registration grace: 14 days. - Number matching: enabled by default since May 2023. - Maximum app passwords per user: 40. - FIDO2 key restrictions: AAGUID or vendor-specific.
Edge Cases - Guest users: MFA policies can apply to B2B collaboration users. The guest's home tenant handles MFA if configured. - Service accounts: Should be excluded from MFA policies. Use managed identities instead. - Emergency access: Always exclude break-glass accounts from MFA policies.
How to Eliminate Wrong Answers - If the question mentions "all users" and "every sign-in," per-user MFA or security defaults might be acceptable, but Conditional Access is still preferred. - If the question involves legacy auth, look for options that block legacy auth or use app proxy. - If the question asks for "passwordless," eliminate SMS and voice call options.
MFA in Entra ID should be enforced via Conditional Access policies, not per-user settings.
Security defaults automatically enable MFA for all users but cannot be customized; they are suitable for small tenants.
Passwordless methods (FIDO2, Windows Hello, Authenticator) are phishing-resistant and recommended over passwords.
Number matching in Authenticator app is enabled by default and prevents accidental approvals.
Remember MFA on trusted devices defaults to 60 days; can be extended to 365 days via Conditional Access session controls.
Legacy authentication protocols block MFA; use Conditional Access to block legacy auth.
Break-glass accounts must be excluded from MFA policies to avoid lockout.
FIDO2 security keys require the device to be Azure AD joined or registered and support WebAuthn.
These come up on the exam all the time. Here's how to tell them apart.
Per-user MFA
Legacy method enabled per user in user properties
Forces MFA on every sign-in for enabled users
No granular control (all apps, all locations)
Supports app passwords for legacy apps
Free with any Entra ID license
Conditional Access MFA
Policy-based, assignable to users, groups, apps, locations
Can exclude specific conditions (e.g., trusted locations)
Integrates with Identity Protection for risk-based MFA
Does not support app passwords (modern auth required)
Requires Entra ID P1 or P2 license
Mistake
MFA and two-step verification are the same thing.
Correct
MFA requires two or more distinct factors (knowledge, possession, inherence). Two-step verification often uses the same factor twice (e.g., password and email code, both knowledge-based). Entra ID MFA always uses different factors.
Mistake
Per-user MFA is the recommended way to enable MFA.
Correct
Per-user MFA is legacy and not recommended. Microsoft recommends using Conditional Access policies because they provide granular control and integrate with other features like risk detection.
Mistake
App passwords are still a valid MFA method for modern apps.
Correct
App passwords are deprecated and only work with per-user MFA. They are not compatible with Conditional Access. Modern apps should use OAuth 2.0 with device flow or other modern authentication.
Mistake
Passwordless authentication means no password is used at all, so it is less secure.
Correct
Passwordless methods like FIDO2 and Windows Hello are more secure than passwords because they use asymmetric cryptography and are resistant to phishing. The private key never leaves the device.
Mistake
SMS-based verification is a secure MFA method.
Correct
SMS is vulnerable to SIM swapping and interception. Microsoft recommends using Authenticator app or FIDO2 instead. SMS is considered a weaker factor.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
The simplest method is to enable Security Defaults (Entra ID > Properties > Manage Security defaults). This automatically requires MFA for all users and blocks legacy auth. For more control, create a Conditional Access policy targeting All users with Grant control 'Require multi-factor authentication'. Ensure users register methods at https://aka.ms/mfasetup. Note that Security Defaults cannot be used alongside Conditional Access policies; you must choose one.
Check that the user has registered the Microsoft Authenticator app and that push notifications are enabled in the method policy. Ensure the user's device is online and has internet access. Firewalls may block Azure Notification Hubs (check endpoints: *.notify.windows.com for Windows, *.push.apple.com for iOS, *.googleapis.com for Android). Also verify that number matching is enabled (it is by default) and that the user sees the number on the login screen. If the issue persists, have the user try using the OTP code from the app instead.
Yes, but not directly. You need to use Azure AD Application Proxy to publish the legacy app, which handles modern authentication. Then enforce MFA via Conditional Access on the proxy app. Alternatively, if using per-user MFA, you can generate app passwords, but this is deprecated and not recommended. The best practice is to upgrade the app to support modern auth or use a secure hybrid access partner solution.
MFA requires two or more factors, typically including a password. Passwordless authentication replaces the password entirely with a factor like a biometric or hardware key. Passwordless methods are inherently MFA because they require something you have (device) and something you are (biometric) or know (PIN). In Entra ID, passwordless methods like FIDO2 and Windows Hello satisfy MFA requirements.
First, enable the FIDO2 method in Entra ID > Security > Authentication methods > Passwordless (FIDO2). Target a group of users. Then users register their key at https://aka.ms/mfasetup by inserting the key and following the prompts. The key generates a key pair; the public key is stored in Entra ID. Users can then sign in by inserting the key, entering a PIN (set on the key), and using WebAuthn. Ensure the device is Azure AD joined or registered, and the browser supports WebAuthn (Edge, Chrome, Firefox).
You should register multiple keys as backup. If you lose all keys, you need to contact your IT admin to reset your authentication methods. The admin can remove the lost keys from your user object via Entra ID > Users > Authentication methods. You can then register a new key or use another method. Always have at least one alternative method (like Authenticator app) registered.
Yes, using Conditional Access with Identity Protection. You need Entra ID P2 license. Create a Conditional Access policy with conditions > Sign-in risk set to High and/or Medium. Then under Grant, require MFA. This way, MFA is only triggered when the sign-in risk is elevated, reducing friction for low-risk sign-ins.
You've just covered MFA and Passwordless Authentication in Entra — now see how well it sticks with free AZ-104 practice questions. Full explanations included, no account needed.
Done with this chapter?