OATH (Open Authentication)
an open standard that specifies how time-based, one-time password (TOTP) codes are generated. OATH TOTP can be implemented using either software or hardware to generate the codes.
Software OATH tokens
typically applications such as the Microsoft Authenticator app and other authenticator apps
OATH TOTP hardware tokens
small hardware devices that look like a key fob and display a code that refreshes every 30 or 60 seconds, providing a second factor for authentication
Temporary Access Pass (TAP)
A time-limited passcode issued by an administrator that can be used to sign in and register other authentication methods, including passwordless methods.
QR code authentication
Designed primarily for frontline workers on shared devices, QR code authentication allows users to sign in by scanning a unique QR code (which can be printed on a badge) and entering a numeric PIN, eliminating the need to type complex usernames and passwords.
Email one-time passcode (OTP)
A verification code sent to a user's email address, used as a secondary form of authentication during self-service password reset (SSPR).
Platform Credential for macOS
A phishing-resistant credential backed by the device's Secure Enclave that enables passwordless sign-in and single sign-on (SSO) across apps on macOS devices, using Touch ID or a password to unlock the credential.
Authenticator Lite
A capability embedded in familiar apps like Outlook mobile that allows users to complete MFA using push notifications or time-based one-time passcodes without needing the separate Microsoft Authenticator app.
External authentication methods
Enable organizations to integrate a non-Microsoft multifactor authentication provider (such as Duo Security or RSA SecurID) with Microsoft Entra ID, so users can satisfy MFA requirements using an authentication solution the organization already has in place.
Passwordless authentication
replaces passwords with something you have, combined with something you are or something you know, providing a more secure and convenient experience.
Windows Hello for Business
replaces passwords with strong two-factor authentication on devices, combining a key or certificate tied to a device with something the person knows (a PIN) or something the person is (biometrics). The gesture triggers the use of a private key to cryptographically sign data sent to the identity provider, which verifies the user's identity.
Passkeys based on the FIDO2 (Fast Identity Online) standard
phishing-resistant passwordless authentication method. Passkeys use public key cryptography, where a public-private key pair is created during registration. The private key is stored securely and the public key is registered with Microsoft Entra ID.
There are two types of passkeys
Device-bound passkeys and Synced passkeys
Synced passkeys
the private key is synced across a user's devices through a cloud passkey provider, like Apple iCloud Keychain or Google Password Manager
Device-bound passkeys
the private key is stored on a single physical device and never leaves it. Examples include FIDO2 security keys (USB, Bluetooth, or NFC devices) and passkeys in Microsoft Authenticator.
Certificate-based authentication
enables users to authenticate directly with X.509 certificates against their Microsoft Entra identity. CBA eliminates the need for federated infrastructure like Active Directory Federation Services (AD FS), providing a simplified, cloud-native approach.
Microsoft Entra multifactor authentication works by requiring two or more of the following authentication methods:
Something you know—typically a password or PIN
Something you have—such as a trusted device that's not easily duplicated, like a phone or hardware key
Something you are—biometrics like a fingerprint or face scan
Security defaults include:
Requiring all users to register for Microsoft Entra multifactor authentication.
Requiring administrators to do multifactor authentication.
Requiring all users to complete multifactor authentication when needed.
Blocking legacy authentication protocols.
Protecting privileged activities like access to the Azure portal.
Conditional Access
allows administrators to define policies that require MFA based on specific conditions, such as user location, device state, risk level, or the sensitivity of the application being accessed. Conditional Access requires Microsoft Entra ID P1 or P2 licenses.
Microsoft Entra password protection
detects and blocks known weak passwords and their variants, and can also block other weak terms that are specific to your organization.
Global banned password list
is automatically applied to all users in a Microsoft Entra tenant. The Microsoft Entra ID Protection team constantly analyzes security telemetry data looking for commonly used weak or compromised passwords.
Custom banned password list
limited to 1000 terms because the password validation algorithm automatically blocks weak variants and combinations.
How passwords are evaluated
Normalization—the password is converted to lowercase, and common character substitutions are applied (for example, "@" to "a", "$" to "s", "1" to "l", "0" to "o"). This maps a small set of banned base terms to a much larger set of potentially weak passwords.
Fuzzy matching—the normalized password is compared against banned passwords using an edit distance of one. This means passwords that differ from a banned term by a single character substitution, insertion, or deletion are detected and rejected.
Substring matching—the system checks the normalized password for the user's first and last name and the tenant name, preventing the inclusion of easily guessable personal or organizational identifiers. Substring matching is only enforced for terms that are at least four characters long.
Score calculation—the system assigns one point for each banned password found in the normalized password and one point for each remaining character. A password must score at least five points to be accepted. This scoring approach means that longer, more complex passwords can be accepted even if they contain a banned term, as long as the overall password is sufficiently strong.
Password spray attacks
Rather than targeting a single account with many password attempts, the attacker submits a few of the most commonly used weak passwords against many accounts. This approach avoids triggering account lockout thresholds while rapidly searching for compromised accounts.
For organizations with hybrid identity models that include on-premises Active Directory Domain Services (AD DS), Microsoft Entra password protection can be extended to the on-premises environment. Two components are installed on on-premises servers:
Proxy service—runs on a domain-joined machine and forwards password policy download requests from domain controllers to Microsoft Entra ID.
DC Agent—installed on domain controllers to receive password validation requests and process them using the current password policy downloaded from Microsoft Entra ID.
AI-powered identity verification with government-issued ID
What does Microsoft Entra ID account recovery use to verify a user's identity when they've lost access to all authentication methods?
Normalization and fuzzy matching
What technique does Microsoft Entra password protection use to detect variations of banned passwords?
Self-service password reset
A company's IT organization is asked to find ways to reduce IT costs, without compromising security. Which feature should they consider implementing?
Microsoft Authenticator, SMS, Voice call, passkey (FIDO2), and Windows Hello for Business
Which of the following forms of verification can be used with Microsoft Entra multifactor authentication?
Passkeys (FIDO2)
Which of the following is classified as a phishing-resistant authentication method in Microsoft Entra ID?