What authentication and verification methods are available in Azure Active Directory?



Microsoft recommends passwordless authentication methods such as Windows Hello, FIDO2 security keys, and the Microsoft Authenticator app because they provide the most secure sign-in experience. Although a user can sign in using other common methods such as a username and password, passwords should be replaced with more secure authentication methods.

[Figure: Table of the strengths and preferred authentication methods in Azure AD]

Azure AD Multi-Factor Authentication (MFA) adds security beyond using only a password when a user signs in. The user can be prompted for additional forms of authentication, such as responding to a push notification, entering a code from a software or hardware token, or responding to an SMS or phone call.

To simplify the user onboarding experience and registration for both MFA and self-service password reset (SSPR), we recommend that you enable combined security information registration. For resiliency, we recommend that you require users to register multiple authentication methods. When one method isn't available for a user during sign-in or SSPR, they can choose to authenticate with another method. For more information, see Create a resilient access control management strategy in Azure AD.


Authentication method strength and security

When you deploy features like Azure AD Multi-Factor Authentication in your organization, review the available authentication methods. Choose the methods that meet or exceed your requirements in terms of security, usability, and availability. Where possible, use authentication methods with the highest level of security.

The following table outlines the security considerations for the available authentication methods. Availability is an indication of the user being able to use the authentication method, not of the service availability in Azure AD:

| Authentication method | Security | Usability | Availability |
|---|---|---|---|
| Windows Hello for Business | High | High | High |
| Microsoft Authenticator app | High | High | High |
| FIDO2 security key | High | High | High |
| OATH hardware tokens (preview) | Medium | Medium | High |
| OATH software tokens | Medium | Medium | High |
| SMS | Medium | High | Medium |
| Voice | Medium | Medium | Medium |
| Password | Low | High | High |

For the latest information on security, check out our blog posts:

Tip: For flexibility and usability, we recommend that you use the Microsoft Authenticator app. This authentication method provides the best user experience and multiple modes, such as passwordless, MFA push notifications, and OATH codes.

How each authentication method works

Some authentication methods can be used as the primary factor when you sign in to an application or device, such as using a FIDO2 security key or a password. Other authentication methods are only available as a secondary factor when you use Azure AD Multi-Factor Authentication or SSPR.

The following table outlines when an authentication method can be used during a sign-in event:

| Method | Primary authentication | Secondary authentication |
|---|---|---|
| Windows Hello for Business | Yes | MFA |
| Microsoft Authenticator app | Yes | MFA and SSPR |
| FIDO2 security key | Yes | MFA |
| OATH hardware tokens (preview) | No | MFA and SSPR |
| OATH software tokens | No | MFA and SSPR |
| SMS | Yes | MFA and SSPR |
| Voice call | No | MFA and SSPR |
| Password | Yes | |

All of these authentication methods can be configured in the Azure portal, and increasingly using the Microsoft Graph REST API.

To learn more about how each authentication method works, see the following separate conceptual articles:

Note: In Azure AD, a password is often one of the primary authentication methods. You can't disable the password authentication method. If you use a password as the primary authentication factor, increase the security of sign-in events using Azure AD Multi-Factor Authentication.

The following additional verification methods can be used in certain scenarios:

  • App passwords - used for old applications that don't support modern authentication and can be configured for per-user Azure AD Multi-Factor Authentication.
  • Security questions - only used for SSPR
  • Email address - only used for SSPR
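
The following Python example is added here and is not part of the original article or any Microsoft tooling. It applies the strength table, the primary/secondary table and the resiliency recommendation above to a per-user list of registered methods; the `audit` helper, its finding labels and the sample inventory are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Method:
    security: str   # "Security" column of the strength table
    primary: bool   # "Primary authentication" column
    mfa: bool       # secondary column lists MFA
    sspr: bool      # secondary column lists SSPR

# Rows transcribed from the page's two tables. "Voice call" carries the rating
# the strength table gives "Voice"; Password has an empty secondary column.
METHODS = {
    "Windows Hello for Business": Method("High", True, True, False),
    "Microsoft Authenticator app": Method("High", True, True, True),
    "FIDO2 security key": Method("High", True, True, False),
    "OATH hardware tokens (preview)": Method("Medium", False, True, True),
    "OATH software tokens": Method("Medium", False, True, True),
    "SMS": Method("Medium", True, True, True),
    "Voice call": Method("Medium", False, True, True),
    "Password": Method("Low", True, False, False),
}

def audit(registered, min_methods=2):
    """Return findings for one user's registered method names (hypothetical helper)."""
    names = set(registered)
    if names.difference(METHODS):
        raise ValueError(f"not in the page's tables: {sorted(names.difference(METHODS))}")
    known = [METHODS[n] for n in names]
    mfa = [m for m in known if m.mfa]
    findings = []
    if not mfa:
        findings.append("no-mfa-method")
    elif not any(m.security == "High" for m in mfa):
        findings.append("no-high-security-mfa-method")
    if not any(m.sspr for m in known):
        findings.append("no-sspr-method")
    if sum(m.mfa or m.sspr for m in known) < min_methods:
        findings.append("too-few-methods")  # resiliency: register multiple methods
    if {n for n in names if METHODS[n].primary} == {"Password"}:
        findings.append("password-only-primary")
    return findings

# Constructed sample inventory; the accounts are made up.
INVENTORY = {
    "alice@example.com": ["Password", "Microsoft Authenticator app", "FIDO2 security key"],
    "bob@example.com": ["Password", "SMS"],
    "carol@example.com": ["Password"],
    "dave@example.com": ["Password", "Windows Hello for Business", "FIDO2 security key"],
}
```

Calling `audit` on each entry shows, for instance, that a user with only Windows Hello for Business and a FIDO2 key has strong sign-in factors but no method the table lists for SSPR.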

Next steps

To get started, see the tutorial for self-service password reset (SSPR) and Azure AD Multi-Factor Authentication.

To learn more about SSPR concepts, see How Azure AD self-service password reset works.

To learn more about MFA concepts, see How Azure AD Multi-Factor Authentication works.

Learn more about configuring authentication methods using the Microsoft Graph REST API.

To review what authentication methods are in use, see Azure AD Multi-Factor Authentication authentication method analysis with PowerShell.


