Phishing-Resistant MFA for Global Admin users : Step-by-Step Guide


1 - Introduction

With the rise of adversary-in-the-middle (AiTM) phishing kits that proxy the real sign-in page and relay codes in real time, traditional Multi-Factor Authentication (MFA) methods such as SMS codes, one-time passcodes (OTP) and push approvals can be phished, so they are no longer sufficient for privileged accounts. Microsoft Entra ID, the identity platform behind Microsoft 365 (M365), supports phishing-resistant MFA methods that remove this risk and reduce the chance of credential theft.

This guide walks through implementing phishing-resistant MFA for Global Administrator accounts in an M365 environment using FIDO2 security keys: enabling the method, registering a key, and enforcing it with Conditional Access.


2 - Why Phishing-Resistant MFA?

Phishing-resistant MFA methods such as FIDO2 security keys resist phishing by design: the key holds a private key that never leaves the device, and the signature it produces is bound to the origin (the relying party ID) that requested it. A proxy sitting on a look-alike domain therefore receives nothing it could replay to login.microsoftonline.com, and there is no password or shared secret to steal.

Benefits include:

  • Protection against adversary-in-the-middle phishing proxies, because the signed challenge is tied to the legitimate origin.
  • No shared secret or OTP that an attacker could intercept or relay.
  • Passwordless sign-in, which removes the password as a target and is faster for users.


3 - Prerequisites

Before implementing phishing-resistant MFA, ensure that you have:

  1. A Microsoft Entra ID tenant with P1 or P2 licences (required for Conditional Access).
  2. Authentication Policy Administrator rights to edit the authentication methods policy, and Conditional Access Administrator (or Security Administrator) rights for the policy in Step 3; Global Administrator covers both.
  3. FIDO2-compatible security keys for each administrator (two per person is sensible practice, so that a lost key does not lock the account).
  4. At least one emergency access (break-glass) account that will be excluded from the policy in Step 3.


4 - Configuration

Step 1 : Enable Passkey (FIDO2) in Microsoft Entra ID

By default, Passkey (FIDO2) is disabled in an M365 tenant.

  1. Navigate to the Microsoft Entra Admin Center.
  2. Go to Identity > Protection > Authentication methods.
  3. Select Policies.
  4. Select Passkey (FIDO2).
  5. Set the method to Enabled for your organization.
  6. Configure user targeting (All users or specific groups); a dedicated group for privileged accounts keeps the rollout controlled.
  7. On the Configure tab, decide whether to allow self-service set up, enforce attestation, and enforce key restrictions (an allow or block list of key models by AAGUID). Enforcing attestation or an AAGUID allow list rejects any key model that is not listed, so test with one key of each approved model first.
  8. Save the policy. Users in the targeted group can now register a key; registration itself is done by each user in Step 2.
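The same Step 1 configuration can be applied with Microsoft Graph PowerShell, which is useful for repeatable deployments and for checking what the tenant actually has. This is an added example, not code from the original article: it assumes the Microsoft.Graph module is installed, that the caller holds the Authentication Policy Administrator (or Global Administrator) role, and that the group object ID and AAGUID values are placeholders to be replaced with your own.

```powershell
# Added example (not from the original article): enable the Passkey (FIDO2)
# authentication method for one group with Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; caller is Authentication Policy
# Administrator or Global Administrator; the group ID and AAGUIDs below are
# placeholders you must replace.

Import-Module Microsoft.Graph.Authentication

# Delegated permission required to edit the authentication methods policy.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod" -NoWelcome

# Placeholder object ID of a group such as "PrivilegedAdmins-FIDO2" (assumed).
$targetGroupId = "00000000-0000-0000-0000-000000000000"

# Optional allow list of key models by AAGUID. Placeholder value; take the real
# AAGUIDs from the key vendor's documentation.
$allowedAaguids = @(
    "11111111-1111-1111-1111-111111111111"
)

$fido2Policy = @{
    "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    state                            = "enabled"
    isSelfServiceRegistrationEnabled = $true   # users register at https://aka.ms/mysecurityinfo
    isAttestationEnforced            = $true   # only keys with valid attestation may be registered
    keyRestrictions = @{
        isEnforced      = $true
        enforcementType = "allow"              # only the listed AAGUIDs may be registered
        aaGuids         = $allowedAaguids
    }
    includeTargets = @(
        @{
            targetType             = "group"
            id                     = $targetGroupId
            isRegistrationRequired = $false
        }
    )
}

# PATCH the Fido2 entry of the tenant-wide authentication methods policy.
Invoke-MgGraphRequest -Method PATCH `
    -Uri "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2" `
    -Body ($fido2Policy | ConvertTo-Json -Depth 10) `
    -ContentType "application/json"

# Read the configuration back and confirm it is enabled for the expected group.
$check = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2"

"State: {0}" -f $check.state
"Attestation enforced: {0}" -f $check.isAttestationEnforced
"Key restrictions enforced: {0}" -f $check.keyRestrictions.isEnforced
"Targets: {0}" -f (($check.includeTargets | ForEach-Object { "$($_.targetType):$($_.id)" }) -join ", ")
```

Leave keyRestrictions.isEnforced at $false until you have confirmed the AAGUID of every key model you intend to issue; with the allow list enforced, a key whose AAGUID is not listed fails registration with no obvious hint to the user about why.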

Step 2 : User Registration

In this section the Global Administrator user registers their security key as an authentication method. Registration is self-service, but the user must already be able to pass MFA with an existing method, and must use a browser and operating system that support WebAuthn.

  1. Guide users to register their FIDO2 security keys via https://aka.ms/mysecurityinfo
  2. Click "Add sign-in method" then select "Security key".

  • You will be prompted to complete MFA with an existing method before the security key options appear.
  • Select USB device (or NFC device for a key that will be tapped on a reader).
  • Click Next.
  • In the Windows security prompt, select Security key and click Next.
  • Insert the key. If it has no PIN yet, the browser asks you to create one; the PIN protects the key if it is lost or stolen.
  • Touch the key (or its fingerprint sensor on biometric models such as the YubiKey Bio) to link the key with your M365 account.
  • Give the new authentication method a name that identifies the physical key (for example its serial number), so it can be recognised and revoked later.
  • The new authentication method is then listed on the Security info page.

Step 3 : Enforce Phishing-Resistant MFA via Conditional Access

In this section we create a Conditional Access policy that requires a security key whenever a Global Administrator signs in to M365 apps.

  1. Navigate to the Microsoft Entra Admin Center.
  2. Go to Protection > Conditional Access > Policies.
  3. Select "+ New policy".
  4. Under Users, choose Include > Directory roles and select Global Administrator (a directory role rather than a group, so the policy follows the role assignment). Under Exclude, add your emergency access (break-glass) accounts.
  5. Under Target resources, apply the policy to All cloud apps.
  6. Under Access controls > Grant, select Require authentication strength.
  7. Choose the built-in Phishing-resistant MFA strength (it accepts FIDO2 security keys, Windows Hello for Business and certificate-based authentication), then select "Require all selected controls". Authentication strength cannot be combined with the plain "Require multifactor authentication" control in the same policy.
  8. Before saving, set the policy to Report-only to test it and avoid locking yourself out. Review the report-only results in the sign-in logs before switching it to On.
  9. Save the policy.

The same policy can be extended to the other highly privileged directory roles, such as:

  • Global Administrator
  • Security Administrator
  • SharePoint Administrator
  • Exchange Administrator
  • Conditional Access Administrator
  • Helpdesk Administrator
  • Billing Administrator
  • User Administrator
  • Authentication Administrator
  • Application Administrator
  • Cloud Application Administrator
  • Password Administrator
  • Privileged Authentication Administrator
  • Privileged Role Administrator


Very important : do not exclude Global Administrators from your other Conditional Access policies in order to make this one "independent". Conditional Access evaluates every policy that applies to a sign-in and all of them must be satisfied, so this policy is enforced regardless of the others, while excluding admins from baseline policies (blocking legacy authentication, requiring compliant devices, and so on) only weakens their protection. What must be excluded is your emergency access (break-glass) account, and you must confirm that every targeted admin has a registered key before switching the policy from Report-only to On.
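The following added example, which is not code from the original article, ties Step 2 and Step 3 together: it lists the current Global Administrators and whether each already has a FIDO2 key registered, then creates the Conditional Access policy of Step 3 in report-only mode with the break-glass account excluded. It assumes the Microsoft.Graph module is installed, that the caller holds Conditional Access Administrator (or Global Administrator), and that the break-glass UPN is a placeholder to replace; the Global Administrator role template ID and the built-in "Phishing-resistant MFA" authentication strength ID are the well-known Entra values.

```powershell
# Added example (not from the original article): check FIDO2 registration for
# every Global Administrator, then create the Step 3 policy in report-only mode.
# Assumptions: Microsoft.Graph module installed; caller is Conditional Access
# Administrator or Global Administrator; $breakGlassUpn is a placeholder.

Import-Module Microsoft.Graph.Authentication

Connect-MgGraph -Scopes @(
    "Policy.ReadWrite.ConditionalAccess",
    "Policy.Read.All",
    "RoleManagement.Read.Directory",
    "UserAuthenticationMethod.Read.All"
) -NoWelcome

# Well-known role template ID of Global Administrator.
$globalAdminRoleId = "62e90394-69f5-4237-9190-012177145e10"
# Built-in authentication strength "Phishing-resistant MFA".
$phishingResistantStrengthId = "00000000-0000-0000-0000-000000000004"
# Placeholder emergency access account; replace with your real break-glass UPN.
$breakGlassUpn = "breakglass@contoso.onmicrosoft.com"

# 1. Pre-flight: active Global Administrator assignments and whether each user
#    has a FIDO2 method. Anyone without one is blocked once the policy is On.
#    Note: PIM-eligible (not yet activated) assignments are not returned here.
$roleUri = "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments" +
           "?`$filter=roleDefinitionId eq '$globalAdminRoleId'"
$assignments = (Invoke-MgGraphRequest -Method GET -Uri $roleUri).value

$notReady = @()
foreach ($a in $assignments) {
    $principalId = $a.principalId
    $principal = Invoke-MgGraphRequest -Method GET `
        -Uri "https://graph.microsoft.com/v1.0/directoryObjects/$principalId"
    # Assignments can also point at groups or service principals; only users are checked.
    if ($principal.'@odata.type' -ne '#microsoft.graph.user') { continue }
    $keys = (Invoke-MgGraphRequest -Method GET `
        -Uri "https://graph.microsoft.com/v1.0/users/$principalId/authentication/fido2Methods").value
    "{0}: {1} FIDO2 key(s)" -f $principal.userPrincipalName, $keys.Count
    if ($keys.Count -eq 0) { $notReady += $principal.userPrincipalName }
}
if ($notReady.Count -gt 0) {
    Write-Warning ("No FIDO2 key registered for: " + ($notReady -join ", "))
}

# 2. Resolve the break-glass account so it can be excluded from the policy.
$breakGlass = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/users/$breakGlassUpn"

# 3. Create the policy in report-only mode. Change 'state' to "enabled" only
#    after the sign-in logs show no unexpected failures for the targeted admins.
$policy = @{
    displayName = "Require phishing-resistant MFA - Global Administrators"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeRoles = @($globalAdminRoleId)   # directory role, not a group
            excludeUsers = @($breakGlass.id)       # emergency access account
        }
        applications = @{
            includeApplications = @("All")
        }
    }
    grantControls = @{
        operator               = "OR"   # single control, so AND/OR are equivalent
        authenticationStrength = @{ id = $phishingResistantStrengthId }
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body ($policy | ConvertTo-Json -Depth 10) `
    -ContentType "application/json"

"Created policy '{0}' ({1}) in state {2}" -f $created.displayName, $created.id, $created.state
```

Run the pre-flight step again just before you enable the policy, because role membership changes: a newly assigned Global Administrator who has not yet registered a key will be locked out of every cloud app the moment the policy is switched from report-only to On.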


5 - Conclusion

By implementing phishing-resistant MFA, organizations can significantly reduce the risk of credential theft and phishing attacks in M365 environments. FIDO2 security keys give the accounts attackers target most a secure, user-friendly sign-in experience, while meeting the phishing-resistant authentication requirement found in current security guidance.


Thanks


Aymen EL JAZIRI

System Administrator

Rakesh Kumar

Senior IT Executive

1 hour ago

Very informative

Jihed Jaoidi

Technicien informatique niveau 3 M365/Azure Cloud

1 hour ago

Well-formulated ideas, bravo!
