What authentication and verification methods are available in Azure Active Directory?

As part of the sign-in experience for accounts in Azure Active Directory (Azure AD), there are different ways that a user can authenticate themselves. A username and password is the most common way a user would historically provide credentials. With modern authentication and security features in Azure AD, that basic password should be supplemented or replaced with more secure authentication methods.

Table of the strengths and preferred authentication methods in Azure AD

Passwordless authentication methods such as Windows Hello, FIDO2 security keys, and the Microsoft Authenticator app provide the most secure sign-in events.

Azure Multi-Factor Authentication adds additional security over only using a password when a user signs in. The user can be prompted for additional forms of authentication, such as to respond to a push notification, enter a code from a software or hardware token, or respond to an SMS or phone call.

To simplify the user on-boarding experience and register for both MFA and SSPR, we recommend you enable combined security information registration. For resiliency, we recommend that you require users to register multiple authentication methods. When one method isn't available for a user during sign-in or SSPR, they can choose to authenticate with another method. For more information, see Create a resilient access control management strategy in Azure AD.

Authentication method strength and security

When you deploy features like Azure Multi-Factor Authentication in your organization, review the available authentication methods. Choose the methods that meet or exceed your requirements in terms of security, usability, and availability. Where possible, use authentication methods with the highest level of security.

The following table outlines the security considerations for the available authentication methods. Availability is an indication of the user being able to use the authentication method, not of the service availability in Azure AD:

Authentication method Security Usability Availability
Windows Hello for Business High High High
Microsoft Authenticator app High High High
FIDO2 security key (preview) High High High
OATH hardware tokens (preview) Medium Medium High
OATH software tokens Medium Medium High
SMS Medium High Medium
Voice Medium Medium Medium
Password Low High High

For more information on security, see authentication vulnerabilities and attack vectors.

Tip

For flexibility and usability, we recommend that you use the Microsoft Authenticator app. This authentication method provides the best user experience and multiple modes, such as passwordless, MFA push notifications, and OATH codes.

How each authentication method works

Some authentication methods can be used as the primary factor when you sign in to an application or device, such as using a FIDO2 security key or a password. Other authentication methods are only available as a secondary factor when you use Azure Multi-Factor Authentication or SSPR.

The following table outlines when an authentication method can be used during a sign-in event:

Method Primary authentication Secondary authentication
Windows Hello for Business Yes MFA
Microsoft Authenticator app Yes (preview) MFA and SSPR
FIDO2 security key (preview) Yes MFA
OATH hardware tokens (preview) No MFA
OATH software tokens No MFA
SMS Yes (preview) MFA and SSPR
Voice call No MFA and SSPR
Password Yes

All of these authentication methods can be configured in the Azure portal, and increasingly using the Microsoft Graph REST API beta.

To learn more about how each authentication method works, see the following separate conceptual articles:

Note

In Azure AD, a password is often one of the primary authentication methods. You can't disable the password authentication method. If you use a password as the primary authentication factor, increase the security of sign-in events using Azure Multi-Factor Authentication.

The following additional verification methods can be used in certain scenarios:

  • App passwords - used for old applications that don't support modern authentication and can be configured for per-user Azure Multi-Factor Authentication.
  • Security questions - only used for SSPR
  • Email address - only used for SSPR

Next steps

To get started, see the tutorial for self-service password reset (SSPR) and Azure Multi-Factor Authentication.

To learn more about SSPR concepts, see How Azure AD self-service password reset works.

To learn more about MFA concepts, see How Azure Multi-Factor Authentication works.

Learn more about configuring authentication methods using the Microsoft Graph REST API beta.