NIST authenticator assurance level 1 with Microsoft Entra ID
The National Institute of Standards and Technology (NIST) develops technical requirements for US federal agencies implementing identity solutions. Organizations must meet these requirements when working with federal agencies.
Before you begin authenticator assurance level 1 (AAL1), you can review the following resources:
- NIST overview: Understand AAL levels
- Authentication basics: Terminology and authentication types
- NIST authenticator types: Authenticator types
- NIST AALs: AAL components, Microsoft Entra authentication methods, and Trusted Platform Modules (TPMs).
Permitted authenticator types
To achieve AAL1, you can use any NIST single-factor or multifactor permitted authenticator.
| Microsoft Entra authentication method | NIST authenticator type |
|---|---|
| Password | Memorized Secret |
| Phone (SMS): Not recommended | Single-factor out-of-band |
| Microsoft Authenticator App (Passwordless) | Multi-factor out-of-band |
| Single-factor software certificate | Single-factor crypto software |
| Multi-factor Software Certificate (PIN Protected) Windows Hello for Business with software TPM |
Multi-factor crypto software |
| Hardware protected certificate (smartcard/security key/TPM) FIDO 2 security key Windows Hello for Business with hardware TPM |
Multi-factor crypto hardware |
Tip
We recommend you select at a minimum phishing resistant AAL2 authneticators. Select AAL3 authenticators as necessary for business reasons, industry standards, or compliance requirements.
FIPS 140 validation
Verifier requirements
Microsoft Entra ID uses the Windows FIPS 140 Level 1 cryptographic module for its authentication cryptographic operations. It's therefore a FIPS 140-compliant verifier required by government agencies.
Man-in-the-middle resistance
Communications between the claimant and Microsoft Entra ID are over an authenticated, protected channel, to resist man-in-the-middle (MitM) attacks. This configuration satisfies the MitM-resistance requirements for AAL1, AAL2, and AAL3.
Next steps
Achieve NIST AAL1 with Microsoft Entra ID
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for