What is Conditional Access Strong Authentication?
Microsoft has recently added a new feature named Authentication Strength inside Conditional Access. It’s currently in preview.
The main function of this new feature is to customize options for requiring different authentication methods when users log in.
There are three pre-created methods:
- Multi-factor authentication
- Password-less multi-factor authentication
- Phishing-resistant multi-factor authentication
These methods have different settings. For example, multi-factor authentication requires Microsoft Authenticator with push notifications for approving access to apps. Meanwhile, phishing-resistant multi-factor authentication requires a FIDO2 key or certificate-based authentication to access apps.
If none of the above methods works for your organization, administrators can create custom ones.
How to enable?
There are two different options:
- Require multifactor authentication, which is the standard/old option.
- Require authentication strength, which is the new option (both options cannot be used together).
Under the second option, the three options mentioned above are available, plus the Windows Hello for Business option, which is a custom one.
How to add custom authentication strength methods?
Inside authentication methods, there is an option to create a new authentication strength.
There are different options that can be combined to satisfy your requirements.
Good to know:
An organization must make sure the required authentication function is enabled. For example, if FIDO2 authentication is required in an authentication method, the organization must enable that function in its tenant; otherwise, it won't work.
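The mismatch described above can be caught before a policy is enforced. The following is an added example, not code from the original post or from Microsoft: it compares each authentication strength's allowed combinations with the methods enabled in the tenant. The sample data is constructed in the shape of Microsoft Graph responses, and the mode-to-method mapping is an assumption of this example.

```python
# Assumed mapping from authentication strength modes to the authentication
# methods policy entry that enables them; unlisted modes are not checked.
MODE_TO_METHOD = {
    "fido2": "Fido2",
    "microsoftAuthenticatorPush": "MicrosoftAuthenticator",
    "sms": "Sms",
    "temporaryAccessPassOneTime": "TemporaryAccessPass",
    "x509CertificateMultiFactor": "X509Certificate",
}

# Constructed sample data, shaped like Microsoft Graph responses.
METHODS_POLICY = {"authenticationMethodConfigurations": [
    {"id": "Fido2", "state": "disabled"},
    {"id": "MicrosoftAuthenticator", "state": "enabled"},
    {"id": "X509Certificate", "state": "disabled"},
    {"id": "Sms", "state": "enabled"}]}
STRENGTHS = [
    {"displayName": "Phishing-resistant (custom)",
     "allowedCombinations": ["fido2", "x509CertificateMultiFactor"]},
    {"displayName": "Push or key",
     "allowedCombinations": ["password,microsoftAuthenticatorPush", "fido2"]},
    {"displayName": "Windows Hello for Business",
     "allowedCombinations": ["windowsHelloForBusiness"]}]

def enabled_methods(policy):
    return {c["id"] for c in policy["authenticationMethodConfigurations"]
            if c["state"] == "enabled"}

def audit_strength(strength, enabled):
    """Split a strength's combinations into usable and blocked ones."""
    usable, blocked = [], {}
    for combo in strength["allowedCombinations"]:
        needed = {MODE_TO_METHOD[m] for m in combo.split(",") if m in MODE_TO_METHOD}
        missing = sorted(needed - enabled)
        if missing:
            blocked[combo] = missing  # every factor in a combination is required
        else:
            usable.append(combo)
    status = "ok" if not blocked else ("degraded" if usable else "unsatisfiable")
    return {"name": strength["displayName"], "status": status,
            "usable": usable, "blocked": blocked}

def audit(strengths=STRENGTHS, policy=METHODS_POLICY):
    enabled = enabled_methods(policy)
    return [audit_strength(s, enabled) for s in strengths]

if __name__ == "__main__":
    for row in audit():
        print(row["status"].upper(), row["name"], row["blocked"])
```

A strength reported as unsatisfiable has no combination that users can complete, so a policy that requires it would block every sign-in it applies to.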
Microsoft documentation: Azure AD Multi-Factor Authentication overview – Microsoft Entra | Microsoft Learn
More about conditional access: Conditional Access MFA – Trusted Locations (aljazperovsek.com)