Phishing-resistant MFA is now the Essential Eight bar for privileged access
🚨 The Signal: Conditional Access can require phishing-resistant MFA (FIDO2, passkeys, certificate-based) for sign-ins. ASD Essential Eight ML2 and ML3 demand phishing-resistant methods, so ordinary SMS or app-based MFA no longer meets the bar for privileged access.
The Impact
Privileged roles still protected only by SMS or app MFA fall short of Essential Eight ML2/ML3 and remain phishable.
- Entra admins: must move privileged roles to phishing-resistant authentication.
- End users: may need passkeys or FIDO2 security keys enrolled.
- Compliance: ML2/ML3 baselines (ISM-1504, ISM-1401, ISM-1679) require phishing resistance.
The Action
- In Entra, configure the Authentication Methods policy to enable FIDO2 / passkeys and disable SMS and voice for privileged users.
- Create a Conditional Access policy requiring authentication strength = phishing-resistant MFA for admin roles.
- Add a second policy scoped to all users for ML3, starting in report-only.
- Validate with a pilot group, then enforce and monitor the sign-in logs.
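The two Conditional Access policies from the steps above, built with Microsoft Graph PowerShell, as an added example that is not part of the original advisory. It assumes the Microsoft.Graph modules are installed, the caller holds a role that can write Conditional Access policies, and a break-glass (emergency access) account ID is substituted for the placeholder; the role names and policy display names are my own choices.

```powershell
# Added example (not from the original advisory): creates the ML2 admin-role policy
# and the ML3 all-users policy, both requiring the built-in "Phishing-resistant MFA"
# authentication strength. Assumes Microsoft.Graph modules and a break-glass account.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'RoleManagement.Read.Directory'

# Placeholder: replace with the object ID of your emergency-access account so it is never locked out.
$BreakGlassUserId = '00000000-0000-0000-0000-000000000000'

# Resolve the built-in strength by display name instead of hard-coding its ID.
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq 'Phishing-resistant MFA' }
if (-not $strength) { throw 'Built-in "Phishing-resistant MFA" authentication strength not found.' }

# Resolve privileged role template IDs by name (assumed set of roles; extend as needed).
$adminRoleNames = 'Global Administrator', 'Privileged Role Administrator',
                  'Security Administrator', 'Conditional Access Administrator'
$adminRoleIds = Get-MgDirectoryRoleTemplate |
    Where-Object { $_.DisplayName -in $adminRoleNames } |
    Select-Object -ExpandProperty Id
if ($adminRoleIds.Count -ne $adminRoleNames.Count) { throw 'One or more role templates were not found.' }

function New-PhishingResistantPolicy {
    param(
        [string]$Name,
        [hashtable]$Users,   # conditions.users block: includeRoles or includeUsers plus excludeUsers
        [string]$State       # 'enabled' or 'enabledForReportingButNotEnforced'
    )
    $body = @{
        displayName   = $Name
        state         = $State
        conditions    = @{
            users          = $Users
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
        }
        grantControls = @{
            operator               = 'OR'
            authenticationStrength = @{ id = $strength.Id }
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# ML2: privileged roles. Start in report-only for the pilot, then change to 'enabled' to enforce.
New-PhishingResistantPolicy -Name 'E8-ML2 Phishing-resistant MFA - privileged roles' -State 'enabledForReportingButNotEnforced' `
    -Users @{ includeRoles = @($adminRoleIds); excludeUsers = @($BreakGlassUserId) }

# ML3: all users, report-only first; review sign-in logs before switching to 'enabled'.
New-PhishingResistantPolicy -Name 'E8-ML3 Phishing-resistant MFA - all users' -State 'enabledForReportingButNotEnforced' `
    -Users @{ includeUsers = @('All'); excludeUsers = @($BreakGlassUserId) }
```

Report-only results appear in the sign-in logs under the policy's "Report-only" tab, which is where the pilot validation in the last step is done before flipping the state to enabled.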
Domain: Entra · Impact: high · Workload: Entra ID · Essential Eight: Multi-Factor Authentication · ISM: ISM-1401, ISM-1504, ISM-1679