(Updated) Microsoft Entra: System-preferred authentication now applies to first-factor authentication
🚨 The Signal: Microsoft Entra now applies system-preferred authentication to both first and second factors for tenants in the 'Microsoft managed' state. This automatically prompts users with their most secure registered authentication method, enhancing default security posture.
The Impact
Organisations using Microsoft-managed system-preferred authentication will see users automatically prompted for stronger first-factor authentication, reducing phishing risk.
- Security Teams: Reduced risk of first-factor credential compromise due to automatic strong method enforcement.
- End Users: Will be prompted for the most secure registered method, potentially improving sign-in security without manual selection.
- Admins: Less need for manual policy enforcement to push stronger first-factor authentication methods.
- Organisations: Improved overall authentication security posture by default.
The Action
- Review current system-preferred authentication state in Microsoft Entra ID: Entra admin center > Protection > Authentication methods > Settings > System-preferred authentication.
- If 'Microsoft managed' state is desired, ensure users are registering strong authentication methods like FIDO2 security keys or Microsoft Authenticator passwordless.
- Communicate to users that their sign-in experience may prioritise stronger methods if they have multiple registered.
Domain: Entra · Impact: medium · Workload: Entra ID · Essential Eight: Multi-Factor Authentication · ISM: ISM-0109, ISM-0123, ISM-0140, ISM-0974, ISM-1173, ISM-1228, ISM-1401, ISM-1504, ISM-1505, ISM-1679, ISM-1680, ISM-1681, ISM-1682, ISM-1683, ISM-1815, ISM-1819, ISM-1872, ISM-1873, ISM-1874, ISM-1892, ISM-1893, ISM-1894, ISM-1906, ISM-1907