A practical, production-ready guide to implementing phishing-resistant MFA in Microsoft Entra using Conditional Access, authentication strengths, and FIDO2 (YubiKey/passkeys).
- Security engineers
- Identity architects
- Microsoft 365 administrators
- Organizations implementing Zero Trust
- Why This Matters
- The Problem
- The Solution
- Deployment Guide
- Validation
- Common Mistakes
- Real-World Use Cases
- Rollout Strategy
- Next Steps
Traditional MFA methods (SMS, push notifications, OTP) are vulnerable to:
- Adversary-in-the-Middle (AiTM) phishing attacks
- MFA fatigue / push bombing
- Token theft and replay
Phishing-resistant MFA (FIDO2, Windows Hello for Business, certificate-based authentication) eliminates these risks by binding authentication to the device and origin.
Many organizations believe MFA is sufficient—but:
- Attackers can intercept MFA tokens
- Push fatigue attacks trick users into approving access
- Session hijacking bypasses MFA entirely
This leaves privileged accounts exposed even with MFA enabled.
Microsoft Entra provides authentication strengths that enforce phishing-resistant methods:
- FIDO2 (YubiKey / passkeys)
- Windows Hello for Business
- Certificate-based authentication
Combined with Conditional Access, these ensure:
- Only strong authentication methods are allowed
- Weak MFA methods are blocked
Tip
Follow this guide step-by-step. Do not skip validation steps before enabling policies.
flowchart TD
A[User attempts sign-in] --> B{Break-glass account?}
B -->|Yes| C[Excluded from all Conditional Access]
B -->|No| D[Evaluate Conditional Access assignments]
D --> E{Admin / privileged role?}
E -->|No| F[Evaluate standard user policies]
E -->|Yes| G[Evaluate privileged access policies]
G --> H{Lab policy enabled?}
H -->|Yes| I[Require MFA]
H -->|No| J[Skip to production policy]
I --> K{Authentication method used}
K -->|YubiKey| L[Allowed]
K -->|Authenticator| L
K -->|Windows Hello| L
J --> M{Production policy enabled?}
M -->|Yes| N[Require phishing-resistant MFA]
M -->|No| O[No production enforcement]
N --> P{Authentication method used}
P -->|YubiKey| Q[Allowed]
P -->|Windows Hello| Q
P -->|Authenticator| R[Blocked]
Q --> S{Defender for Cloud Apps session control applied?}
L --> S
S -->|No| T[Access granted]
S -->|Yes| U{Admin portal or privileged app?}
U -->|Yes| V[Not recommended - may disrupt FIDO2]
U -->|No| W[Apply session monitoring / app control]
V --> X[Potential login loop or failed prompt]
W --> T
O --> T
F --> T
flowchart TD
A[User Sign-In] --> B{Break-glass account?}
B -->|Yes| C[Bypass Conditional Access]
B -->|No| D[Evaluate Conditional Access Policies]
D --> E{Policy Type}
E -->|Lab Policy| F[Require MFA]
E -->|Production Policy| G[Require Phishing-Resistant MFA]
F --> H{Allowed Methods}
H -->|YubiKey| I[Access Granted]
H -->|Authenticator| I
H -->|Windows Hello| I
G --> J{Allowed Methods}
J -->|YubiKey| K[Access Granted]
J -->|Windows Hello| K
J -->|Authenticator| L[Blocked]
C --> M[Emergency Access]
This guide assumes:
- You have Global Administrator access
- A break-glass account is created and excluded from Conditional Access
- You are testing in a controlled or lab environment
- Misconfiguration may result in administrative lockout
Important
Defender for Cloud Apps session controls can interfere with phishing-resistant authentication if not configured carefully.
Microsoft Defender for Cloud Apps acts as a proxy when session controls are applied.
This means:
- Authentication traffic may be intercepted
- FIDO2 (YubiKey) flows can be impacted
If you enable Conditional Access App Control (session control), you may experience:
- YubiKey prompts failing
- Authentication loops
- Unexpected sign-in behavior
- Inconsistent MFA prompts
- Microsoft Entra admin center
- Azure portal
- Microsoft 365 admin center
👉 These are critical admin surfaces and must remain stable
-
Exclude Admin Roles from Session Control
- Global Administrator
- Privileged roles
-
Use App Control Selectively
- High-risk SaaS apps
- Non-admin scenarios
-
Test Before Enforcing
- Validate YubiKey sign-in
- Test browser + device login
-
Monitor Sign-in Behavior
- Entra sign-in logs
- Defender for Cloud Apps logs
| Symptom | Possible Cause |
|---|---|
| YubiKey prompt does not appear | Session proxy interfering |
| Infinite login loop | App control misconfiguration |
| MFA prompts inconsistent | Policy conflict |
Authentication should be strong and direct. Session control should be selective and post-authentication.
- Prerequisites
- YubiKey Enrollment
$PSVersionTable.PSVersionSet-ExecutionPolicy RemoteSigned -Scope CurrentUser
Install-Module Microsoft.Graph.Authentication -Scope CurrentUser
Install-Module Microsoft.Graph.Identity.SignIns -Scope CurrentUser
Connect-MgGraph -Scopes `
"Policy.Read.All", `
"Policy.ReadWrite.ConditionalAccess", `
"Application.Read.All", `
"Policy.ReadWrite.AuthenticationMethod"Get-MgContext.\scripts\00-install-modules.ps1
.\scripts\01-connect-graph.ps1- Lab policy allows fallback (Authenticator)
- Production policy blocks weak MFA
- YubiKey authentication succeeds
- Break-glass account bypasses policies
- YubiKey is registered
- Backup key available
- Break-glass account verified
- Logs reviewed
- Ensure Graph scopes are granted
- Verify admin role permissions
- Use supported browser (Edge/Chrome)
- Use break-glass account if locked out
| Phase | Behavior |
|---|---|
| Lab | MFA allows fallback |
| Production | Only phishing-resistant allowed |
- Start in report-only mode
- Never remove fallback too early
- Always test before enforcement
- Maintain recovery path
- Issue multiple YubiKeys
- Confirm phishing-resistant MFA is enforced
- Validate fallback is blocked
- Review sign-in logs
- Not excluding break-glass accounts
- Enabling production too early
- Misconfiguring authentication strengths
- Applying session controls to admin portals
- Securing privileged accounts
- Enforcing Zero Trust
- Protecting remote workforce
- Start with report-only mode
- Deploy to a pilot group
- Validate authentication behavior
- Expand to privileged users
- Enforce production policy
Never enforce globally without validation.
- Integrate Identity Protection
- Expand Zero Trust architecture
- Monitor with KQL and sign-in logs
This information and scripting is provided for educational, testing, and security validation purposes only.
Use of this information and scripting should be limited to:
- Authorized environments
- Lab or approved enterprise systems
The author assumes no liability or responsibility for:
- Misuse of this tool
- Damage to systems
- Unauthorized or improper use
This project is an independent work developed in a personal capacity.
The views, opinions, code, and content expressed in this repository are solely my own and do not reflect the views, policies, or positions of any current or future employer, client, or affiliated organization.
No employer, past, present, or future, has reviewed, approved, endorsed, or is in any way associated with these works.
This project was developed outside the scope of any employment and without the use of proprietary, confidential, or restricted resources.
All code/language in this repository is provided under the terms of the included MIT License.