How Hackers Bypass Entra ID MFA

While Entra ID’s MFA capabilities undoubtedly prevent a wealth of attacks, ultimately, it’s not perfect. There are several potential misconfigurations and mistakes that are all too easy to make which can increase risk or leave your tools underutilised.

To assist you in getting the most from your Entra ID MFA, we’ve pulled together five common mistakes that we see in tenant security reviews, along with advice on the best practice that you can employ to avoid them going forward.

Common MFA Mistakes And How to Avoid Them

Mistake 1 – Misunderstanding MFA Enforcement Options

There are two methods that security teams can use to enforce MFA within Entra ID – their descriptions and terminology are similar, but the effects are different.

Within Identity Protection you’ll find a checkbox titled Require Microsoft Entra ID multifactor authentication registration (note that this policy only applies to users with an Entra P2 or E5 licence). Selecting this option enforces MFA by requiring new users to register for any MFA method supported within the tenant, whether that is the Microsoft Authenticator app, SMS or similar, while giving the user the option to snooze the requirement for 14 days.

The second method is found under Authentication Methods, in Registration Campaign. It’s worth noting that this feature doesn’t carry the same licensing requirement and applies only to the Microsoft Authenticator app. Within Registration Campaign, administrators can also manage how many days a user may snooze the requirement, as well as how many times they’ll be permitted to snooze it. Specific users and groups can also be excluded via this approach.

While both methods of enforcing MFA are useful, it’s worth considering the level of granular control you’d like to exercise – whether SMS MFA is satisfactory or the Microsoft Authenticator app is a better fit, and whether exemptions are necessary – and understanding the differences between the two.

Mistake 2 – Not Preparing for the Move to Authentication Methods

Within Authentication Methods and Policies, you’ll find the following message from Microsoft: “On September 30th, 2025, the legacy multifactor authentication (MFA) and self-service password reset (SSPR) policies will be deprecated and the settings will be managed here.”

Currently, per-user multifactor authentication is unfortunately broad in its scope, with settings applied tenant-wide. The new converged policy addresses this, granting teams greater control via users, groups, and specific authentication methods.

In our experience, not all security teams using Entra ID are aware of this upcoming migration or have had the chance to plan for the change. Microsoft has provided a detailed guide (also available within your tenant) to walk you through the move to the new system, and your progress towards migration is tracked within Entra ID itself.

Mistake 3 – Not Enabling System Preferred MFA

Navigate to Settings within Authentication Methods in the Entra Admin Center and you should find a field titled System-preferred multifactor authentication. By default, this is set to Microsoft managed; however, we believe that for most organisations, Enabled is the preferable choice, improving security without much risk of business impact.

For context, Entra ID previously remembered the MFA method a user had most recently chosen and defaulted to it on future prompts. An unfortunate consequence was that users could opt for a weaker method of MFA (say SMS) while having a more secure alternative available (like a FIDO2 passkey). By automatically re-selecting the same method each time, the less secure method effectively became the user’s default.

With System-preferred multifactor authentication enabled however, a user’s account is reviewed by Entra ID, and the most secure registered method of MFA identified and made default, ensuring that users are actually implementing the security features you’ve provided.

Mistake 4 – Not Utilising Authentication Strengths

Not all methods of MFA are created equal, and wherever possible, organisations should be looking to move towards phishing-resistant MFA to guard against Adversary-in-the-Middle (AiTM) attacks and similar threats. With this in mind, Authentication Strengths allow administrators to define specific MFA scenarios which, when coupled with a Conditional Access policy requiring a pre-determined strength, add extra depth to the security you build around your most sensitive or highest-risk users. This isn’t a feature we see used in many tenants, but it can be a powerful way to exercise a specific and robust level of security control.

Mistake 5 – Overlooking Cross-Tenant Access Settings

Cross-tenant access settings are found within External Identities and include a checkbox we often see underutilised, titled Trust multifactor authentication from Microsoft Entra tenants.

By default, as a guest user in a new tenant that requires MFA, you’ll be required to register for MFA again within the tenant you’re joining. For users working across numerous B2B tenants, this process can become unwieldy. With this setting enabled, however, Entra ID will trust the MFA already satisfied in the user’s home tenant, streamlining access and improving user experience.
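As an added illustration (not part of the original article, and not a Threatscape or Microsoft tool), the checks for Mistakes 3, 4 and 5 above can be automated against the JSON that Microsoft Graph returns for the authentication methods policy, the Conditional Access policies and the default cross-tenant access policy. The sample responses below are constructed; the endpoint paths in the docstrings are the real Graph resources, and a practitioner would replace the samples with live GET results.

```python
"""Offline review of Entra ID MFA settings from Microsoft Graph responses."""
from typing import Optional

# Constructed sample responses in the shape Graph returns (not from a real tenant).
SAMPLE_AUTH_METHODS_POLICY = {
    # "default" is shown as "Microsoft managed" in the admin centre (Mistake 3)
    "systemCredentialPreferences": {"state": "default"},
}
SAMPLE_CROSS_TENANT_DEFAULT = {
    # Trust multifactor authentication from Microsoft Entra tenants (Mistake 5)
    "inboundTrust": {"isMfaAccepted": False},
}
SAMPLE_CA_POLICIES = {"value": [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"],
                       "authenticationStrength": None}},
    # Report-only policies do not enforce anything, so this one must not count.
    {"displayName": "Admins: phishing-resistant MFA",
     "state": "enabledForReportingButNotEnforced",
     "grantControls": {"operator": "OR", "builtInControls": [],
                       "authenticationStrength": {"id": "<constructed-id>",
                                                  "displayName": "Phishing-resistant MFA"}}},
]}


def check_system_preferred_mfa(policy: dict) -> Optional[str]:
    """GET /policies/authenticationMethodsPolicy -> finding text, or None if OK."""
    state = policy.get("systemCredentialPreferences", {}).get("state")
    return None if state == "enabled" else f"System-preferred MFA is '{state}', not 'enabled'"


def check_auth_strength_policies(policies: dict) -> Optional[str]:
    """GET /identity/conditionalAccess/policies -> finding if no enforced policy uses a strength."""
    enforced = [p["displayName"] for p in policies.get("value", [])
                if p.get("state") == "enabled"
                and (p.get("grantControls") or {}).get("authenticationStrength")]
    return None if enforced else "No enabled Conditional Access policy requires an authentication strength"


def check_cross_tenant_mfa_trust(default_policy: dict) -> Optional[str]:
    """GET /policies/crossTenantAccessPolicy/default -> finding if home-tenant MFA is not trusted.
    Note: trusting home-tenant MFA means relying on the partner tenant's MFA policy."""
    trusted = default_policy.get("inboundTrust", {}).get("isMfaAccepted", False)
    return None if trusted else "Default inbound trust does not accept MFA from users' home tenants"


def review(auth_methods: dict, cross_tenant: dict, ca_policies: dict) -> list:
    """Run all three checks and return only the findings that need attention."""
    findings = [check_system_preferred_mfa(auth_methods),
                check_auth_strength_policies(ca_policies),
                check_cross_tenant_mfa_trust(cross_tenant)]
    return [f for f in findings if f]


if __name__ == "__main__":
    for finding in review(SAMPLE_AUTH_METHODS_POLICY, SAMPLE_CROSS_TENANT_DEFAULT, SAMPLE_CA_POLICIES):
        print("FINDING:", finding)
```

With the constructed samples all three checks raise a finding; the report-only policy is deliberately ignored because it does not enforce the strength it references.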

Entra ID is an incredibly powerful security tool, but getting the most out of its capabilities requires a deep understanding that many organisations may not have the expertise in-house to provide.

Threatscape’s complimentary Microsoft Entra ID Advisory Service helps you understand the identity threats we see lodged against organisations every day, and the associated security protections available within your Microsoft 365 licence. During your no-obligation consultation with one of our Microsoft security experts, you’ll gain insight and recommendations on how Entra ID and other capabilities within Microsoft 365 help defend cloud identities against a wealth of threats.
