Frontrow Technology

Free tool · 5 minutes · Microsoft Entra ID

PHISHING-RESISTANT MFA GAP CHECK.

Score your Microsoft Entra ID authentication posture against the journey from SMS or voice MFA to phishing-resistant methods (FIDO2, Windows Hello for Business). Aligned to ASD's Information Security Manual.

8 questions · 4 domains

Phishing-Resistant MFA Gap Check

Score your Microsoft Entra ID authentication posture against the journey from SMS or voice MFA to phishing-resistant methods. Pick the option closest to your tenant today.

Domain 1

Standard user authentication

What MFA methods standard users are registered for, and which methods are still permitted at sign-in.

  • What MFA methods are standard users currently using?

    Source: Microsoft Learn: Authentication methods policy; ASD ISM (phishing-resistant authentication).

  • Is SMS or voice MFA being removed for standard users?

    Source: Microsoft Learn: Authentication methods migration; NIST SP 800-63B.

Domain 2

Privileged account authentication

Whether admin sign-ins require phishing-resistant authentication and how privileged role activation is gated.

  • What MFA methods are admin accounts using?

    Source: Microsoft Learn: Authentication strengths and Conditional Access; ASD ISM (privileged user activities).

  • Is admin role activation gated through Privileged Identity Management (PIM)?

    Source: Microsoft Learn: Privileged Identity Management deployment.

Domain 3

External and guest access

How MFA applies to B2B guest users, external collaborators, and federated identities.

  • Are guest users (B2B) required to use MFA when accessing the tenant?

    Source: Microsoft Learn: External identities and Conditional Access; Cross-tenant access settings.

Domain 4

Authentication governance

Authentication strengths configuration, monitoring of MFA bypass and registration, and ongoing review.

  • Are Microsoft authentication strengths configured in Conditional Access?

    Source: Microsoft Learn: Authentication strengths overview.

  • Is MFA registration and bypass activity monitored?

    Source: Microsoft Learn: Identity Protection signals; Microsoft Sentinel.

  • How is MFA registration enforced for new users?

    Source: Microsoft Learn: Combined security information registration.

Indicative self-assessment only. For verified results Frontrow Technology runs an in-tenant authentication audit against the customer's Entra ID configuration.

What the check covers

Four domains. One authentication posture.

Domain 1

Standard user authentication

Microsoft's authentication strengths guidance and ASD's ISM both recognise that SMS and voice MFA are phishable. The migration path is to disable SMS and voice as primary methods and move standard users to Microsoft Authenticator with number-matching at minimum, or Windows Hello for Business and FIDO2 where possible.

Domain 2

Privileged account authentication

ASD's ISM and Microsoft's Privileged Identity Management guidance both require phishing-resistant authentication for privileged accounts. SMS or voice MFA on a Global Administrator account is the single most common authentication gap Frontrow sees in Australian mid-market audits.

Domain 3

External and guest access

Guest users frequently bypass MFA in misconfigured tenants because the policy that requires MFA was scoped to internal users only. Federation introduces another path where MFA enforcement can be bypassed if the inbound trust does not require strong authentication. Both need explicit policy coverage.

Domain 4

Authentication governance

Microsoft authentication strengths in Conditional Access let an organisation require specific MFA methods (e.g. phishing-resistant only). Monitoring of MFA registration, MFA fatigue attacks, and policy changes closes the loop. Without governance the posture drifts as new users and apps are added.
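The Domain 2, 3 and 4 gaps above (admin roles not held to a phishing-resistant authentication strength, guests left out of the MFA policy, policies sitting in report-only mode) can be checked mechanically against an export of the tenant's Conditional Access policies. The following is an added example written for this page, not Frontrow's audit tooling: it evaluates policy objects shaped like the Microsoft Graph `identity/conditionalAccess/policies` response. The policy names and group ID are constructed; the built-in authentication strength IDs and directory role template IDs are assumed from Microsoft's documentation and should be confirmed in your own tenant.

```python
"""Gap-check Entra ID Conditional Access policies for phishing-resistant MFA.

Added example (not the page's or Frontrow's code). The policy objects below
follow the shape of Microsoft Graph identity/conditionalAccess/policies, but
the display names and group ID are constructed for illustration.
"""

# Built-in Entra authentication strength IDs (assumed from Microsoft's
# documentation; confirm under Entra > Authentication strengths).
STRENGTH_MFA = "00000000-0000-0000-0000-000000000002"
STRENGTH_PASSWORDLESS = "00000000-0000-0000-0000-000000000003"
STRENGTH_PHISHING_RESISTANT = "00000000-0000-0000-0000-000000000004"

# Well-known directory role template IDs (tenant-independent).
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
PRIV_ROLE_ADMIN = "e8611ab8-c189-46e8-94e1-60213ab1f814"

# Constructed sample: a staff MFA policy scoped to an internal group only,
# a phishing-resistant policy for Global Admins, and a guest policy that was
# never moved out of report-only mode.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for staff", "state": "enabled",
     "conditions": {"users": {"includeUsers": [], "includeGroups": ["11111111-1111-1111-1111-111111111111"],
                              "includeRoles": [], "excludeRoles": [], "includeGuestsOrExternalUsers": None},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"], "authenticationStrength": None}},
    {"displayName": "Global admins: phishing-resistant MFA", "state": "enabled",
     "conditions": {"users": {"includeUsers": [], "includeGroups": [], "includeRoles": [GLOBAL_ADMIN],
                              "excludeRoles": [], "includeGuestsOrExternalUsers": None},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": [],
                       "authenticationStrength": {"id": STRENGTH_PHISHING_RESISTANT, "displayName": "Phishing-resistant MFA"}}},
    {"displayName": "Guests: require MFA (report-only)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": [], "includeGroups": [], "includeRoles": [], "excludeRoles": [],
                              "includeGuestsOrExternalUsers": {"guestOrExternalUserTypes": "b2bCollaborationGuest",
                                                               "externalTenants": {"membershipKind": "all"}}},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"], "authenticationStrength": None}},
]


def _enforced(policy):
    # Only "enabled" counts; report-only and disabled policies enforce nothing.
    return policy.get("state") == "enabled"


def _all_apps(policy):
    return "All" in policy["conditions"]["applications"].get("includeApplications", [])


def _strength_id(policy):
    strength = (policy.get("grantControls") or {}).get("authenticationStrength")
    return strength["id"] if strength else None


def _requires_any_mfa(policy):
    grant = policy.get("grantControls") or {}
    return "mfa" in grant.get("builtInControls", []) or _strength_id(policy) is not None


def _targets_role(policy, role_id):
    users = policy["conditions"]["users"]
    included = role_id in users.get("includeRoles", []) or "All" in users.get("includeUsers", [])
    return included and role_id not in users.get("excludeRoles", [])


def _targets_guests(policy):
    # "All" users includes guests; otherwise guests must be named explicitly.
    users = policy["conditions"]["users"]
    return bool(users.get("includeGuestsOrExternalUsers")) or "All" in users.get("includeUsers", [])


def admin_roles_missing_phishing_resistant(policies, roles=(GLOBAL_ADMIN, PRIV_ROLE_ADMIN)):
    """Roles with no enforced, all-apps policy requiring the phishing-resistant strength."""
    return [r for r in roles if not any(
        _enforced(p) and _all_apps(p) and _targets_role(p, r)
        and _strength_id(p) == STRENGTH_PHISHING_RESISTANT for p in policies)]


def guests_covered_by_mfa(policies):
    """True if some enforced, all-apps policy requires MFA (any strength) for guests."""
    return any(_enforced(p) and _all_apps(p) and _targets_guests(p) and _requires_any_mfa(p)
               for p in policies)


def report_only_mfa_policies(policies):
    """MFA policies still in report-only mode: they look like coverage but enforce nothing."""
    return [p["displayName"] for p in policies
            if p.get("state") == "enabledForReportingButNotEnforced" and _requires_any_mfa(p)]


def gap_check(policies):
    return {"admin_roles_missing_phishing_resistant": admin_roles_missing_phishing_resistant(policies),
            "guests_covered_by_mfa": guests_covered_by_mfa(policies),
            "report_only_mfa_policies": report_only_mfa_policies(policies)}


if __name__ == "__main__":
    print(gap_check(SAMPLE_POLICIES))
```

On the constructed sample the check reports the Privileged Role Administrator role as uncovered, guests as not covered by any enforced policy, and the guest policy as report-only. The check deliberately ignores `excludeUsers` and `excludeGroups`, so break-glass and other exemptions still need a manual review alongside it.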

Frequently asked questions

What Australian security teams ask.

What is phishing-resistant MFA?

Phishing-resistant authentication is MFA that cannot be defeated by a phishing site that proxies the authentication flow (an adversary-in-the-middle attack). Phishing-resistant methods include FIDO2 security keys, Windows Hello for Business, and certificate-based authentication. SMS, voice, push notification, and one-time passcode methods are all phishable in modern adversary-in-the-middle frameworks like Evilginx, Modlishka and Tycoon.

Why does ASD recommend phishing-resistant MFA?

ASD's Information Security Manual and Essential Eight Maturity Model both moved toward phishing-resistant authentication for privileged accounts and high-value systems. The driver is the rise of adversary-in-the-middle phishing kits that capture session tokens after a successful MFA prompt. Phishing-resistant methods bind authentication to the device or origin and defeat that attack class.

Is Microsoft Authenticator with number-matching phishing-resistant?

No. Microsoft Authenticator with number-matching defeats MFA fatigue attacks where an attacker prompts the user repeatedly until they accept. It does not defeat adversary-in-the-middle phishing where the attacker captures the session token after a successful prompt. Number-matching is a meaningful improvement over plain push but it is not phishing-resistant.
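Whether or not number-matching is enabled, the fatigue pattern itself (a burst of denied or expired push prompts for one user, sometimes followed by an accepted one) is visible in the sign-in logs, and Domain 4 above calls for monitoring it. The following detection is an added example written for this page, not Frontrow's or Microsoft's code: it runs a sliding-window count over events shaped like Microsoft Graph `auditLogs/signIns` records. The users, timestamps and IP addresses are constructed, and the error code 500121 is assumed from Microsoft's published sign-in error code list as the code for a failed strong-authentication prompt; confirm it against your own logs.

```python
"""Detect MFA-fatigue (push-bombing) bursts in Entra ID sign-in logs.

Added example (not the page's or Frontrow's code). Events imitate the shape
of Microsoft Graph auditLogs/signIns records (createdDateTime,
userPrincipalName, ipAddress, status.errorCode, mfaDetail.authMethod);
all sample data below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Sign-in error code for a strong-authentication prompt that was denied or
# timed out (assumed from Microsoft's sign-in error code list).
MFA_PROMPT_FAILED = 500121

def _ev(ts, user, ip, code):
    return {"createdDateTime": ts, "userPrincipalName": user, "ipAddress": ip,
            "status": {"errorCode": code}, "mfaDetail": {"authMethod": "Mobile app notification"}}

# Constructed sample: alice receives five failed prompts in under five minutes
# and then one is accepted; bob has two failures (normal mistyping); carol is clean.
SAMPLE_SIGNINS = [
    _ev("2024-05-01T08:00:00Z", "alice@example.test", "203.0.113.10", MFA_PROMPT_FAILED),
    _ev("2024-05-01T08:01:10Z", "alice@example.test", "203.0.113.10", MFA_PROMPT_FAILED),
    _ev("2024-05-01T08:02:05Z", "alice@example.test", "203.0.113.10", MFA_PROMPT_FAILED),
    _ev("2024-05-01T08:03:40Z", "alice@example.test", "203.0.113.10", MFA_PROMPT_FAILED),
    _ev("2024-05-01T08:04:30Z", "alice@example.test", "203.0.113.10", MFA_PROMPT_FAILED),
    _ev("2024-05-01T08:05:15Z", "alice@example.test", "203.0.113.10", 0),
    _ev("2024-05-01T09:00:00Z", "bob@example.test", "198.51.100.7", MFA_PROMPT_FAILED),
    _ev("2024-05-01T09:02:00Z", "bob@example.test", "198.51.100.7", MFA_PROMPT_FAILED),
    _ev("2024-05-01T09:03:00Z", "bob@example.test", "198.51.100.7", 0),
    _ev("2024-05-01T10:00:00Z", "carol@example.test", "192.0.2.44", 0),
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_mfa_fatigue(events, threshold=4, window_minutes=10):
    """Return one alert per user burst of >= threshold failed prompts inside the window.

    succeeded_after is True when a successful sign-in follows the burst within the
    window: the case where the user finally accepted the prompt.
    """
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for event in events:
        by_user[event["userPrincipalName"]].append(event)

    alerts = []
    for user, user_events in by_user.items():
        user_events.sort(key=lambda e: parse_ts(e["createdDateTime"]))
        failures = []   # (timestamp, ip) of failed prompts still inside the window
        burst = None    # the open alert for this user, if any
        for event in user_events:
            ts = parse_ts(event["createdDateTime"])
            code = event["status"]["errorCode"]
            if code == MFA_PROMPT_FAILED:
                failures = [(t, ip) for t, ip in failures if ts - t <= window] + [(ts, event["ipAddress"])]
                if len(failures) >= threshold:
                    if burst is None:
                        burst = {"user": user, "failures": 0, "succeeded_after": False,
                                 "source_ips": set(), "first_failure": failures[0][0].isoformat()}
                        alerts.append(burst)
                    burst["failures"] = len(failures)
                    burst["source_ips"].update(ip for _, ip in failures)
            elif code == 0 and burst is not None and failures and ts - failures[-1][0] <= window:
                burst["succeeded_after"] = True
                burst["success_ip"] = event["ipAddress"]
                burst, failures = None, []
    for alert in alerts:
        alert["source_ips"] = sorted(alert["source_ips"])
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_SIGNINS):
        print(alert)
```

Tune `threshold` and `window_minutes` to the tenant's baseline of accidental denials; an alert with `succeeded_after` set is the one to treat as a probable compromise and revoke sessions for, while a burst with no success is still worth a conversation with the user.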

What about FIDO2 security keys versus Windows Hello for Business?

Both are phishing-resistant. Windows Hello for Business uses the device TPM and biometric or PIN, deployed across managed Windows devices via Intune. FIDO2 keys (YubiKey, Feitian, Microsoft) are physical hardware that suit users without managed devices, shared workstations, or scenarios where the user needs portability. Most Frontrow deployments combine both: Windows Hello for Business on the standard device fleet, FIDO2 for admins and exceptions.

Can we phase out SMS MFA?

Yes, and Microsoft has provided the tooling. The Entra ID authentication methods policy lets an organisation disable SMS and voice for new registrations first, then phase them out for existing users with a defined cutover. Frontrow's pattern is to identify users currently relying on SMS, enrol them in a stronger method, then disable SMS tenant-wide with documented break-glass exceptions.
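The first step of that pattern, and the Domain 1 question of which methods standard users actually hold, comes down to reading the tenant's registration report and sorting users by the strongest method they have. The following is an added example written for this page, not Frontrow's tooling: it classifies records shaped like the Microsoft Graph `reports/authenticationMethods/userRegistrationDetails` output. The users are constructed, and the method names in `methodsRegistered` are assumed from the Graph report format and should be confirmed against a real export.

```python
"""Classify Entra ID users by the strongest MFA method they have registered.

Added example (not the page's or Frontrow's code). Records mimic the shape of
Microsoft Graph reports/authenticationMethods/userRegistrationDetails
(userPrincipalName, isAdmin, methodsRegistered); every user below is constructed.
"""
import json

# Method names as they appear in methodsRegistered (assumed from the Graph
# report format; confirm against your tenant's export).
PHISHING_RESISTANT = {"fido2SecurityKey", "windowsHelloForBusiness"}
PASSWORDLESS_PUSH = {"passwordlessMicrosoftAuthenticator"}
PUSH_OR_OTP = {"microsoftAuthenticatorPush", "softwareOneTimePasscode", "hardwareOneTimePasscode"}
SMS_OR_VOICE = {"mobilePhone", "alternateMobilePhone", "officePhone"}

# Strongest to weakest, matching the migration path described on this page.
TIER_ORDER = ["phishing-resistant", "passwordless-push", "push-or-otp", "sms-or-voice", "none"]

SAMPLE_REPORT = json.loads("""
{"value": [
 {"userPrincipalName": "alice@example.test", "isAdmin": false, "methodsRegistered": ["mobilePhone"]},
 {"userPrincipalName": "bob@example.test",   "isAdmin": false, "methodsRegistered": ["microsoftAuthenticatorPush", "mobilePhone"]},
 {"userPrincipalName": "carol@example.test", "isAdmin": true,  "methodsRegistered": ["mobilePhone", "microsoftAuthenticatorPush"]},
 {"userPrincipalName": "dave@example.test",  "isAdmin": true,  "methodsRegistered": ["fido2SecurityKey", "microsoftAuthenticatorPush"]},
 {"userPrincipalName": "erin@example.test",  "isAdmin": false, "methodsRegistered": ["windowsHelloForBusiness"]},
 {"userPrincipalName": "frank@example.test", "isAdmin": false, "methodsRegistered": []}
]}
""")


def strongest_tier(methods):
    """Map a user's registered methods to the strongest tier they can use."""
    registered = set(methods)
    if registered & PHISHING_RESISTANT:
        return "phishing-resistant"
    if registered & PASSWORDLESS_PUSH:
        return "passwordless-push"
    if registered & PUSH_OR_OTP:
        return "push-or-otp"
    if registered & SMS_OR_VOICE:
        return "sms-or-voice"
    return "none"


def tier_counts(report):
    """Headline posture: how many users sit in each tier."""
    counts = {tier: 0 for tier in TIER_ORDER}
    for user in report["value"]:
        counts[strongest_tier(user["methodsRegistered"])] += 1
    return counts


def sms_voice_dependents(report):
    """Users who would lose MFA entirely if SMS and voice were disabled today;
    they must be enrolled in a stronger method before the cutover."""
    return sorted(u["userPrincipalName"] for u in report["value"]
                  if strongest_tier(u["methodsRegistered"]) == "sms-or-voice")


def admins_without_phishing_resistant(report):
    """Admin accounts with no FIDO2 or Windows Hello for Business method registered."""
    return sorted(u["userPrincipalName"] for u in report["value"]
                  if u["isAdmin"] and strongest_tier(u["methodsRegistered"]) != "phishing-resistant")


if __name__ == "__main__":
    print(tier_counts(SAMPLE_REPORT))
    print("enrol before disabling SMS/voice:", sms_voice_dependents(SAMPLE_REPORT))
    print("admins needing phishing-resistant:", admins_without_phishing_resistant(SAMPLE_REPORT))
```

The `sms_voice_dependents` list is the enrolment worklist for the cutover; users who also hold a push or OTP method keep working when SMS is disabled but still have a phishable method to migrate, which is why `tier_counts` tracks them separately. Users in the `none` tier (no MFA registered at all) are a Domain 4 registration-enforcement finding rather than a migration item.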

Does this affect business-critical systems and integrations?

Some service accounts and legacy integrations rely on basic authentication or weak MFA. The migration to phishing-resistant requires identifying these accounts, moving them to managed identities or workload identities where possible, and adding compensating controls (Conditional Access, isolation, monitoring) where the migration is not yet possible. Frontrow's verified review documents the inventory and the migration plan.

How is this self-assessment validated?

Every scoring threshold cites a primary source: Microsoft Learn for authentication strengths, FIDO2 and Windows Hello for Business; ASD Information Security Manual for the Australian baseline; NIST SP 800-63B for authenticator assurance levels. Methodology authored by Daniel Brown (5x Microsoft MVP), Graeme Lodge (Managing Director), and Sam Williams (Investor & Executive Consultant).

What does Frontrow's verified MFA review include?

A direct review of Entra ID authentication methods, Conditional Access policies and authentication strengths via Microsoft Graph (rather than self-reported answers), a gap report against the ASD ISM and Microsoft baseline, and a phased migration plan to phishing-resistant authentication. Indicative pricing on request.