Authentication strength policies allow you to require specific authentication methods, providing more granular control than traditional MFA requirements.

Resources

Authentication Strength Policy

Resource: microsoft365_graph_beta_identity_and_access_authentication_strength_policy

Authentication Context

Resource: microsoft365_graph_beta_identity_and_access_authentication_context

Authentication Strength Policy

resource "microsoft365_graph_beta_identity_and_access_authentication_strength_policy" "phishing_resistant" {
  display_name = "Phishing-Resistant MFA"
  description  = "Require phishing-resistant authentication methods"
  
  allowed_combinations = [
    "windowsHelloForBusiness",
    "fido2",
    "x509CertificateMultiFactor"
  ]
}

Available Authentication Methods

Method                            Combination string            Phishing-resistant
Windows Hello for Business        windowsHelloForBusiness       Yes
FIDO2 Security Key                fido2                         Yes
Certificate-based (Multi-factor)  x509CertificateMultiFactor    Yes
Microsoft Authenticator (Push)    microsoftAuthenticatorPush    No
SMS                               sms                           No
Voice                             voice                         No
Software OATH                     softwareOath                  No
Hardware OATH                     hardwareOath                  No
Password                          password                      No
Temporary Access Pass             temporaryAccessPassOneTime    No
Federated Multi-Factor            federatedMultiFactor          No

Built-in Authentication Strengths

Microsoft provides built-in authentication strength policies:

ID                                    Name                         Methods
00000000-0000-0000-0000-000000000002  Multi-factor authentication  All MFA methods
00000000-0000-0000-0000-000000000003  Passwordless MFA             Passwordless methods only
00000000-0000-0000-0000-000000000004  Phishing-resistant MFA       FIDO2, WHfB, Certificate

Example Policies

resource "microsoft365_graph_beta_identity_and_access_authentication_strength_policy" "phishing_resistant" {
  display_name = "Phishing-Resistant Authentication"
  description  = "Only allow phishing-resistant methods"
  
  allowed_combinations = [
    "windowsHelloForBusiness",
    "fido2",
    "x509CertificateMultiFactor"
  ]
}

Method Combinations

You can require a combination of methods by listing them comma-separated in a single string; a sign-in must satisfy every method in at least one allowed combination:
allowed_combinations = [
  "password,hardwareOath",           # Password + Hardware OATH token
  "password,microsoftAuthenticatorPush",  # Password + Authenticator push
  "password,sms",                    # Password + SMS code
  "password,softwareOath"            # Password + Software OATH token
]
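An added audit helper (not part of the provider or its docs) that applies this page's method table and comma-separated combination syntax: it parses each allowed_combinations entry, rejects unknown method strings and lone single-factor methods, and reports whether the whole policy is phishing-resistant. The "solely phishing-resistant methods" rule and the single-factor heuristic are assumptions of this example, not provider behaviour.

```python
# Added example, not part of the provider docs: audit an allowed_combinations
# list before it goes into an authentication strength policy. METHODS is taken
# from the methods table on this page. Two rules are assumptions: a policy is
# phishing-resistant only if every combination consists solely of methods the
# table marks phishing-resistant, and a lone method that is not phishing
# resistant (other than a Temporary Access Pass) is flagged as single-factor.
METHODS = {  # combination string -> phishing-resistant?
    "windowsHelloForBusiness": True,
    "fido2": True,
    "x509CertificateMultiFactor": True,
    "microsoftAuthenticatorPush": False,
    "sms": False,
    "voice": False,
    "softwareOath": False,
    "hardwareOath": False,
    "password": False,
    "temporaryAccessPassOneTime": False,
    "federatedMultiFactor": False,
}

def audit_combination(combo):
    """Parse one 'methodA,methodB' string; return (phishing_resistant, problems)."""
    methods = [m.strip() for m in combo.split(",") if m.strip()]
    unknown = [m for m in methods if m not in METHODS]
    problems = [f"unknown method string '{m}'" for m in unknown]
    if not methods:
        problems.append("empty combination")
    if len(set(methods)) != len(methods):
        problems.append("repeated method")
    if (len(methods) == 1 and not unknown and not METHODS[methods[0]]
            and methods[0] != "temporaryAccessPassOneTime"):
        problems.append(f"'{methods[0]}' alone is single-factor")
    resistant = bool(methods) and not unknown and all(METHODS[m] for m in methods)
    return resistant, problems

def audit_policy(allowed_combinations):
    """Return (policy_is_phishing_resistant, {combo: (resistant, problems)})."""
    findings = {c: audit_combination(c) for c in allowed_combinations}
    ok = bool(findings) and all(r and not p for r, p in findings.values())
    return ok, findings

if __name__ == "__main__":
    # Constructed input: two combinations from the page plus a typo ("fido").
    ok, findings = audit_policy(["password,hardwareOath", "password,sms", "fido"])
    print("policy phishing-resistant:", ok)
    for combo, (resistant, problems) in findings.items():
        print(f"  {combo}: resistant={resistant} problems={problems}")
```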

FIDO2 Configuration

Restrict FIDO2 sign-in to approved key models by listing their AAGUIDs:
resource "microsoft365_graph_beta_identity_and_access_authentication_strength_policy" "fido2_restricted" {
  display_name = "FIDO2 with Approved Keys"
  
  allowed_combinations = [
    "fido2"
  ]
  
  combination_configurations = [
    {
      applies_to_combinations = "fido2"
      allowed_aaguids = [
        "90a3ccdf-635c-4729-a248-9b709135078f",  # YubiKey 5
        "de1e552d-db1d-4423-a619-566b625cdc84"   # Specific FIDO2 key
      ]
    }
  ]
}

Certificate-Based Authentication

Restrict certificate-based authentication to certificates chaining to specific issuers (by subject key identifier) and carrying specific policy OIDs:
resource "microsoft365_graph_beta_identity_and_access_authentication_strength_policy" "certificate_auth" {
  display_name = "Certificate-Based Authentication"
  
  allowed_combinations = [
    "x509CertificateMultiFactor"
  ]
  
  combination_configurations = [
    {
      applies_to_combinations = "x509CertificateMultiFactor"
      allowed_issuer_skis     = [
        "1A2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D7E8F9A0A"
      ]
      allowed_policy_oids     = [
        "1.3.6.1.4.1.311.21.8.1.5"
      ]
    }
  ]
}

Use in Conditional Access

resource "microsoft365_graph_beta_identity_and_access_conditional_access_policy" "require_strong_auth" {
  display_name = "Require Strong Authentication"
  state        = "enabled"
  
  conditions = {
    users = {
      include_users = ["All"]
    }
    applications = {
      include_applications = ["All"]
    }
  }
  
  grant_controls = {
    operator = "OR"
    authentication_strength = {
      id = microsoft365_graph_beta_identity_and_access_authentication_strength_policy.phishing_resistant.id
    }
  }
}

Authentication Context

Define step-up authentication requirements:
resource "microsoft365_graph_beta_identity_and_access_authentication_context" "sensitive_data" {
  display_name = "Access Sensitive Data"
  description  = "Requires phishing-resistant authentication"
  is_available = true
}

# Use in conditional access
resource "microsoft365_graph_beta_identity_and_access_conditional_access_policy" "sensitive_data_policy" {
  display_name = "Sensitive Data Access Policy"
  state        = "enabled"
  
  conditions = {
    users = {
      include_users = ["All"]
    }
    applications = {
      include_authentication_context_class_references = [
        microsoft365_graph_beta_identity_and_access_authentication_context.sensitive_data.id
      ]
    }
  }
  
  grant_controls = {
    operator = "OR"
    authentication_strength = {
      id = "00000000-0000-0000-0000-000000000004"  # Phishing-resistant
    }
  }
}

Import Syntax

terraform import microsoft365_graph_beta_identity_and_access_authentication_strength_policy.policy <policy-id>

terraform import microsoft365_graph_beta_identity_and_access_authentication_context.context <context-id>

Best Practices

Use FIDO2, Windows Hello for Business, or certificate-based authentication for the highest security.
When moving to passwordless, allow Temporary Access Passes during the transition.
Deploy new authentication requirements to pilot groups before broad rollout.
Document how to enroll in and use the required authentication methods.
