I'm looking for help on enabling phishing-resistant MFA for my Admin account in Microsoft Defender. I've received a recommendation to enable this feature, but I'm feeling stuck. There are options like FIDO2, Windows Hello for Business, and Certificates, but I don't see any way to enable them for my Admin account. I have separate user and Admin accounts in Entra. My user account has an E5 license and Windows Hello for Business already set up, while my Admin account is cloud-only and doesn't sync with AD. Can someone guide me through how to enable this MFA for my Admin account?
2 Answers
About your question, it's crucial to have different methods for admin accounts—like a physical security key can be more secure than Windows Hello. You might want to consider setting up a dedicated machine for your admin logins if that's feasible.
It sounds like you're looking to set a Conditional Access policy for Phishing-resistant MFA. You should be able to define which authentication methods are allowed—like FIDO2 or Windows Hello. Just remember, admins need to be pre-registered for these methods before the policy kicks in. You might want to check if your admin account is set up for one of the methods first!
Great point! Also, make sure any settings around authentication strengths are checked in the Azure portal. This will ensure you're applying the right policies.
Totally agree! Having a separate machine can enhance security and makes it easier to manage access. But if you go the security key route, don't forget to check the FIDO setup in your account!
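The Conditional Access approach from the second answer, as an added example that is not part of the original posts: it uses the Microsoft Graph PowerShell SDK to confirm the admin account already has a FIDO2 or Windows Hello for Business method registered, then creates a report-only policy requiring the built-in phishing-resistant authentication strength. The UPN and policy display name are constructed placeholders.

```powershell
# Added example (not from the thread). Requires the Microsoft.Graph module.
# Assumption: placeholder UPN for the cloud-only admin account.
$AdminUpn = 'admin@contoso.example'

# ID of the built-in "Phishing-resistant MFA" authentication strength.
$PhishResistantStrengthId = '00000000-0000-0000-0000-000000000004'

Connect-MgGraph -Scopes 'User.Read.All',
    'UserAuthenticationMethod.Read.All',
    'Policy.Read.All',
    'Policy.ReadWrite.ConditionalAccess'

$admin = Get-MgUser -UserId $AdminUpn

# Step 1: the account must already hold a phishing-resistant method,
# otherwise enforcing the policy locks it out. Certificate-based
# authentication is configured elsewhere and is not checked here.
$phishResistantTypes = @(
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
)
$registered = Get-MgUserAuthenticationMethod -UserId $admin.Id |
    ForEach-Object { $_.AdditionalProperties['@odata.type'] } |
    Where-Object { $_ -in $phishResistantTypes }

if (-not $registered) {
    Write-Warning "$AdminUpn has no FIDO2 or Windows Hello for Business method registered; register one before creating the policy."
    return
}

# Step 2: create the policy in report-only mode so sign-in logs show
# its effect before it is enforced.
$policy = @{
    displayName = 'Require phishing-resistant MFA for admin account'  # placeholder name
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @($admin.Id) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $PhishResistantStrengthId }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Once the report-only results in the sign-in logs look right, changing `state` to `enabled` enforces the policy.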