3.5 Multifactor Authentication

Key Takeaways

  • Multifactor authentication requires additional proof beyond a single password.
  • MFA is an identity security control because it strengthens the authentication step.
  • MFA scenarios should be separated from authorization topics such as roles and access reviews.
  • SC-900 often frames MFA as a way to reduce risk from compromised or guessed passwords.

Last updated: May 2026

Why MFA is central to identity security

Multifactor authentication, or MFA, strengthens authentication by requiring more proof than a password alone. That aligns with the SC-900 theme that identity is a primary security perimeter. A stolen or guessed password is less useful to an attacker when the sign-in process asks for another factor. For the exam, the important point is not a specific device model or app screen; it is the reason MFA exists and where it sits in the access flow.

  • MFA is part of authentication, not data governance.
  • MFA adds proof beyond a single password.
  • MFA helps address password-only sign-in risk.
  • MFA can be discussed alongside Conditional Access, but it remains a sign-in control.

MFA compared with nearby controls

MFA is sometimes mentioned in the same scenario as Conditional Access, roles, or Identity Protection. The distinction is the job each control performs. MFA strengthens sign-in proof. Conditional Access evaluates signals and applies controls to access decisions. Roles grant administrative or resource permissions. Identity Protection deals with identity risk detection and response. Keeping those purposes separate prevents product-matching mistakes.

Capability                   | Primary job
Multifactor authentication   | Require stronger proof during sign-in
Conditional Access           | Evaluate conditions and apply access controls
Entra roles                  | Grant administrative capabilities
Identity Protection          | Work with identity risk signals and responses

Practical exam cues

Look for MFA when the problem statement says password-only sign-in is not enough, users need an additional verification step, or administrators want stronger assurance before access is granted. Do not choose MFA when the core need is to review whether a user should still have access, because that is an access review topic. Do not choose MFA when the core need is temporary elevated privileges, because that points to Privileged Identity Management.

  • Additional verification step: MFA.
  • Periodic check of continued access need: access reviews.
  • Temporary privileged role activation: Privileged Identity Management.
  • Risk-based identity response: Identity Protection.

MFA in the bigger Entra story

MFA is one control in a larger identity approach. It does not tell you whether someone should be a global administrator, whether an entitlement should continue, or whether a risky sign-in should trigger a response. Those are handled by roles, governance, and Identity Protection topics in the next chapter. For this chapter, keep MFA tied to sign-in proof and password risk reduction. When a question says stronger proof but does not mention lifecycle review or role activation, MFA should stay high on your answer list.

  • MFA strengthens authentication.
  • Roles define administrative capability.
  • Governance reviews continued access need.
  • Identity Protection deals with identity risk signals.
  • Exam anchor: added proof during sign-in, not ongoing access certification.

Test Your Knowledge

What is the main purpose of multifactor authentication in Microsoft Entra ID?

Test Your Knowledge

Which exam clue most strongly indicates MFA?

Test Your Knowledge

Why is MFA especially useful when passwords are at risk?
