If phishing-resistant MFA has not been enforced, an alternative MFA method SHALL be enforced for all users.
Why This Matters
Even when phishing-resistant MFA is not fully deployed, enforcing some alternative MFA method (for example Microsoft Authenticator push or a software one-time passcode) for every user still provides a critical defense against credential theft and unauthorized access. Without this fallback, any account protected only by a password remains exposed to password-based attacks such as brute force, password spray and credential stuffing, which can lead to data breaches or compliance failures. The alternative method is a stopgap rather than a substitute: conventional MFA can still be phished or bypassed through MFA fatigue, and SMS and voice-call methods are the weakest of the options, so the goal remains to move users to phishing-resistant MFA.
What Aether365 Checks
This check verifies that, for all users in your Microsoft Entra ID tenant, an alternative MFA method is enforced wherever phishing-resistant MFA (such as FIDO2 security keys or certificate-based authentication) has not been implemented. In practice, "enforced" means a Conditional Access policy that is in the enabled state (not report-only), applies to all users and all cloud apps, and requires multifactor authentication through the MFA grant control or an authentication strength; any users or groups excluded from that policy, such as break-glass accounts, should be reviewed deliberately. It appears in the Aether365 dashboard under the Entra ID (entra-id) service category.
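The following is an added example of the kind of evaluation described above, written for this page; it is not Aether365's own code. It walks a list of Conditional Access policies in the shape returned by the Microsoft Graph conditionalAccessPolicy resource (GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies) and reports whether at least one enabled policy enforces MFA for all users and all cloud apps. The sample policies, their display names and the placeholder object IDs are constructed for illustration. It also handles two cases a naive check misses: a report-only policy enforces nothing, and a grant of "MFA OR compliant device" lets a user on a compliant device skip MFA entirely.

```python
"""Evaluate Conditional Access policies for a tenant-wide MFA requirement.

Illustrative logic, not Aether365's implementation. Sample policies below are
constructed in the shape of the Microsoft Graph conditionalAccessPolicy resource.
"""
from typing import Any

Policy = dict[str, Any]

ALL = "All"
ENABLED = "enabled"
REPORT_ONLY = "enabledForReportingButNotEnforced"


def requires_mfa(policy: Policy) -> bool:
    """True when the grant controls make MFA unavoidable for in-scope sign-ins."""
    grant = policy.get("grantControls") or {}
    # Every authentication strength, built-in or custom, is a multifactor combination.
    if grant.get("authenticationStrength"):
        return True
    controls = grant.get("builtInControls") or []
    if "mfa" not in controls:
        return False
    # With operator OR and a second control (e.g. compliantDevice), a user who
    # satisfies the other control never performs MFA, so MFA is not enforced.
    return len(controls) == 1 or grant.get("operator") == "AND"


def covers_all_users_and_apps(policy: Policy) -> bool:
    """True when the policy is scoped to every user and every cloud app."""
    conds = policy.get("conditions") or {}
    users = conds.get("users") or {}
    apps = conds.get("applications") or {}
    return ALL in (users.get("includeUsers") or []) and ALL in (
        apps.get("includeApplications") or []
    )


def excluded_identities(policy: Policy) -> list[str]:
    """Users, groups and roles carved out of the policy (e.g. break-glass accounts)."""
    users = (policy.get("conditions") or {}).get("users") or {}
    keys = (("user", "excludeUsers"), ("group", "excludeGroups"), ("role", "excludeRoles"))
    return [f"{kind}:{obj_id}" for kind, key in keys for obj_id in users.get(key) or []]


def evaluate(policies: list[Policy]) -> dict[str, Any]:
    """Report whether at least one enabled policy enforces MFA for all users."""
    enforcing, report_only, exclusions = [], [], []
    for p in policies:
        if not (requires_mfa(p) and covers_all_users_and_apps(p)):
            continue
        name = p.get("displayName", p.get("id", "<unnamed>"))
        if p.get("state") == ENABLED:
            enforcing.append(name)
            exclusions.extend(excluded_identities(p))
        elif p.get("state") == REPORT_ONLY:
            report_only.append(name)  # useful context, but it enforces nothing
    return {
        "compliant": bool(enforcing),
        "enforcing_policies": enforcing,
        "report_only_policies": report_only,
        "exclusions_to_review": sorted(set(exclusions)),
    }


# Constructed sample data; object IDs in angle brackets are placeholders.
ALL_SCOPE = {"users": {"includeUsers": [ALL]}, "applications": {"includeApplications": [ALL]}}
SAMPLE_POLICIES: list[Policy] = [
    {   # Satisfies the requirement; the one exclusion should be a break-glass account.
        "displayName": "Require MFA for all users", "state": ENABLED,
        "conditions": {"users": {"includeUsers": [ALL], "excludeUsers": ["<break-glass-object-id>"]},
                       "applications": {"includeApplications": [ALL]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # Scoped to directory roles only, so it does not cover all users.
        "displayName": "Require MFA for admins", "state": ENABLED,
        "conditions": {"users": {"includeRoles": ["<role-template-id>"]},
                       "applications": {"includeApplications": [ALL]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # "MFA OR compliant device": a compliant device bypasses MFA entirely.
        "displayName": "MFA or compliant device", "state": ENABLED, "conditions": ALL_SCOPE,
        "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]},
    },
    {   # Phishing-resistant strength, but report-only: it enforces nothing yet.
        "displayName": "Phishing-resistant MFA pilot", "state": REPORT_ONLY, "conditions": ALL_SCOPE,
        "grantControls": {"operator": "OR", "authenticationStrength": {"id": "<auth-strength-id>"}},
    },
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_POLICIES))
```

To run this against a real tenant, replace SAMPLE_POLICIES with the "value" array from the Graph call above (Policy.Read.All permission), and treat every entry in exclusions_to_review as something that must be justified, since each one is an account that the tenant-wide requirement does not protect.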