
Phishing-resistant MFA SHALL be required for highly privileged roles.

Why This Matters

Highly privileged roles in Microsoft Entra ID, such as Global Administrator or Privileged Role Administrator, have near-total control over the tenant. Without phishing-resistant multifactor authentication (MFA), these accounts remain exposed to attacks that defeat conventional MFA: attacker-in-the-middle (AiTM) phishing kits that proxy the real sign-in page and capture the resulting session token, and MFA fatigue (push bombing) against push-based approvals. Phishing-resistant methods such as FIDO2 security keys, passkeys, Windows Hello for Business and certificate-based authentication bind the credential to the legitimate origin, so a proxied sign-in cannot complete. Enforcing them for these roles is a critical security baseline against account takeover and the tenant-wide privilege escalation that follows it.

What Aether365 Checks

This check verifies that Microsoft Entra ID authentication policies require phishing-resistant MFA for all users assigned to highly privileged administrative roles. You can view this result under the entra-id checks category in your Aether365 compliance dashboard.
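The following is an added example of how such a check can be evaluated offline against the JSON that Conditional Access policies have in Microsoft Graph; it is not Aether365's own code. It assumes the built-in authentication strength ID for "Phishing-resistant MFA" (`00000000-0000-0000-0000-000000000004`), the role template IDs for Global Administrator and Privileged Role Administrator, and a fixed set of two privileged roles; custom authentication strengths and per-user exclusions (e.g. break-glass accounts) are not modelled. The sample policies are constructed, not exported from a tenant.

```python
"""Evaluate Conditional Access policies for the 'phishing-resistant MFA for
highly privileged roles' check.

Added example, not Aether365's own code.  Policy objects use the shape returned by
GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies; the
SAMPLE_POLICIES below are constructed for this example, not exported from a tenant.
"""

# Built-in Entra authentication strength "Phishing-resistant MFA" (assumed ID).
PHISHING_RESISTANT_STRENGTH_ID = "00000000-0000-0000-0000-000000000004"

# Role template IDs of the roles this example treats as highly privileged.
# The set Aether365 actually evaluates is an assumption here.
PRIVILEGED_ROLE_IDS = {
    "62e90394-69f5-4237-9190-012177145e10": "Global Administrator",
    "e8611ab8-c189-46e8-94e1-60213ab1f814": "Privileged Role Administrator",
}


def policy_enforces_phishing_resistant(policy: dict) -> bool:
    """True only if the policy is enforced (not report-only or disabled), applies to
    all cloud apps, and its grant requires the phishing-resistant strength."""
    if policy.get("state") != "enabled":
        return False
    grant = policy.get("grantControls") or {}
    strength = grant.get("authenticationStrength") or {}
    if strength.get("id") != PHISHING_RESISTANT_STRENGTH_ID:
        return False
    # Graph reports operator "OR" even for a single control.  With OR and another
    # control present (e.g. compliantDevice) the user may satisfy that control
    # instead, so the strength is not actually enforced.
    if grant.get("operator") == "OR" and grant.get("builtInControls"):
        return False
    apps = (policy.get("conditions") or {}).get("applications") or {}
    return apps.get("includeApplications") == ["All"]


def covered_roles(policy: dict) -> set:
    """Privileged role IDs in the policy's user scope, minus explicit role exclusions."""
    users = (policy.get("conditions") or {}).get("users") or {}
    if users.get("includeUsers") == ["All"]:
        included = set(PRIVILEGED_ROLE_IDS)
    else:
        included = set(users.get("includeRoles") or []) & set(PRIVILEGED_ROLE_IDS)
    return included - set(users.get("excludeRoles") or [])


def evaluate(policies: list) -> dict:
    """Map each privileged role name to whether at least one enforced policy covers it."""
    protected = set()
    for policy in policies:
        if policy_enforces_phishing_resistant(policy):
            protected |= covered_roles(policy)
    return {name: rid in protected for rid, name in PRIVILEGED_ROLE_IDS.items()}


def check_passes(policies: list) -> bool:
    """The check passes only when every privileged role is covered."""
    return all(evaluate(policies).values())


def _policy(name, state, roles=None, all_users=False, strength=None, controls=()):
    """Build a minimal policy object in Graph's shape (helper for the constructed sample)."""
    users = {"includeUsers": ["All"]} if all_users else {"includeRoles": list(roles or [])}
    grant = {"operator": "OR", "builtInControls": list(controls)}
    if strength:
        grant["authenticationStrength"] = {"id": strength, "displayName": "Phishing-resistant MFA"}
    return {
        "displayName": name,
        "state": state,
        "conditions": {"users": users, "applications": {"includeApplications": ["All"]}},
        "grantControls": grant,
    }


GA, PRA = list(PRIVILEGED_ROLE_IDS)

# Constructed sample tenant: Global Admins are covered, Privileged Role Admins only
# get classic MFA, and a report-only policy does not count.
SAMPLE_POLICIES = [
    _policy("Admins - phishing-resistant", "enabled", roles=[GA],
            strength=PHISHING_RESISTANT_STRENGTH_ID),
    _policy("PRA - legacy MFA", "enabled", roles=[PRA], controls=["mfa"]),
    _policy("All admins - strength (report only)", "enabledForReportingButNotEnforced",
            roles=[GA, PRA], strength=PHISHING_RESISTANT_STRENGTH_ID),
]

# Same tenant after remediation: one enforced policy scoped to all users.
REMEDIATED_POLICIES = SAMPLE_POLICIES[1:] + [
    _policy("All users - phishing-resistant", "enabled", all_users=True,
            strength=PHISHING_RESISTANT_STRENGTH_ID),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_POLICIES), check_passes(SAMPLE_POLICIES))
    print(evaluate(REMEDIATED_POLICIES), check_passes(REMEDIATED_POLICIES))
```

Two details matter when reading real tenant output: a report-only policy (`enabledForReportingButNotEnforced`) protects nobody, and a grant with operator `OR` plus a second control lets a user satisfy the weaker control instead of the authentication strength, so both are treated as failing here.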
