🎯 Purpose
✅ Define which authentication methods are accepted as multi‑factor authentication (MFA) to support Essential Eight – Maturity Level 1.
👥 Who is affected
✅ Users: All users (when referenced by a Conditional Access policy)
🚫 Exclusions: None
➡️ Any user subject to MFA must meet this authentication strength.
☁️ What access is protected
✅ Applications: All cloud applications (via Conditional Access)
✅ Client types: Browser, mobile, desktop
➡️ Applies wherever this authentication strength is enforced.
🔐 How MFA is enforced
✅ Requires at least one valid MFA combination
✅ Satisfies Microsoft’s “mfa” requirement
✅ Allows a broad set of MFA‑capable authentication methods
➡️ Password‑only authentication is not permitted.
ℹ️ Note:
Phishing‑resistant MFA is allowed but not required at Maturity Level 1.
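The check below is an added example, not part of the original policy page or Microsoft's tooling: it audits an exported authentication strength against the rules above (satisfies "mfa", no password-only combination, phishing-resistant methods allowed but optional). The field names follow the Microsoft Graph authenticationStrengthPolicy resource; the sample policy, its display name, and the single-factor classification are assumptions made for illustration.

```python
import json

# Constructed sample: shape follows the Microsoft Graph authenticationStrengthPolicy
# resource; the display name and combination list are illustrative, not the page's policy.
SAMPLE_POLICY = json.loads("""
{
  "displayName": "E8-ML1-MFA (constructed example)",
  "policyType": "custom",
  "requirementsSatisfied": "mfa",
  "allowedCombinations": [
    "fido2",
    "windowsHelloForBusiness",
    "password,microsoftAuthenticatorPush",
    "password,softwareOath",
    "password,sms"
  ]
}
""")

# Assumption: modes that count as a single factor when allowed on their own.
SINGLE_FACTOR_ALONE = {"password", "sms", "voice", "email",
                       "federatedSingleFactor", "x509CertificateSingleFactor"}
# Methods accepted by Microsoft's built-in phishing-resistant strength.
PHISHING_RESISTANT = {"fido2", "windowsHelloForBusiness", "x509CertificateMultiFactor"}

def audit_strength(policy):
    """Return (findings, phishing_resistant_combos) for one exported policy."""
    findings = []
    combos = policy.get("allowedCombinations", [])
    if policy.get("requirementsSatisfied") != "mfa":
        findings.append("requirementsSatisfied is not 'mfa'")
    if not combos:
        findings.append("no allowed combinations defined")
    for combo in combos:
        modes = [m.strip() for m in combo.split(",") if m.strip()]
        # A lone single-factor mode would permit password-only style sign-in.
        if len(modes) == 1 and modes[0] in SINGLE_FACTOR_ALONE:
            findings.append(f"single-factor combination allowed: {combo}")
    resistant = [c for c in combos if c in PHISHING_RESISTANT]
    return findings, resistant

if __name__ == "__main__":
    findings, resistant = audit_strength(SAMPLE_POLICY)
    print("findings:", findings or "none")
    print("phishing-resistant methods allowed (not required at ML1):", resistant)
```

An empty findings list means the exported strength matches the Maturity Level 1 intent described here; the second return value shows which phishing-resistant methods are already permitted ahead of a move to higher maturity levels.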
⚙️ What this policy does NOT enforce
🚫 Phishing‑resistant MFA only
🚫 Minimum assurance rules
🚫 Mandatory authentication method combinations
➡️ This is intentional for Maturity Level 1.
🟢 Policy status
✅ Enabled
✅ Available for use in Conditional Access policies
📘 Essential Eight Alignment
✅ Supports Essential Eight – Multi‑Factor Authentication (Maturity Level 1)
✅ Ensures MFA can be satisfied without forcing high‑assurance methods
ℹ️ Phishing‑resistant MFA is addressed in Maturity Levels 2 and 3
📘 Practical Interpretation (Executive‑Friendly)
This authentication strength ensures that:
✅ Users must authenticate using MFA
✅ Multiple Microsoft‑approved MFA methods are permitted
✅ Stronger authentication can be introduced later without redesign
This provides the baseline MFA capability required for Essential Eight Maturity Level 1 while allowing progression to higher maturity levels.

