M365 Security 2025: Transitioning to Phish-Resistant MFA and Stricter Policies

27 November 2025

Since September 30, 2025, insecure multi-factor authentication (MFA) methods such as SMS and phone call have been gradually phased out in the Microsoft Entra environment and replaced by phishing-resistant methods.

Microsoft anchors these requirements in binding security standards in the Entra Admin Center and actively drives companies to use modern authentication such as FIDO2 keys, Windows Hello for Business, and Passkeys. These changes mark a clear paradigm shift in identity security and require comprehensive technical and organizational adjustments.

Against the backdrop of the current threat landscape – according to Microsoft, more than 97% of all identity attacks are executed using password spray or brute-force methods (password spraying tests a few common passwords against many accounts, while brute force systematically tries many passwords against individual accounts) and 28% of all security incidents are triggered by phishing or social engineering – the question for 2025 is how robust a company’s identity and security architecture proves to be under real attacks.

Phishing-Resistant MFA: The Most Important Security Changes

A central response to the increasing attack dynamics is the consistent introduction of phishing-resistant authentication methods. Classic MFA long protected against credential stuffing – i.e., automated login attempts using previously stolen credentials – and against account hijacking, where attackers fully take over existing accounts.
Modern attackers increasingly bypass SMS codes and push confirmations through social engineering or MFA fatigue. Microsoft therefore anchors the transition to cryptographically bound MFA methods in its new security standards – methods whose proof of possession cannot be relayed through a phishing site or captured by a fake login form.
A central element is “Token Protection”: Since 2025, Microsoft has increasingly relied on device-bound sign-in tokens that are cryptographically tied to the device that created them. This makes session hijacking and token theft significantly more difficult – an important advancement for hybrid and mobile work environments.

The Shift to Passwordless and Hardware-Based Login Methods

In addition to protecting sessions themselves, Microsoft is increasingly shifting the authentication process towards passwordless, hardware-based methods that largely eliminate the vulnerability of classic factors. Phishing-resistant methods not only replace insecure methods but fundamentally change the architecture of sign-in:

  • FIDO2 Security Keys
    Hardware-based keys that store private keys locally and do not transmit sensitive data.
  • Windows Hello for Business
    Biometric sign-in or PIN, where no password travels over the network – ideal for corporate devices.
  • Passkeys
    WebAuthn-based logins that fully shift the sign-in to the trusted device.

Microsoft Entra uses “Authentication Strength” to precisely define which methods are permitted for certain roles, groups, or applications. This allows companies to enforce phishing-resistant MFA as mandatory and specifically exclude weak legacy methods.
These methods are the foundation. However, they only unfold their full effect when controlled via Conditional Access and embedded into a consistently hardened tenant configuration. Only this combination creates a resilient and consistently secured identity architecture.
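As an added example (not code from the original article), the following Microsoft Graph PowerShell script defines a custom Authentication Strength that accepts only device-bound combinations and prints the built-in "Phishing-resistant MFA" strength for comparison; the policy name and the list of allowed modes are choices made for this example.

```powershell
# Added example, not code from the original article: create a custom Authentication
# Strength that accepts only hardware-bound, phishing-resistant combinations, and show
# the built-in "Phishing-resistant MFA" strength for comparison.
# Assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns) and a
# signed-in admin holding the Policy.ReadWrite.AuthenticationMethod permission.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod" -NoWelcome

# The built-in strength ships with every tenant and can be referenced from Conditional
# Access as-is; print the combinations it allows so the custom one can be compared to it.
$builtIn = Get-MgPolicyAuthenticationStrengthPolicy -All |
    Where-Object { $_.PolicyType -eq "builtIn" -and $_.DisplayName -eq "Phishing-resistant MFA" }
"Built-in '$($builtIn.DisplayName)' allows: $($builtIn.AllowedCombinations -join ' | ')"

# Each entry is one allowed combination of authenticationMethodModes values (comma-separated
# when a combination needs two modes, e.g. "password,hardwareOath"). Only single-mode,
# device-bound entries are listed here; sms, voice, password and push are deliberately absent.
$allowed = @(
    "fido2",                     # FIDO2 security keys and device-bound passkeys
    "windowsHelloForBusiness",   # TPM-backed key on a corporate Windows device
    "x509CertificateMultiFactor" # smart card / certificate-based auth with an MFA policy
)

# Guard against a typo quietly re-admitting a weak mode into a "phishing-resistant" policy.
$weakModes  = "password","sms","voice","email","softwareOath","hardwareOath","microsoftAuthenticatorPush"
$reAdmitted = $allowed | Where-Object { @($_ -split ",") | Where-Object { $weakModes -contains $_ } }
if ($reAdmitted) { throw "Weak mode present in allowed combinations: $($reAdmitted -join '; ')" }

$body = @{
    displayName         = "Admin PR-MFA (device-bound only)"   # name chosen for this example
    description         = "FIDO2, Windows Hello for Business or multi-factor certificate only"
    allowedCombinations = $allowed
}
$custom = New-MgPolicyAuthenticationStrengthPolicy -BodyParameter $body
"Created custom strength $($custom.Id) ($($custom.PolicyType)): $($custom.AllowedCombinations -join ' | ')"
```

The custom strength's Id is what a Conditional Access grant control references; the built-in one can be used the same way without creating anything.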

Tenant Hardening in Microsoft Entra: The Key Controls for Robust Identity Security

Tenant hardening means above all: consistently enforcing security standards. Microsoft is tightening the policy landscape through stricter baselines, consistent strong authentication, and clearly defined protection mechanisms for privileged identities.
Basic Authentication is no longer supported by Microsoft and should be consistently disabled in all remaining integrations. Entra increasingly uses policy-based controls for sensitive permissions.

  • Full deactivation of all Basic Auth protocols
  • Risk-based access controls via Entra ID Protection
  • Strictly managed break-glass accounts for emergencies
  • Role-based protection with Privileged Identity Management (PIM)

For this, companies need a clear policy stack: consistent MFA enforcement, granularly controlled Conditional Access policies, device-bound administrator access, and consistent implementation of all Microsoft baselines and managed policies.

Admin Policies, Authentication Strength & Policy Enforcement

Companies often underestimate the depth of the requirements. The Identity Secure Score in Microsoft Entra shows as a percentage how well your environment follows Microsoft’s recommended best practices. A score of over 70% is a good indicator but not a guarantee that your identity architecture is fully protected by phishing-resistant MFA (PR-MFA).
What matters is not just the score, but the density of policies, the elimination of exceptions, and the consistent implementation of admin policies, Authentication Strength policies, and policy enforcement.

Important aspects:

  • Administrators must work exclusively from trusted devices.
  • Session controls should limit risky actions.
  • Compliance signals from endpoint security must feed into Conditional Access.
  • Authentication Strength Policies must enforce PR-MFA methods – not just recommend them.
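The four points above combined into one Conditional Access policy, as an added example that is not part of the original article: privileged roles get the built-in phishing-resistant strength plus a compliant-device requirement and session limits, break-glass accounts are excluded, and the policy starts in report-only mode; the role list and the break-glass UPNs are placeholders to adapt.

```powershell
# Added example, not code from the original article: a Conditional Access policy for
# privileged roles that requires the built-in "Phishing-resistant MFA" strength AND a
# compliant device, drops persistent browser sessions, excludes the break-glass accounts,
# and starts in report-only mode so its effect can be reviewed in sign-in logs first.
# Assumes the Microsoft Graph PowerShell SDK with Policy.ReadWrite.ConditionalAccess,
# Policy.Read.All and RoleManagement.Read.Directory; the break-glass UPNs are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","RoleManagement.Read.Directory" -NoWelcome

# Resolve the built-in strength by name rather than hard-coding its id.
$prMfa = Get-MgPolicyAuthenticationStrengthPolicy -All |
    Where-Object { $_.PolicyType -eq "builtIn" -and $_.DisplayName -eq "Phishing-resistant MFA" }
if (-not $prMfa) { throw "Built-in 'Phishing-resistant MFA' strength not found in this tenant" }

# Target roles by role-template id; extend the list to match your own privileged-role set.
$roleNames = "Global Administrator","Privileged Role Administrator","Security Administrator",
             "Conditional Access Administrator","Exchange Administrator"
$roleIds = @(Get-MgDirectoryRoleTemplate -All |
    Where-Object { $roleNames -contains $_.DisplayName } | Select-Object -ExpandProperty Id)
if ($roleIds.Count -ne $roleNames.Count) { throw "Not every role name resolved to a template id" }

# Break-glass accounts stay excluded, so a mistake in this policy cannot lock out every admin.
# The two UPNs below are placeholders for this example.
$breakGlass = @("breakglass1@contoso.example","breakglass2@contoso.example" |
    ForEach-Object { (Get-MgUser -UserId $_ -Property Id).Id })

$policy = @{
    displayName = "Admins: PR-MFA + compliant device (report-only)"
    state       = "enabledForReportingButNotEnforced"   # change to "enabled" after review
    conditions  = @{
        users          = @{ includeRoles = $roleIds; excludeUsers = $breakGlass }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "AND"                  # both controls must be satisfied
        builtInControls        = @("compliantDevice")   # Intune compliance signal
        authenticationStrength = @{ id = $prMfa.Id }    # PR-MFA instead of plain "mfa"
    }
    sessionControls = @{
        persistentBrowser = @{ isEnabled = $true; mode = "never" }   # no "stay signed in"
        signInFrequency   = @{ isEnabled = $true; type = "hours"; value = 8 }
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"
```

Review the report-only results in the sign-in logs before switching the state to "enabled", and test the break-glass accounts against the final policy set.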

Tenant hardening arises only through the combination of technical controls, consistent policy application, and clear administrative governance.

Strategic Recommendations

Industry requirements lead to clear technical priorities: companies must adapt their identity architecture in time to meet regulatory requirements and security demands.

The following steps are essential:

  • Analyze active authentication methods and identify insecure variants
  • Set up FIDO2 support, Hello for Business, and Passkeys
  • Enforce PR-MFA via Conditional Access with granular policies
  • Deactivate SMS- and voice-based MFA methods
  • Train users in the use of new methods
  • Monitor via Microsoft Secure Score and audit logs
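For the first and last of these steps, here is an added example (not from the original article) that inventories registered MFA methods from the Entra registration-details report and flags users who would be left with no MFA once SMS and voice are retired, plus admins without any phishing-resistant method; the method-name strings are assumed to be those the report returns today.

```powershell
# Added example, not code from the original article: inventory the registered MFA methods
# of all member users, flagging (a) users whose only MFA methods are phone-based (SMS/voice),
# which the retirement removes, and (b) admins with no phishing-resistant method registered.
# Assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Reports) with the
# AuditLog.Read.All and UserAuthenticationMethod.Read.All permissions; the method-name
# strings are those the registration-details report returned at the time of writing.
Connect-MgGraph -Scopes "AuditLog.Read.All","UserAuthenticationMethod.Read.All" -NoWelcome

$phoneMethods = "mobilePhone","alternateMobilePhone","officePhone"   # SMS and voice call
$ssprOnly     = "email","securityQuestion"                            # never usable as MFA
$prPattern    = '^(fido2|passKey|windowsHelloForBusiness|macOsSecureEnclaveKey)'  # PR-MFA family

$report = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { $_.UserType -eq "member" }

$findings = foreach ($row in $report) {
    $mfaMethods = @($row.MethodsRegistered | Where-Object { $ssprOnly -notcontains $_ })
    $nonPhone   = @($mfaMethods | Where-Object { $phoneMethods -notcontains $_ })
    $prMethods  = @($mfaMethods | Where-Object { $_ -match $prPattern })
    [pscustomobject]@{
        User           = $row.UserPrincipalName
        IsAdmin        = $row.IsAdmin
        MfaRegistered  = $row.IsMfaRegistered
        PhoneOnlyMfa   = ($mfaMethods.Count -gt 0 -and $nonPhone.Count -eq 0)  # loses MFA at cut-over
        PhishResistant = ($prMethods.Count -gt 0)
        AdminWithoutPr = ($row.IsAdmin -and $prMethods.Count -eq 0)            # violates admin policy
        Methods        = ($row.MethodsRegistered -join ",")
    }
}

# Summary first, then the two lists an identity team needs to work through before cut-over.
$phoneOnlyCount = @($findings | Where-Object PhoneOnlyMfa).Count
$adminGapCount  = @($findings | Where-Object AdminWithoutPr).Count
"Members: $($findings.Count)  Phone-only MFA: $phoneOnlyCount  Admins without PR-MFA: $adminGapCount"
$findings | Where-Object { $_.PhoneOnlyMfa -or $_.AdminWithoutPr } |
    Sort-Object -Property IsAdmin -Descending |
    Format-Table User, IsAdmin, PhoneOnlyMfa, PhishResistant, Methods
$findings | Export-Csv -Path ".\mfa-method-inventory.csv" -NoTypeInformation   # keep as audit evidence
```

Re-run the script after each enrollment wave; the phone-only count should reach zero before SMS and voice are disabled in the authentication methods policy.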

In practice, many organizations disable Basic Auth but do not consistently apply Authentication Strength policies. The risk surface remains, even as the score rises.

Security Operations in Focus

The transition to phishing-resistant MFA, the use of passwordless methods, and the strict securing of the tenant change the security strategy of many companies. Identities become the central control point, Conditional Access the governance layer, and the tenant the clearly defined security boundary.
Companies that act early increase their resilience to phishing significantly and create a stable foundation for Zero Trust models in Microsoft 365.

Every access point is a potential attack vector.
Make your sign-in paths phishing-resistant.

Legacy MFA creates attack surfaces that are no longer acceptable today. We support the transition to modern authentication methods – from technical implementation to successful user adoption. Strengthen your security architecture with PR-MFA, a consistently secured tenant configuration, and clear Zero Trust control mechanisms.
