DSInternalsAuthentication Methods Available in Azure Active Directory
Authentication Method Comparison
| Method | PHR | Passwordless | SSPR | Winlogon | RDP (AD) | RDP (AAD) | RADIUS | Mobile | Web | Primary Factor | 2nd Factor |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Password Only | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| FIDO2 Security Key | ✅ | ✅ | ❌ | ✅ | ◐ | ✅ | ❌ | ◐ | ✅ | ✅ | ✅ |
| Microsoft Authenticator (Push) | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ |
| Microsoft Authenticator (Passwordless) | ❌ | ✅ | ❌ | ✅ | ◐ | ✅ | ❌ | ✅ | ✅ | ✅ | ❌ |
| Windows Hello for Business | ✅ | ✅ | ❌ | ✅ | ◐ | ✅ | ❌ | ❌ | ✅ | ✅ | ❌ |
| Certificate on a Smart Card | ✅ | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ | ◐ | ✅ | ✅ | ✅ |
| Software TOTP Token | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ |
| Hardware OATH Token | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ |
| SMS | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Temporary Access Pass | ❌ | ❌ | ❌ | ✅ | ◐ | ✅ | ❌ | ✅ | ✅ | ✅ | ❌ |
| Voice Call | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ |
| Email OTP | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ✅ | ✅ | ✅ | ❌ |
| Security Questions | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
Notes
- The table does not cover Federated MFA.
- RDP to AD-only joined devices with FIDO2 Security Keys, Windows Hello for Business, and Temporary Access Pass only works with the Remote Credential Guard and Restricted Admin features. The Azure AD Kerberos trust is required in some scenarios.
- Smart card support depends on the specific OS and HW combination used.
- FIDO2 security keys do not work on Android phones yet.
-
Even though mobile phones do not directly support Windows Hello for Business, it can still be used indirectly in the Microsoft Authenticator app with the OAuth 2.0 device code authentication flow:
Disclaimer
The table might have gotten outdated since it had been created. Feel free to ping me if you discover any errors in it.