Not all MFA is created equal. While SMS codes or push notifications are better than nothing, they're still vulnerable to phishing and "MFA fatigue" attacks. Admin accounts, which hold the keys to your entire tenant, need stronger protection. Phishing-resistant MFA like FIDO2 security keys provides cryptographic authentication that can't be easily tricked or replayed.
The Risk If Ignored
-
Phishing attacks succeed: Admins may still approve fraudulent login prompts.
-
Push fatigue exploitation: Attackers bombard admins with MFA requests until they click “approve” out of frustration.
-
Tenant-wide compromise: If an admin account falls, attackers can disable defenses and spread laterally.
How to Implement
-
Go to Entra ID Admin Center.
-
Navigate: Security > Authentication methods.
-
Enable FIDO2 Security Keys as an available method.
-
Distribute keys to all users with privileged admin roles.
-
Create a Conditional Access policy:
-
Target administrative roles.
-
Require phishing-resistant MFA (FIDO2).
-
Block weaker methods for these accounts.
Commonly Overlooked Pitfalls
-
Half adoption: Enabling FIDO2 without requiring it means admins may fall back on weaker methods.
-
Lost keys: Admins need backup methods (e.g., a second FIDO2 key) to avoid lockouts.
-
Exempted accounts: Break-glass accounts must be secured separately but never left wide open.
Steps to Strengthen Protection
-
Provide backup options
-
Harden break-glass accounts
-
Audit MFA usage
-
Train your admins
Admin accounts deserve the strongest locks. By enforcing phishing-resistant MFA with FIDO2 keys, you close the door on phishing kits and MFA fatigue attacks. Strong authentication for privileged users isn't just best practice it's essential survival.
