If one stolen password can still open SharePoint or Exchange Online, the identity side of your CMMC story is weak.
When I help security teams tighten Microsoft 365 access, I don’t start with “turn on MFA” and call it done. I use Entra ID authentication strengths to control which sign-in methods are allowed for which users, apps, and risk points. That supports CMMC Level 2 well, but it does not replace the rest of your compliance work.
Why authentication strengths matter for CMMC Level 2
Authentication strengths are a Conditional Access control in Microsoft Entra ID. They let me say, in plain terms, “this app requires this class of authentication.” That is more useful than a broad MFA prompt, because not all MFA methods carry the same risk. Microsoft’s authentication strengths overview and how the policy engine evaluates them are worth reading before rollout.

I usually explain the built-in strengths this way:
| Strength | What it allows | Where I use it |
|---|---|---|
| MFA | Broad MFA options, including weaker methods | Transitional rollout for lower-risk users |
| Passwordless MFA | Windows Hello, FIDO2, passwordless phone sign-in | Managed endpoint groups |
| Phishing-resistant MFA | FIDO2, Windows Hello for Business, strong certificate-based methods | Admins, CUI apps, high-risk access |
For CMMC Level 2, this lines up with three plain-English expectations. First, Access Control means only the right people reach CUI-related systems, under the right conditions. Second, Identification and Authentication means users prove who they are with approved methods, not whatever happens to be registered. Third, MFA needs to cover privileged access and network access in ways an assessor can trace and verify. Microsoft’s CMMC Level 2 IA guidance and AAL2 guidance help connect those dots.
Authentication strengths support CMMC evidence, but they don’t cover logging, device state, admin process, or documentation by themselves.
Because of that, I treat phishing-resistant MFA as the target for admin roles and CUI-facing apps. I may allow broader MFA during migration, but I don’t leave it there longer than needed.
The Entra ID prerequisites I verify first
Before I touch a policy, I confirm licensing and role requirements. Authentication strengths depend on Conditional Access, so I want licensing that supports it. In many SMB tenants, that starts with Entra ID P1-class licensing, often through Microsoft 365 Business Premium. For stricter CMMC programs, I often see P2, because Privileged Identity Management and risk-based controls help. If contract terms or export rules push you toward government cloud, check that boundary early and document it in your System Security Plan, along with Microsoft’s broader CMMC configuration guidance.
Next, I verify method readiness. Users need matching methods registered before a policy bites them. My preferred order is FIDO2 security keys, Windows Hello for Business on managed Windows devices, and certificate-based auth where smart cards or PKI already exist. I keep backup methods on hand, because lost keys happen. I also want device compliance in place through Intune or an equivalent control, and I block legacy authentication before I expect clean results.
This work rarely sits alone. In my Small Business IT projects, identity hardening usually lands beside Cloud Infrastructure cleanup, Office 365 Migration work, and old Data Center Technology that still feeds line-of-business apps. For hospitality clients, Restaurant POS Support and Kitchen Technology Solutions add shared endpoints and fast staff turnover, so Cybersecurity Services have to include Endpoint Security and Device Hardening, not only sign-in rules. That is why I package this under Innovative IT Solutions, Tailored Technology Services, Cloud Management, and Technology Consulting. A real Business Technology Partner ties identity to Infrastructure Optimization, Digital Transformation, Secure Cloud Architecture, Managed IT for Small Business, a practical IT Strategy for SMBs, and stronger Business Continuity & Security.
How I configure authentication strengths and Conditional Access
I keep setup simple and testable.
1. I enable the methods I want to allow. For CMMC-sensitive access, that usually means FIDO2, Windows Hello for Business, and certificate-based auth. Microsoft added useful 2026 features such as external MFA support and passkey profiles, but for CUI access I still anchor policy around methods that clearly meet the stronger built-in controls.
2. I review whether a built-in strength is enough. In many cases, “Phishing-resistant MFA” is already the right answer. If I need tighter control, I create a custom strength from the advanced authentication strengths options. As of 2026, I can create up to 15 custom strengths, but I keep that number low. Too many custom policies turn cleanup into a guessing game.
3. I build Conditional Access in report-only mode first. My normal pattern is users or workload groups, then target apps, then conditions. For CUI-heavy Microsoft 365 use, that often means Exchange Online, SharePoint Online, Teams, and any custom enterprise apps that store or process regulated data. Under Grant, I choose “Require authentication strength.” If the app handles CUI, I also require a compliant device or other approved device signal. Microsoft’s CMMC access control guidance is helpful here.
4. I split policies by risk, not by convenience. Admin portals and privileged roles get phishing-resistant MFA from day one, often with PIM on top. General users may start with a broader MFA strength during a short adoption window. If I’m mid-tenant cleanup or an Office 365 Migration, I move the new cloud apps into the stronger policy first, because fresh architecture is easier to lock down than legacy sprawl.
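The custom strength and report-only policy from steps 2 and 3, as an added example built with the Microsoft Graph PowerShell SDK (not code from the original post). It assumes the Microsoft.Graph module is installed, that the group and break-glass object IDs below are replaced with values from your tenant, and that the three service principal display names resolve in your tenant.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph module.
$scopes = @('Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess',
            'Policy.ReadWrite.AuthenticationMethod', 'Application.Read.All')
Connect-MgGraph -Scopes $scopes

$cuiUsersGroupId   = '<object id of the CUI users group>'                             # placeholder
$breakGlassUserIds = @('<break-glass account 1 object id>', '<break-glass account 2 object id>')  # placeholder

# Step 2: a custom strength limited to the methods this post anchors CUI access on.
$cuiStrength = New-MgPolicyAuthenticationStrengthPolicy -BodyParameter @{
    displayName         = 'CUI phishing-resistant (FIDO2, WHfB, CBA)'
    description         = 'Admin roles and CUI-facing apps only'
    allowedCombinations = @('fido2', 'windowsHelloForBusiness', 'x509CertificateMultiFactor')
}

# Resolve target apps by service principal display name instead of hard-coding app IDs.
$cuiAppIds = foreach ($name in 'Office 365 Exchange Online', 'Office 365 SharePoint Online', 'Microsoft Teams') {
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$name'"
    if (-not $sp) { throw "Service principal '$name' not found in this tenant" }
    $sp.AppId
}

# Step 3: report-only policy. Grant = custom strength AND compliant device.
# Break-glass accounts are excluded here and nowhere else.
$policy = @{
    displayName   = 'CA-CUI-Require-PhishingResistant-MFA-and-Compliant-Device'
    state         = 'enabledForReportingButNotEnforced'   # report-only first; set 'enabled' after the pilot
    conditions    = @{
        users          = @{ includeGroups = @($cuiUsersGroupId); excludeUsers = $breakGlassUserIds }
        applications   = @{ includeApplications = $cuiAppIds }
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')   # legacy/EAS flows are blocked elsewhere
    }
    grantControls = @{
        operator               = 'AND'
        builtInControls        = @('compliantDevice')
        authenticationStrength = @{ id = $cuiStrength.Id }
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

Export the created policy object as part of the evidence set; the `State` value proves the report-only window existed before enforcement.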
A few method choices are worth calling out. I prefer FIDO2 keys for admins and for users who move across devices. Windows Hello for Business is excellent on company-managed Windows 11 systems with TPM-backed hardware. Certificate-based auth still fits well for firms with mature PKI, smart cards, or strict workstation controls. I avoid SMS and voice for anything tied to CUI if I can help it. They may satisfy a basic MFA check, but they don’t give me the same confidence or assessor story.
Rollout strategy, exclusions, and user impact
A bad rollout can wreck trust in a good control, so I pilot first. I use a small group with clear ownership, review sign-in logs, and watch for apps that break on older auth flows. Then I expand to one department at a time. Help desk scripts matter here, because most pain points are simple: a user lost a key, changed phones, or hit an app that still expects an old prompt.
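To make the pilot review above (and the method-readiness check from the prerequisites section) repeatable, here is an added example script, not code from the original post, that pulls the last seven days of sign-ins, lists which apps the report-only CUI policy would have blocked, and flags affected users with no phishing-resistant method registered. It assumes the Microsoft.Graph module, the policy display name shown, and that the method names match what your tenant's registration report returns.

```powershell
# Added example, not from the original post. Read-only Graph scopes are enough.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All', 'UserAuthenticationMethod.Read.All'

$policyName        = 'CA-CUI-Require-PhishingResistant-MFA-and-Compliant-Device'   # assumed policy name
# Assumed method names; add the values your tenant reports for CBA or passkey profiles.
$phishingResistant = @('fido2SecurityKey', 'windowsHelloForBusiness')

# Sign-ins from the last 7 days where the report-only policy would have failed the request.
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$wouldBlock = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object {
        $_.AppliedConditionalAccessPolicies |
            Where-Object { $_.DisplayName -eq $policyName -and $_.Result -eq 'reportOnlyFailure' }
    }

# Apps that would break: the "older auth flow" check from the pilot.
$wouldBlock | Group-Object AppDisplayName | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Method readiness for affected users: no phishing-resistant method means a help
# desk conversation before enforcement, not a lockout after it.
$registration = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Group-Object UserPrincipalName -AsHashTable -AsString

$wouldBlock | Select-Object -ExpandProperty UserPrincipalName -Unique | ForEach-Object {
    $upn     = $_
    $methods = @($registration[$upn].MethodsRegistered)
    [pscustomobject]@{
        User              = $upn
        PhishingResistant = [bool]($methods | Where-Object { $_ -in $phishingResistant })
        Registered        = ($methods -join ', ')
    }
} | Sort-Object PhishingResistant | Format-Table -AutoSize
```

On large tenants, narrow the sign-in filter to the pilot group's users or a shorter window; the full seven-day pull can be slow.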
I keep exclusions tight. Broad admin exclusions are how “temporary” gaps turn permanent. For emergency access, I maintain two break-glass accounts that are cloud-only, heavily monitored, and excluded only where needed to recover the tenant if Conditional Access fails. They should not have mailboxes, they should have long passwords stored securely offline, and I test them on a schedule. Service accounts are another trap. If a process doesn’t support strong interactive auth, I move it toward managed identities, app registrations, or certificate-based approaches instead of letting a user account float outside policy.
Guest access also needs a decision. In some cases, I trust MFA from the partner’s home tenant. In others, I challenge in the resource tenant. Either choice needs to be written down, because an assessor will care more about consistent practice than vague intent.
For evidence, I save policy exports, screenshots, sign-in reports, method coverage, and exception records. That proof matters almost as much as the control.
Conclusion
Strong identity control is one of the clearest wins in CMMC Level 2 work, and Entra ID authentication strengths give me a clean way to enforce it.
If I had to pick one starting point, I would put phishing-resistant MFA on privileged roles and CUI-facing apps, run report-only first, and keep emergency access separate and documented. That approach is practical, supportable, and much closer to what a compliance-minded security team needs in 2026.