CIS.M365.5.2.3.5 - Ensure weak authentication methods are disabled
Overview
5.2.3.5 (L1) Ensure weak authentication methods are disabled
Authentication methods support a wide variety of scenarios for signing in to Microsoft 365 resources. Some of these methods are inherently more secure than others but require more investment in time to get users enrolled and operational.
SMS and Voice Call rely on telephony carrier communication methods to deliver the authenticating factor.
The recommended state is to Disable these methods:
- SMS
- Voice Call
Rationale
Traditional MFA methods such as SMS codes, email-based OTPs, and push notifications are becoming less effective against today's attackers. Sophisticated phishing campaigns have demonstrated that second factors can be intercepted or spoofed. Attackers now exploit social engineering, man-in-the-middle tactics, and user fatigue (e.g., MFA bombing) to bypass these mechanisms. These risks are amplified in distributed, cloud-first organizations with hybrid workforces and varied device ecosystems.
The SMS and Voice Call methods are also vulnerable to SIM swapping, which could allow an attacker to gain access to your Microsoft 365 account.
Impact
There may be increased administrative overhead in adopting more secure authentication methods depending on the maturity of the organization.
Remediation action:
- Navigate to Microsoft Entra admin center.
- Click to expand Entra ID > Authentication methods.
- Select Policies.
- Inspect each method that is out of compliance and remediate:
  - Click on the method to open it.
  - Change the Enable toggle to the off position.
  - Click Save.
Note: If the save button remains greyed out after toggling a method off, then first turn it back on and then change the position of the Target selection (all users or select groups). Turn the method off again and save. This was observed to be a bug in the UI at the time this document was published.
PowerShell
- Connect to Graph using:

```powershell
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"
```

- Run the following to disable these two authentication methods:

```powershell
$params = @(
    @{ Id = "Sms"; State = "disabled" },
    @{ Id = "Voice"; State = "disabled" }
)
Update-MgPolicyAuthenticationMethodPolicy -AuthenticationMethodConfigurations $params
```
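To confirm the tenant state before and after remediation, the following added example (not Maester's own test code, and not from the CIS benchmark) reads the tenant-wide authentication method policy and reports whether each weak method is still enabled. It assumes the Microsoft.Graph.Identity.SignIns module and an existing Connect-MgGraph session whose scope permits reading the policy (the Policy.ReadWrite.AuthenticationMethod scope used above suffices); the function name Test-WeakAuthMethodsDisabled is hypothetical.

```powershell
# Added example: report the state of the CIS 5.2.3.5 "weak" methods (SMS, Voice Call)
# in the tenant-wide authentication method policy. Assumes an active Connect-MgGraph
# session with a scope that can read the policy (e.g. Policy.ReadWrite.AuthenticationMethod).
function Test-WeakAuthMethodsDisabled {
    [CmdletBinding()]
    param(
        # Method IDs the benchmark expects to be disabled; these are the IDs
        # used by Update-MgPolicyAuthenticationMethodPolicy above.
        [string[]] $WeakMethodIds = @('Sms', 'Voice')
    )

    # One policy object per tenant; its AuthenticationMethodConfigurations
    # collection holds an entry per method with an Id and a State (enabled/disabled).
    $policy = Get-MgPolicyAuthenticationMethodPolicy

    foreach ($id in $WeakMethodIds) {
        $config = $policy.AuthenticationMethodConfigurations | Where-Object { $_.Id -eq $id }

        # A method missing from the collection cannot be enabled, so treat it as compliant.
        $state = if ($null -ne $config) { $config.State } else { 'not present' }

        [pscustomobject]@{
            Method    = $id
            State     = $state
            Compliant = ($null -eq $config) -or ($config.State -eq 'disabled')
        }
    }
}

# Usage: list the methods and flag the check as failed if any weak method is still enabled.
$result = Test-WeakAuthMethodsDisabled
$result | Format-Table -AutoSize
if ($result.Compliant -contains $false) {
    Write-Warning 'CIS 5.2.3.5: one or more weak authentication methods are still enabled.'
}
```

Run the function again after executing the remediation commands above; every row should then show State "disabled" and Compliant True.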
Related links
- Microsoft Entra admin center
- Manage authentication methods for Microsoft Entra ID
- Context and problem
- What is SIM swapping & how does the hijacking scam work?
- CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 288
Test Metadata
| Field | Value |
|---|---|
| Test ID | CIS.M365.5.2.3.5 |
| Severity | Unknown |
| Suite | CIS |
| Category | CIS E3 Level 1 |
| PowerShell test | Test-MtCisWeakAuthenticationMethodsDisabled |
| Tags | CIS, CIS E3, CIS E3 Level 1, CIS E5, CIS E5 Level 1, CIS M365 v6.0.1, CIS.M365.5.2.3.5, L1, Security |
Source
- Pester test: tests/cis/Test-MtCisWeakAuthenticationMethodsDisabled.Tests.ps1
- PowerShell source: powershell/public/cis/Test-MtCisWeakAuthenticationMethodsDisabled.ps1