# CISA.MS.AAD.3.5 - The authentication methods SMS, Voice Call, and Email One-Time Passcode (OTP) SHALL be disabled.

## Overview
The authentication methods SMS, Voice Call, and Email One-Time Passcode (OTP) SHALL be disabled.
Rationale: SMS, voice call, and email OTP are the weakest authenticators. This policy forces users to use stronger MFA methods.
### Remediation action
If phishing-resistant MFA has not been deployed yet and Microsoft Authenticator is in use, configure Authenticator to display context information to users when they log in.
- In Entra ID, click Security > Authentication methods
- Click on the SMS, Voice Call, and Email OTP authentication methods and disable each of them. Their statuses should be Enabled > No on the Authentication methods > Policies page.
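To confirm the remediation took effect, the tenant-wide authentication methods policy can be read back from Microsoft Graph and checked for the three weak methods. The following is an added example, not Maester's own `Test-MtCisaWeakFactor` implementation; the Graph v1.0 endpoint and the `Sms`/`Voice`/`Email` configuration ids are the real ones, while the function name, parameter name and the embedded sample policy are constructed for illustration.

```powershell
# Added example, not the Maester project's own Test-MtCisaWeakFactor code.
# Checks that SMS, Voice Call and Email OTP are disabled in the tenant-wide
# authentication methods policy. The Graph endpoint is real; the function
# and parameter names below are constructed for this example.

function Test-WeakAuthMethodsDisabled {
    param(
        # Object shaped like the response of
        # GET https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy
        [Parameter(Mandatory)] $Policy
    )

    # Graph configuration ids for the three methods MS.AAD.3.5 requires to be off.
    $weakMethodIds = @('Sms', 'Voice', 'Email')

    # Collect any weak method whose state is still "enabled".
    $stillEnabled = foreach ($config in $Policy.authenticationMethodConfigurations) {
        if ($config.id -in $weakMethodIds -and $config.state -eq 'enabled') {
            $config.id
        }
    }

    [pscustomobject]@{
        Compliant          = -not $stillEnabled
        EnabledWeakMethods = @($stillEnabled)
    }
}

# Live check against a tenant (requires the Microsoft.Graph module and the
# Policy.Read.All permission):
#   Connect-MgGraph -Scopes 'Policy.Read.All'
#   $policy = Invoke-MgGraphRequest -Method GET `
#       -Uri 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy'
#   Test-WeakAuthMethodsDisabled -Policy $policy

# Constructed sample: SMS has been turned off, but Voice and Email OTP are still on.
$samplePolicy = @'
{
  "authenticationMethodConfigurations": [
    { "id": "Fido2",                  "state": "enabled"  },
    { "id": "MicrosoftAuthenticator", "state": "enabled"  },
    { "id": "Sms",                    "state": "disabled" },
    { "id": "Voice",                  "state": "enabled"  },
    { "id": "Email",                  "state": "enabled"  }
  ]
}
'@ | ConvertFrom-Json

$result = Test-WeakAuthMethodsDisabled -Policy $samplePolicy
if ($result.Compliant) {
    'PASS: SMS, Voice Call and Email OTP are all disabled.'
} else {
    "FAIL: weak methods still enabled: $($result.EnabledWeakMethods -join ', ')"
}
```

The sample run reports `FAIL: weak methods still enabled: Voice, Email`; a tenant that has completed both remediation steps returns `Compliant = $true` with an empty `EnabledWeakMethods` list, which is the state the Maester test expects.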
## Related links
- Entra admin portal - Authentication methods
- CISA Strong Authentication & Secure Registration - MS.AAD.3.5v1
- CISA ScubaGear Rego Reference
## Test Metadata
| Field | Value |
|---|---|
| Test ID | CISA.MS.AAD.3.5 |
| Severity | High |
| Suite | CISA |
| Category | Entra ID P1 |
| PowerShell test | Test-MtCisaWeakFactor |
| Tags | CISA, CISA.MS.AAD.3.5, Entra ID P1, MS.AAD, MS.AAD.3.5 |
## Source
- Pester test: tests/cisa/entra/Test-MtCisaWeakFactor.Tests.ps1
- PowerShell source: powershell/public/cisa/entra/Test-MtCisaWeakFactor.ps1