Azure MFA and NIST requirements

Occasional Contributor

Hi there,


I am currently involved in a SharePoint project dealing with high security requirements and I have some problems matching NIST requirements with Azure MFA ways to authenticate.

NIST 800-63b ( ), chapter 5.1 talks about different authenticator types like memorized secret, OTP devices, cryptographic devices and so on.


As far as I know, MFA offers authentication based on SMS or the Authenticator app. Which type of authenticator is this? I found some slides from Microsoft saying that NIST Assurance Level 3 can be achieved with Azure MFA. but if I understand this correctly, Level 3 needs for example a multi factor cryptographic device or a multi factor OTP hardware together with a cryptographic device....


How does this match with using SMS or Authenticator app? Especially when user accesses the application with his mobile device which is the same? Thank you very much in advance :)





4 Replies
best response confirmed by Ralph Göbel (Occasional Contributor)

I'm afraid I'm far from an expert in this realm, but I believe that the Authenticator app can function as an OTP and an out-of-band device. It functions in OTP mode when you have it setup to give you a one-time code each time you need to log in, and it functions in out-of-band mode when you have it set up to send the user a prompt via Authenticator that they must respond to in order to complete sign in. Hopefully this at least helps a bit Ralph!

Hi Grant,


sorry for delay in reply and thank you very much for sharing your thoughts. I think the idea is not to enable e.g. SMS as authentication method, but only codes inside the authenticator app. This will be considered as out of band, even user tries to access services from the same device.


Thanks and regards!



No worries at all! I believe you are correct about that, the Authenticator prompt seems to be the preferred method going forward. There have been some security issues around the global telecom system that manages SMS, so most companies seem to be trying to discourage anyone from using that method anymore if possible.



Here is a  Microsoft document that accomplishes what you are looking to address. The report answers your question directly.  I have added the document for your convenience.  However, you can also reference the work here:


Azure Multi-Factor Authentication enables compliance with regulatory requirements for multi-factor authentication such as the following ones to [a] name of few:

  • NIST 800-63 Electronic Authentication Guidelines for Level 3 Assurance,
  • HIPAA Requirements Relative to Electronic Protected Health Information (EPHI),
  • Payment Card Industry Data Security Standards (PCI DSS),
  • Criminal Justice Information System (CJIS) Security Policy,
  • Authentication in an Internet Banking Environment Guidance (FFIEC).
    (Beraud, Jumelet, & Grasse, 2015, p. 12)




Beraud, P., Jumelet, A., & Grasse, J. (2015). Leverage Azure Multi-Factor Authentication with Azure AD - Microsoft(pp. 1-40, Rep.). Microsoft France.