Authentication methods in Microsoft Entra ID: SSO, MFA, and passwordless

Short Summary

In this lesson, you’ll learn how Microsoft Entra ID handles sign-ins and how to tell apart Single Sign-On (SSO), multifactor authentication (MFA), and passwordless authentication. You’ll see what problem each one solves and how they’re commonly combined. By the end, you should be able to pick the right approach from a short real-world scenario.

Learning Objectives

By the end of this lesson, you will be able to:

  • Define Single Sign-On (SSO) and when it improves the sign-in experience.
  • Explain multifactor authentication (MFA) and what “authentication factors” mean.
  • Describe passwordless authentication and name common examples in Microsoft Entra ID.
  • Differentiate SSO vs MFA vs passwordless using short scenarios.
  • Outline a simple, layered sign-in approach that uses more than one method.

Core Concepts

Authentication is how you prove “I am who I say I am” during sign-in.

In Azure and Microsoft 365, authentication is typically handled by Microsoft Entra ID (formerly Azure Active Directory, or Azure AD), which acts as the identity provider for users and applications.

Single Sign-On (SSO)

Single Sign-On (SSO) is about how often you need to sign in.

With SSO, you sign in once (to your identity provider), and then you can access multiple applications without signing in again and again—until your session expires or a policy forces you to reauthenticate. The main benefit is convenience and fewer repeated prompts across apps.

Multifactor Authentication (MFA)

Multifactor authentication (MFA) is about how strongly you prove your identity.

MFA requires two or more verification factors. A common way to remember factors is:

  • Something you know (for example, a password)
  • Something you have (for example, a phone or security key)
  • Something you are (for example, biometrics)

MFA is often used to reduce the risk of account takeover when a password is stolen or guessed.

Passwordless authentication

Passwordless authentication is about whether you use a password at all.

Instead of a password, you sign in using a stronger method—usually tied to a device and protected by biometrics or a Personal Identification Number (PIN). Common examples include:

  • Passkeys (FIDO2, the Fast Identity Online 2 standard)
  • Windows Hello for Business
  • FIDO2 security keys (hardware keys)

Passwordless methods are widely used to reduce phishing, password spray, and other password-based attacks.

A quick rule to remember

  • SSO = sign in once across many apps
  • MFA = add extra proof at sign-in
  • Passwordless = replace the password with a stronger method

These are not competing features. It’s normal to combine them (for example: SSO for convenience, plus MFA for stronger sign-ins, plus passwordless to reduce password risk).

Practical Understanding

Practical Situation 1: When you see “one login for many apps,” think SSO

A company uses many cloud applications and wants users to sign in once and then access those apps without repeated sign-in prompts. They also want sign-in to be centrally managed.

How to think about it: This is an SSO requirement: one sign-in session can be reused to access multiple apps.

Common misunderstanding: “SSO means no authentication.” You still authenticate—SSO just reduces repeated sign-ins.

Practical Situation 2: When you see “extra step beyond password,” think MFA

A company wants to reduce account takeover risk from stolen passwords by requiring an extra verification step. They want this protection broadly, not only for administrators.

How to think about it: This is an MFA requirement: you add one more factor (or more) during sign-in to strengthen identity verification.

Common misunderstanding: “MFA is only for admins.” Admins absolutely need it, but regular user accounts are also common targets.

Practical Situation 3: When you see “stop using passwords,” think passwordless

A company wants to reduce phishing and password spray risks by moving away from passwords. They want users to sign in using device-based credentials.

How to think about it: This is a passwordless goal: you replace the password with a method like a passkey (FIDO2) or Windows Hello for Business.

Common misunderstanding: “Passwordless means no identity verification.” You still verify identity—just without a password.

Practical Situation 4: When you see “we want all three,” think “layered strategy”

A company wants users to access multiple apps easily, wants stronger verification at sign-in, and wants to reduce password attacks by using passwordless methods.

How to think about it: This maps cleanly to three capabilities: SSO for “one sign-in across apps,” MFA for “extra verification,” and passwordless for “reduce/remove passwords.”

Common misunderstanding: “Turning on SSO automatically turns on MFA and passwordless.” These are separate capabilities and are configured separately.
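The "configured separately" point above (and the rule in Core Concepts that SSO, MFA, and passwordless are combined, not switched on together) can be seen in how an administrator would actually set two of them up. The following is an added example, not part of the lesson: it assumes the Microsoft.Graph PowerShell SDK, an account able to consent to the two scopes shown, and a placeholder group ID for an emergency-access (break-glass) group that you replace with your own.

```powershell
# Added example (not from the lesson). MFA is enforced through a Conditional Access
# policy; passwordless sign-in (passkeys/FIDO2) is enabled through the separate
# Authentication methods policy. Neither setting turns the other on.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.ReadWrite.AuthenticationMethod"

$breakGlassGroupId = "<BREAK-GLASS-GROUP-ID>"   # placeholder: replace before running

# 1) MFA for ALL users on ALL apps (not admin-only; see Practical Situation 2).
#    Start in report-only mode and review sign-in logs before switching to "enabled".
$mfaPolicy = @{
    displayName   = "Require MFA for all users (report-only)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)   # keeps emergency access working
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")                 # the built-in "require MFA" control
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaPolicy

# 2) Passwordless: enable passkeys (FIDO2) as a sign-in method for all users.
#    This lives in the Authentication methods policy, a different object entirely.
$fido2Config = @{
    "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    state                            = "enabled"
    isSelfServiceRegistrationEnabled = $true      # users can register their own passkeys
    isAttestationEnforced            = $false     # relax to allow any FIDO2 authenticator
    includeTargets                   = @(
        @{ targetType = "group"; id = "all_users"; isRegistrationRequired = $false }
    )
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "Fido2" -BodyParameter $fido2Config
```

SSO needs no policy object of its own here: it follows from the apps being federated to Entra ID, which is why it is listed as a third, separate capability rather than a third step in this script.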

Common Pitfalls

  • Mistake: Thinking that Single Sign-On (SSO) is automatically less secure because users sign in only once. Correction: SSO centralizes sign-in and can be very secure when paired with strong authentication and sensible session policies.

  • Mistake: Treating multifactor authentication (MFA) as “admin-only.” Correction: MFA helps protect all users because password theft and phishing target everyone, not just admins.

  • Mistake: Assuming passwordless is just “convenience” and not a security improvement. Correction: Passwordless removes the password step, which helps reduce common password-based attacks.

  • Mistake: Believing SSO, MFA, and passwordless are mutually exclusive choices. Correction: They solve different problems and are commonly combined.

  • Mistake: Rolling out a strong method for some apps/users and forgetting the rest. Correction: Start with a clear rollout plan (who, which apps, and which methods) and expand coverage over time.

Check Your Understanding

  1. In one sentence, explain what SSO changes in the sign-in experience compared to “no SSO.”
  2. Give one example of each MFA factor type (know / have / are).
  3. Describe a passwordless sign-in flow (what the user does, and what replaces the password).
  4. For a company using many SaaS apps, explain when SSO helps and when it doesn’t help.
  5. Write a 3-line plan for using SSO, MFA, and passwordless together (one line per method).

Further Reading