Control attributes: Organisational | Preventive | Protect

A.5.17 Authentication Information

M365 Admin Path: Microsoft Entra admin centre > Protection > Conditional Access

Evidence Source: Microsoft Entra ID

What is this control?

ISO 27001 control A.5.17 Authentication Information ensures proper entity authentication and protection of authentication information to prevent failures of authentication processes. The control mandates multi-factor authentication for all access, enforces phishing-resistant MFA for privileged roles, implements passwordless endpoint authentication via Windows Hello, and detects and blocks compromised credentials. Microsoft Entra ID provides the technical enforcement infrastructure.

How to implement in Microsoft 365

Implement A.5.17 by configuring a Conditional Access policy that requires MFA for all users, with the Microsoft Authenticator app and number matching as the standard method. Configure an Authentication Strength policy that requires phishing-resistant MFA (FIDO2, Windows Hello, or passwordless Authenticator) for PIM role activation. Deploy Windows Hello for Business as the primary endpoint authentication method, using biometrics or a PIN.

Enforce password complexity standards and ban common passwords via Entra ID Password Protection. Configure Self-Service Password Reset registration as mandatory for all users. Configure Microsoft Entra Identity Protection to automatically block high-risk sign-ins.
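The privileged-role part of the procedure above, as an added example that is not part of the original page: it creates the Conditional Access policy that applies the built-in phishing-resistant Authentication Strength to a directory role, starting in report-only mode. It assumes the Microsoft Graph PowerShell SDK, a caller with the listed permissions, and a placeholder break-glass account object ID.

```powershell
# Added example (not from the original page). Requires the Microsoft.Graph SDK and a
# caller holding Policy.ReadWrite.ConditionalAccess, Policy.Read.All and Directory.Read.All.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','Directory.Read.All'

# Resolve the built-in "Phishing-resistant MFA" strength by name rather than hard-coding
# its GUID (it accepts FIDO2 keys, Windows Hello for Business and certificate-based auth).
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq 'Phishing-resistant MFA' -and $_.PolicyType -eq 'builtIn' }
if (-not $strength) { throw 'Built-in phishing-resistant authentication strength not found' }

# Resolve the role template to scope the policy to (Global Administrator here);
# includeRoles takes role template IDs.
$role = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq 'Global Administrator'
if (-not $role) { throw 'Role template not found' }

# Placeholder (assumed): object ID of the emergency-access account kept outside the policy.
$breakGlassUserId = '<BREAK-GLASS-USER-OBJECT-ID>'

$policy = @{
    displayName   = 'A.5.17 - Require phishing-resistant MFA for privileged roles'
    # Report-only first: review the sign-in log impact before changing state to 'enabled'.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{
            includeRoles = @($role.Id)
            excludeUsers = @($breakGlassUserId)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $strength.Id }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Audit evidence: read the policy back and show state, grant control and scoped role.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = 'AuthStrength'; e = { $_.GrantControls.AuthenticationStrength.Id } },
        @{ n = 'Roles';        e = { $_.Conditions.Users.IncludeRoles -join ',' } }
```

The final query is the same view an auditor asks for under "What an auditor looks for"; once the report-only sign-in log shows no unexpected blocks, update the policy with `state = 'enabled'`.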

What an auditor looks for

Auditors will verify Conditional Access policy showing MFA is required for all users. They will check Authentication Strength configuration requiring phishing-resistant MFA for admin roles. Auditors will review password protection configuration with custom banned password list.

They will verify SSPR registration rates meet the 95% target. Auditors will check Identity Protection configuration blocking high-risk sign-ins. They will review Sentinel alerts for blocked or high-risk users and verify temporary password change requirements for new accounts.

M365 capabilities that implement this control

Passwordless & FIDO2 Strategy (Endpoint)

Strategic credential roadmap covering FIDO2 keys, Windows Hello for Business, Authenticator passwordless methods, and password elimination