
E8 Guide | Multi-factor Authentication

This article explains how Devicie supports the multi-factor authentication controls recommended by the ACSC Essential Eight.

Multi-factor authentication (MFA) strengthens account security by requiring two or more forms of verification. This makes it much harder for attackers to gain unauthorised access, even if credentials are compromised. The ACSC recommends MFA for all privileged accounts, remote access, and access to sensitive systems. Devicie supports this strategy by configuring Windows Hello for Business (WHfB) to meet the E8 requirements for MFA at the device level.

What's Covered

Devicie supports the following controls related to multi-factor authentication:

  • Configuration of Windows Hello for Business through Intune policy templates.

  • MFA using secure methods such as PIN plus TPM-backed credentials or biometrics.

  • Device-level MFA enforcement integrated with Microsoft Entra ID.

  • Deployment of authentication method policies without requiring manual setup on each device.

What’s Not Covered

The following areas are outside Devicie’s scope and remain the responsibility of the customer:

  • MFA enforcement for cloud apps and services via Conditional Access — this must be configured in Microsoft Entra ID.

  • Integration with third-party MFA providers (e.g. Duo, Okta) outside of WHfB.

  • MFA for legacy applications or services that do not support modern authentication.

  • Continuous monitoring or enforcement of MFA usage across non-managed devices.

Potential Impact and Callouts

When implementing this Essential Eight mitigation strategy, it's important to understand the impacts on your environment and end users so that you can better plan your change processes.

  • Full compliance depends on customer configuration of Conditional Access to enforce MFA for all required scenarios.

  • Devices must have compatible hardware (e.g. TPM, biometric sensors) to use WHfB.

  • Some older applications may not work if they do not support modern authentication.

Devicie Delivered Controls

ML1

  • Multi-factor authentication uses either: something users have and something users know, or something users have that is unlocked by something users know or are.

ML2

  • Multi-factor authentication used for authenticating users of systems is phishing-resistant.

  • Successful and unsuccessful multi-factor authentication events are centrally logged.

  • Multi-factor authentication is used to authenticate unprivileged users of systems.

  • Multi-factor authentication is used to authenticate privileged users of systems.

ML3

  • Multi-factor authentication used for authenticating users of data repositories is phishing-resistant.

 

Customer Responsibility

ML1

  • Multi-factor authentication (where available) is used to authenticate users to third-party online services that process, store or communicate their organisation's non-sensitive data.

  • Multi-factor authentication is used to authenticate users to third-party online customer services that process, store or communicate their organisation's sensitive customer data.

  • Multi-factor authentication is used to authenticate customers to online customer services that process, store or communicate sensitive customer data.

  • Multi-factor authentication is used to authenticate users to their organisation's online customer services that process, store or communicate their organisation's sensitive customer data.

  • Multi-factor authentication is used to authenticate users to their organisation's online services that process, store or communicate their organisation's sensitive data.

  • Multi-factor authentication is used to authenticate users to third-party online services that process, store or communicate their organisation's sensitive data.

ML2

  • Multi-factor authentication used for authenticating users of online services is phishing-resistant.

  • Multi-factor authentication used for authenticating customers of online customer services provides a phishing-resistant option.

ML3

  • Multi-factor authentication used for authenticating customers of online customer services is phishing-resistant.

  • Multi-factor authentication is used to authenticate users of data repositories.

💡 Tip: Use the Devicie Essential Eight report to view all controls broken down by strategy, maturity level and responsibility.