How to Configure Microsoft Entra Face Check for Phishing-Resistant Recovery

Set up Microsoft Entra ID's phishing-resistant account recovery using government ID validation and Face Check biometric verification to eliminate weak authentication fallbacks.

May 13, 2026 · 18 min · Difficulty: Hard · 8 steps · microsoft-entra

Why Implement Microsoft Entra Face Check for Account Recovery?

Traditional account recovery methods like SMS codes, email OTPs, and temporary passwords are the weakest link in an otherwise phishing-resistant deployment. An attacker who cannot defeat a FIDO2 key can still SIM-swap the phone number, compromise the mailbox, or talk the helpdesk into issuing a temporary password, and the recovery path then hands over the whole account. Microsoft's phishing-resistant account recovery addresses this by replacing those fallbacks with government ID validation combined with live Face Check biometric verification.

What Makes This Recovery Method Phishing-Resistant?

The recovery flow contains no transferable secret. The user presents a government-issued ID, the IDV provider validates the document, and a live selfie with liveness detection is matched against the photo from that ID. Unlike a code, a link, or a push approval, none of this can be phished, intercepted, or replayed, and the relying party receives a match result rather than the biometric images. The caveat: phishing-resistant is not attack-proof. The assurance rests on the provider's document-fraud detection and on its liveness checks against presentation and injection attacks (printed photos, replayed video, deepfakes), so treat provider selection and the provider's match-confidence threshold as security controls rather than defaults to accept.

How Does Microsoft Entra Verified ID Integration Work?

Microsoft Entra Verified ID provides the underlying infrastructure for identity verification through IDV providers listed in the Microsoft Security Store. These providers offer high-assurance identity verification that meets government and enterprise requirements, and the integration removes the need for custom API development. Face Check is designed so that only the match result is shared with the relying party and the selfie is not retained; the document images do pass through the IDV provider, so review that provider's retention and data-residency terms as part of your privacy assessment.

This tutorial walks through implementing the feature in your Microsoft Entra environment, from initial configuration through monitoring and compliance reporting. You'll remove the weak authentication fallbacks while keeping users able to recover themselves through a flow that completes in minutes rather than the hours or days a helpdesk ticket takes.

Implementation Guide

Full Procedure

01

Enable Account Recovery Preview Feature

First, we'll enable the account recovery preview feature in your Microsoft Entra tenant. This feature is currently in public preview and requires explicit activation.

# Connect to Microsoft Graph PowerShell (Microsoft.Graph module)
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod", "Organization.Read.All"

# Verify the tenant carries an Entra ID P2 service plan. The SKU that carries it
# varies (AAD_PREMIUM_P2, EMSPREMIUM, SPE_E5 ...), so check the service plans,
# not the SKU name
Get-MgSubscribedSku |
    Where-Object { $_.ServicePlans.ServicePlanName -contains "AAD_PREMIUM_P2" } |
    Select-Object SkuPartNumber, ConsumedUnits, @{ Name = 'Enabled'; Expression = { $_.PrepaidUnits.Enabled } }

Navigate to the Microsoft Entra admin center at entra.microsoft.com and sign in with an account that can manage authentication policies. Authentication Policy Administrator is sufficient for the authentication methods work later in this guide; reserve Global Administrator for the one-time preview enablement if the preview demands it.

Go to Identity > Authentication > Account recovery. If you don't see this option, your tenant may not have preview features enabled. Click Preview features in the left navigation and enable Account Recovery.

Pro tip: Always test preview features in a non-production tenant first. Create a dedicated test tenant if you don't have one.

Verification: You should see the Account recovery blade with options to create recovery profiles. If the feature isn't available, contact Microsoft support to enable preview access for your tenant.

02

Create Phishing-Resistant Recovery Profile

Now we'll create a recovery profile that enforces phishing-resistant authentication methods and excludes legacy fallbacks like OTPs and temporary passwords.

In the Account recovery blade, click Profiles tab, then Create profile:

  • Profile name: "Phishing-Resistant Recovery"
  • Description: "High-assurance recovery using government ID + Face Check"
  • Recovery mode: Select Self-service
  • Authentication methods allowed: Uncheck SMS, Voice, Email OTP
  • Identity verification required: Enable

Configure the target users section. The JSON below mirrors the settings the admin center exposes; check the current Graph beta reference before scripting it, because preview property names change:

{
  "targetUsers": {
    "includeGroups": ["sg-pilot-users"],
    "excludeGroups": ["sg-break-glass-admins"],
    "includeRoles": [],
    "excludeRoles": ["Global Administrator"]
  },
  "recoverySettings": {
    "requireIdentityVerification": true,
    "allowedMethods": ["FIDO2", "PasskeyPlatform"],
    "blockedMethods": ["SMS", "Voice", "EmailOTP", "TemporaryPassword"]
  }
}
Warning: Never include Global Administrators in recovery profiles during initial testing. Maintain at least two break-glass accounts that are excluded from this recovery profile and from every Conditional Access policy. Excluded does not mean MFA-free: Microsoft now enforces MFA for sign-in to the Azure and Entra admin portals regardless of Conditional Access, so register a phishing-resistant credential (a FIDO2 key kept in the safe with the password) for each break-glass account.

Verification: Save the profile and confirm it appears in the profiles list with status "Active". Check that your pilot security group is correctly assigned.

03

Configure Identity Verification Provider

Connect an Identity Verification (IDV) provider that supports government ID validation and Face Check biometric verification through the Microsoft Security Store.

In your recovery profile, click Connect identity verification provider. This opens the guided setup wizard.

Click Browse Microsoft Security Store and select a provider that supports:

  • Government-issued ID document verification
  • Live Face Check (biometric matching)
  • Microsoft Entra Verified ID integration

Configure the IDV settings. The option names below are illustrative; the provider's setup wizard determines the exact fields:

# IDV Provider Configuration
verification_type: "government_id_plus_biometric"
assurance_level: "high"
supported_documents:
  - "drivers_license"
  - "passport"
  - "national_id"
biometric_methods:
  - "face_check_live"
privacy_settings:
  zero_knowledge_proofs: true
  biometric_storage: false
  data_retention_days: 30

Complete the provider integration by following the guided setup. The system will automatically configure API connections and webhook endpoints.

Test the integration: Use the "Test recovery" button in the admin center with a test user account. Upload a sample government ID and complete the Face Check process.

Pro tip: Document your IDV provider's specific requirements and supported ID types. Different providers may have varying document quality requirements and regional availability.

Verification: The provider should show as "Connected" with a green status indicator. Test recovery should complete successfully within 2-3 minutes.

04

Enable FIDO2 and Passkey Authentication Methods

Configure FIDO2 security keys and platform authenticators (passkeys) as the primary phishing-resistant authentication methods for account recovery.

Navigate to Identity > Authentication > Authentication methods > Policies.

Configure the FIDO2 / passkey policy. Targets are identified by group object ID, not display name, and the schema below is the Graph fido2AuthenticationMethodConfiguration:

{
  "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
  "id": "Fido2",
  "state": "enabled",
  "includeTargets": [
    {
      "targetType": "group",
      "id": "<object ID of sg-pilot-users>",
      "isRegistrationRequired": false
    }
  ],
  "isAttestationEnforced": true,
  "isSelfServiceRegistrationAllowed": true,
  "keyRestrictions": {
    "aaGuids": [],
    "enforcementType": "allow",
    "isEnforced": false
  }
}

Leave isAttestationEnforced on only if every authenticator you intend to allow (hardware keys and, if you use them, passkeys in Microsoft Authenticator or synced platform passkeys) produces an attestation statement Microsoft can validate; otherwise registration fails at the final step. To limit users to approved models, set keyRestrictions.isEnforced to true and list the permitted AAGUIDs.

Configure Microsoft Authenticator for the pilot group. Passkeys stored in Authenticator are governed by the Fido2 policy above (allow their AAGUIDs there if you restrict keys), not by this policy, which controls push and passwordless phone sign-in. Plain push is not phishing-resistant; the Conditional Access authentication strength in step 5 is what keeps recovery users on passkeys:

# PowerShell configuration for Microsoft Authenticator (push / phone sign-in)
$pilotGroupId = (Get-MgGroup -Filter "displayName eq 'sg-pilot-users'").Id   # needs Group.Read.All

$policy = @{
    "@odata.type" = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration"
    "state" = "enabled"
    "includeTargets" = @(
        @{
            "targetType" = "group"
            "id" = $pilotGroupId
            "authenticationMode" = "any"      # push and passwordless phone sign-in
        }
    )
    "isSoftwareOathEnabled" = $false         # no Authenticator TOTP code as a fallback
    "featureSettings" = @{
        "displayAppInformationRequiredState" = @{    # show the app name in the push prompt
            "state" = "enabled"
            "includeTarget" = @{
                "targetType" = "group"
                "id" = $pilotGroupId
            }
        }
    }
}

Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -AuthenticationMethodConfigurationId "MicrosoftAuthenticator" -BodyParameter $policy

Verification: Test users should be able to register FIDO2 keys or passkeys at myaccount.microsoft.com under Security info. Confirm registration completes without errors.
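Added example (not from the original tutorial, and not Microsoft's own code): scoping the weak methods away from the pilot group in the Authentication methods policy. The recovery profile's blocked methods only govern the recovery flow; the same users could still be phished for an SMS code at ordinary sign-in unless the method is disabled or scoped away from them here. The script uses excludeTargets so the rest of the tenant is unaffected, preserves any existing exclusions, and checks that Fido2 is actually enabled for the group. The group name, the scopes, and the choice of Sms, Voice and Email as the weak set are this example's assumptions.

```powershell
# Added example: remove SMS, Voice and Email OTP from the pilot group via excludeTargets.
# Assumes Microsoft.Graph PowerShell and a group named sg-pilot-users (assumption).
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod", "Group.Read.All" -NoWelcome

$pilotGroup = Get-MgGroup -Filter "displayName eq 'sg-pilot-users'"
if (-not $pilotGroup) { throw "Pilot group sg-pilot-users not found" }

# Method IDs and their Graph types; Email is the SSPR e-mail OTP method
$weakMethods = @{
    Sms   = "#microsoft.graph.smsAuthenticationMethodConfiguration"
    Voice = "#microsoft.graph.voiceAuthenticationMethodConfiguration"
    Email = "#microsoft.graph.emailAuthenticationMethodConfiguration"
}

foreach ($methodId in $weakMethods.Keys) {
    $config = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
        -AuthenticationMethodConfigurationId $methodId

    if ($config.State -eq "disabled") {
        Write-Host "$methodId is already disabled tenant-wide"
        continue
    }

    # Preserve existing exclusions. excludeTargets wins over includeTargets, so the
    # pilot group loses the method even if it is also targeted through 'all_users'.
    $exclusions = @($config.ExcludeTargets | ForEach-Object { @{ id = $_.Id; targetType = $_.TargetType } })
    if ($exclusions.id -contains $pilotGroup.Id) {
        Write-Host "$methodId already excludes $($pilotGroup.DisplayName)"
        continue
    }
    $exclusions += @{ id = $pilotGroup.Id; targetType = "group" }

    Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
        -AuthenticationMethodConfigurationId $methodId `
        -BodyParameter @{
            "@odata.type"  = $weakMethods[$methodId]
            excludeTargets = $exclusions
        }
    Write-Host "$methodId is now excluded for $($pilotGroup.DisplayName)"
}

# Confirm the strong method is actually reachable for the same group; otherwise the
# pilot users would have nothing left to register
$fido2 = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId Fido2
$fido2TargetIds = @($fido2.AdditionalProperties['includeTargets'] | ForEach-Object { $_['id'] })
if ($fido2.State -ne "enabled" -or
    -not ($fido2TargetIds -contains $pilotGroup.Id -or $fido2TargetIds -contains "all_users")) {
    Write-Warning "Fido2 is not enabled for $($pilotGroup.DisplayName); fix the passkey policy first"
}
```

Email here is the SSPR e-mail OTP method, so pilot users also lose e-mail-based self-service password reset, which is intended: the Face Check profile replaces it. The script is safe to re-run; it skips methods that are already disabled or that already exclude the group.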

05

Create Conditional Access Policy for Phishing-Resistant MFA

Implement a Conditional Access policy that requires phishing-resistant MFA for users in the recovery-enabled groups, so that no weak fallback satisfies a sign-in. Create it in report-only mode first and switch it to enabled only after you have reviewed what it would have blocked.

Navigate to Protection > Conditional Access > New policy:

{
  "displayName": "Require Phishing-Resistant MFA - Recovery Users",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {
      "includeGroups": ["<object ID of sg-pilot-users>"],
      "excludeGroups": ["<object ID of sg-break-glass-admins>"]
    },
    "applications": {
      "includeApplications": ["All"]
    },
    "clientAppTypes": ["all"]
  },
  "grantControls": {
    "operator": "OR",
    "authenticationStrength": {
      "id": "00000000-0000-0000-0000-000000000004"
    }
  },
  "sessionControls": {
    "signInFrequency": {
      "value": 1,
      "type": "days",
      "isEnabled": true
    }
  }
}

The ID 00000000-0000-0000-0000-000000000004 is the built-in "Phishing-resistant MFA" authentication strength. An authentication strength replaces the "mfa" built-in grant control; the two cannot be combined in one policy. Groups are referenced by object ID.

Create the policy using PowerShell:

# Create Conditional Access policy via Graph (needs Policy.ReadWrite.ConditionalAccess
# and Application.Read.All); start in report-only and flip to "enabled" after review
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All", "Group.Read.All"
$pilotGroupId      = (Get-MgGroup -Filter "displayName eq 'sg-pilot-users'").Id
$breakGlassGroupId = (Get-MgGroup -Filter "displayName eq 'sg-break-glass-admins'").Id

$policyParams = @{
    displayName = "Require Phishing-Resistant MFA - Recovery Users"
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users = @{
            includeGroups = @($pilotGroupId)
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator = "OR"
        authenticationStrength = @{
            id = "00000000-0000-0000-0000-000000000004"   # built-in "Phishing-resistant MFA"
        }
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policyParams
Warning: Test this policy thoroughly before applying to production users. A misconfigured policy can lock out all users, including administrators.

Verification: Sign in as a test user and confirm that only FIDO2 or passkey sign-in satisfies the policy; password plus SMS or Authenticator push should be stopped with an authentication-strength error once the policy is enabled. Note that Conditional Access only refuses the weak methods for these users at sign-in; the methods stay registered and usable elsewhere until you disable them or scope them out in the Authentication methods policy.

06

Configure Break-Glass Emergency Access

Set up emergency break-glass accounts that are excluded from the new Conditional Access policy and from the recovery profile, so that a policy mistake or an IDV provider outage cannot lock every administrator out of the tenant.

Create dedicated break-glass accounts:

# Create break-glass admin accounts: cloud-only, on the initial .onmicrosoft.com
# domain so a federation or custom-domain outage cannot take them down, with
# randomly generated non-expiring passwords that are never written to a script
Connect-MgGraph -Scopes "User.ReadWrite.All", "Domain.Read.All", "RoleManagement.ReadWrite.Directory"
$tenantDomain = (Get-MgDomain | Where-Object { $_.IsInitial }).Id    # e.g. contoso.onmicrosoft.com

function New-RandomPassword {
    $bytes = [byte[]]::new(48)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ([Convert]::ToBase64String($bytes)) + "!"    # 65 chars, all complexity classes
}

$breakGlassAccounts = foreach ($n in 1..2) {
    $password = New-RandomPassword
    $user = New-MgUser -BodyParameter @{
        displayName       = "Emergency Access 0$n"
        userPrincipalName = "emergencyaccess0$n@$tenantDomain"
        mailNickname      = "emergencyaccess0$n"
        accountEnabled    = $true
        passwordPolicies  = "DisablePasswordExpiration"
        passwordProfile   = @{
            forceChangePasswordNextSignIn = $false
            password                      = $password
        }
    }
    # Hand the password to whoever seals the envelope; do not log or echo it
    [pscustomobject]@{ Id = $user.Id; UPN = $user.UserPrincipalName; Password = $password }
}

# Assign Global Administrator permanently (not as a PIM-eligible assignment) using
# the role template ID, which works even if the role was never activated in the tenant
$globalAdminTemplateId = "62e90394-69f5-4237-9190-012177145e10"
foreach ($account in $breakGlassAccounts) {
    New-MgRoleManagementDirectoryRoleAssignment -BodyParameter @{
        roleDefinitionId = $globalAdminTemplateId
        principalId      = $account.Id
        directoryScopeId = "/"
    }
}

Create a security group for break-glass accounts and exclude it from all MFA and recovery policies:

  • Group name: "sg-break-glass-admins"
  • Add both break-glass accounts as members
  • Exclude this group from all Conditional Access policies, existing ones included
  • Exclude it from account recovery profiles
  • Register a FIDO2 security key for each account; Microsoft's mandatory admin-portal MFA applies to these accounts too, so they need a credential that works without a phone or mailbox
  • Alert on every sign-in by these accounts; a break-glass sign-in outside a rehearsal is an incident
Pro tip: Store break-glass account credentials in a secure physical location (safe, sealed envelope) and test them monthly. Document the emergency access procedure for your security team.

Verification: Test that each break-glass account can sign in using only its stored password and security key, is not interrupted by the new policy, and has full administrative access to reverse any policy changes.
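Added example (not part of the original tutorial): a pre-enforcement safety check to run before the report-only Conditional Access policy from step 5 is switched to enabled. It fails loudly if any active policy does not exclude the break-glass group, if a break-glass account is disabled, lacks a permanent Global Administrator assignment, or sits in the recovery pilot group, and it lists the users whom the new policy would have blocked in report-only mode over the last seven days. The group and policy names and the scopes are this example's assumptions; the Global Administrator role template ID (62e90394-69f5-4237-9190-012177145e10) is Microsoft's documented constant.

```powershell
# Added example: lockout guard, run before enabling the phishing-resistant MFA policy.
# Group, policy and account names are this example's assumptions.
Connect-MgGraph -Scopes "Policy.Read.All", "Group.Read.All", "User.Read.All",
    "RoleManagement.Read.Directory", "AuditLog.Read.All", "Directory.Read.All" -NoWelcome

$breakGlassGroup       = Get-MgGroup -Filter "displayName eq 'sg-break-glass-admins'"
$pilotGroup            = Get-MgGroup -Filter "displayName eq 'sg-pilot-users'"
$newPolicyName         = "Require Phishing-Resistant MFA - Recovery Users"
$globalAdminTemplateId = "62e90394-69f5-4237-9190-012177145e10"
$problems = [System.Collections.Generic.List[string]]::new()

# 1. Every enabled or report-only policy must exclude the break-glass group
$activeStates = "enabled", "enabledForReportingButNotEnforced"
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.State -in $activeStates } |
    ForEach-Object {
        if ($_.Conditions.Users.ExcludeGroups -notcontains $breakGlassGroup.Id) {
            $problems.Add("CA policy '$($_.DisplayName)' does not exclude $($breakGlassGroup.DisplayName)")
        }
    }

# 2. Break-glass account health: enabled, permanent GA, not in the recovery pilot
$pilotMemberIds = @(Get-MgGroupMember -GroupId $pilotGroup.Id -All).Id
foreach ($member in Get-MgGroupMember -GroupId $breakGlassGroup.Id -All) {
    $user = Get-MgUser -UserId $member.Id -Property Id, UserPrincipalName, AccountEnabled
    if (-not $user.AccountEnabled) { $problems.Add("$($user.UserPrincipalName) is disabled") }

    $roles = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'"
    if ($roles.RoleDefinitionId -notcontains $globalAdminTemplateId) {
        $problems.Add("$($user.UserPrincipalName) has no permanent Global Administrator assignment")
    }
    if ($pilotMemberIds -contains $user.Id) {
        $problems.Add("$($user.UserPrincipalName) is a member of the recovery pilot group")
    }
}

# 3. Report-only impact: who would the new policy have stopped in the last 7 days?
#    (narrow the window in large tenants; sign-in volume can be high)
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
$wouldBlock = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object {
        $_.AppliedConditionalAccessPolicies |
            Where-Object { $_.DisplayName -eq $newPolicyName -and $_.Result -eq "reportOnlyFailure" }
    } |
    Group-Object UserPrincipalName |
    Select-Object @{ Name = 'User'; Expression = { $_.Name } },
                  @{ Name = 'BlockedSignIns'; Expression = { $_.Count } }

if ($problems.Count) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Fix the items above before enabling '$newPolicyName'"
}
"Report-only would have blocked these users (expected: pilot users with no passkey yet):"
$wouldBlock | Format-Table -AutoSize
```

Policies that exclude the emergency accounts individually rather than through the group will be flagged by check 1; if that is your convention, compare against the member IDs instead. A clean run followed by a short, expected list from check 3 is the signal to change the policy state to enabled.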

07

Test End-User Recovery Flow

Validate the complete account recovery process from an end-user perspective to ensure the Face Check and government ID verification works correctly.

Simulate a user who has lost every registered credential, which is the scenario this flow exists for (a smart-lockout from repeated bad passwords is temporary and is not a recovery case):

  1. Sign in as the test user and, under Security info at myaccount.microsoft.com, delete the registered FIDO2 key or passkey (or have an admin remove it under Users > Authentication methods)
  2. From a fresh browser profile, navigate to myaccount.microsoft.com
  3. Click "Can't access your account?" or "Recover account"
  4. Select the "I forgot my password" option

The recovery flow should present these steps:

# Expected Recovery Flow
step_1: "Identity Verification Required"
  - Upload government-issued ID document
  - Supported formats: JPG, PNG, PDF
  - File size limit: 10MB

step_2: "Live Face Check"
  - Position face in camera frame
  - Follow on-screen instructions
  - Biometric matching against ID photo

step_3: "Verification Processing"
  - IDV provider validates document
  - Face Check comparison completed
  - Zero-knowledge proof generated

step_4: "Access Restored"
  - Account unlocked automatically
  - Redirect to password reset
  - Register new phishing-resistant MFA

Monitor the recovery process in real-time:

# Monitor recovery events via Graph API (needs AuditLog.Read.All and Directory.Read.All).
# authenticationDetails is not a filterable property of the sign-in API, so pull the
# window by date and filter it client-side. "Identity Verification" is the method
# label this guide uses for the recovery step; confirm it against a real test recovery.
$recoveryMethod = "Identity Verification"
$since = (Get-Date).ToUniversalTime().AddDays(-1).ToString("yyyy-MM-ddTHH:mm:ssZ")

$recoveryEvents = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since and status/errorCode eq 0" -All |
    Where-Object { $_.AuthenticationDetails.AuthenticationMethod -contains $recoveryMethod }

$recoveryEvents | Select-Object CreatedDateTime, UserPrincipalName, IpAddress,
    @{ Name = 'RecoveryStep'; Expression = {
        ($_.AuthenticationDetails | Where-Object AuthenticationMethod -eq $recoveryMethod).AuthenticationStepResultDetail } }
Warning: The Face Check process requires good lighting and a stable internet connection. Users should be in a well-lit area with the camera at eye level for best results.

Verification: The entire recovery process should complete in 2-3 minutes. Check that the user can access their account and is prompted to register new MFA methods. Review audit logs to confirm the recovery was logged with "Identity Verification" authentication method.

08

Monitor and Audit Recovery Activities

Set up comprehensive monitoring and alerting for account recovery activities to detect potential security incidents and ensure compliance.

Configure a log search alert rule (Microsoft.Insights/scheduledQueryRules) on the Log Analytics workspace that receives SigninLogs through Entra diagnostic settings. An activity-log alert cannot see sign-in events, so the rule has to query the workspace:

{
  "type": "Microsoft.Insights/scheduledQueryRules",
  "apiVersion": "2023-03-15-preview",
  "name": "Account Recovery Alert",
  "location": "your-region",
  "properties": {
    "displayName": "Account Recovery Alert",
    "description": "Alert on account recovery using Face Check",
    "severity": 2,
    "enabled": true,
    "evaluationFrequency": "PT5M",
    "windowSize": "PT5M",
    "scopes": ["/subscriptions/your-subscription-id/resourceGroups/rg-security/providers/Microsoft.OperationalInsights/workspaces/your-workspace"],
    "criteria": {
      "allOf": [
        {
          "query": "SigninLogs | where AuthenticationDetails has 'Identity Verification' | project TimeGenerated, UserPrincipalName, IPAddress, ResultType",
          "timeAggregation": "Count",
          "operator": "GreaterThan",
          "threshold": 0
        }
      ]
    },
    "actions": {
      "actionGroups": ["/subscriptions/your-subscription-id/resourceGroups/rg-security/providers/microsoft.insights/actionGroups/ag-security-team"]
    }
  }
}

Create a custom KQL query for detailed recovery analytics:

// Account Recovery Analytics Query
// AuthenticationDetails is a JSON array of steps; expand it and keep the identity
// verification step rather than reading index [0], which is usually the password step.
// ResultType is a string column in SigninLogs, so compare against "0".
SigninLogs
| where TimeGenerated >= ago(30d)
| where AuthenticationDetails has "Identity Verification"
| mv-expand Step = parse_json(AuthenticationDetails)
| where tostring(Step.authenticationMethod) == "Identity Verification"
| extend StepResult = tostring(Step.authenticationStepResultDetail),
         MethodDetail = tostring(Step.authenticationMethodDetail)
| project TimeGenerated, UserPrincipalName, IPAddress, Location, StepResult, MethodDetail, ResultType, ResultDescription
| summarize RecoveryAttempts = count(),
            SuccessfulRecoveries = countif(ResultType == "0"),
            UniqueUsers = dcount(UserPrincipalName),
            SuccessRate = round(100.0 * countif(ResultType == "0") / count(), 1)
            by bin(TimeGenerated, 1d)
| order by TimeGenerated desc

Set up automated compliance reporting:

# PowerShell script for weekly recovery report (needs AuditLog.Read.All and
# Directory.Read.All). authenticationDetails cannot be used in a Graph $filter,
# so pull the window by date and filter client-side.
$startDate      = (Get-Date).ToUniversalTime().AddDays(-7)
$recoveryMethod = "Identity Verification"    # confirm against a real test recovery

$recoveryReport = Get-MgAuditLogSignIn -Filter "createdDateTime ge $($startDate.ToString('yyyy-MM-ddTHH:mm:ssZ'))" -All |
    Where-Object { $_.AuthenticationDetails.AuthenticationMethod -contains $recoveryMethod }

$report = $recoveryReport | Group-Object { $_.CreatedDateTime.Date.ToString('yyyy-MM-dd') } | ForEach-Object {
    [PSCustomObject]@{
        Date                 = $_.Name
        TotalRecoveries      = $_.Count
        SuccessfulRecoveries = @($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
        FailedRecoveries     = @($_.Group | Where-Object { $_.Status.ErrorCode -ne 0 }).Count
        UniqueUsers          = @($_.Group | Select-Object -ExpandProperty UserPrincipalName -Unique).Count
    }
} | Sort-Object Date

$report | Export-Csv "AccountRecoveryReport_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
Pro tip: Set up a dedicated Log Analytics workspace for security events and configure data retention based on your compliance requirements. Most organizations need 90+ days for security incident investigation.

Verification: Trigger a test recovery and confirm that alerts fire correctly and the event appears in your monitoring dashboard within 5 minutes. Verify that the KQL query returns accurate recovery statistics.
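Added example (not part of the original tutorial): detection logic for recovery abuse, which the per-day counts above do not give you. A successful Face Check recovery is high-assurance, but the account is at its most exposed right afterwards, because the attacker's goal is to register their own passkey. This function flags repeat recoveries per user inside a window, a recovery from a country the user had never signed in from before, and a security-info registration shortly after recovery from a different IP than the recovery itself. The input shapes mirror Graph sign-in and directory-audit objects; the sample data is constructed for this example, and "Identity Verification" is the method label this guide assumes for the recovery step (verify it against your own logs).

```powershell
# Added example: correlate recovery sign-ins with what happened next.
# Works on live Get-MgAuditLogSignIn / Get-MgAuditLogDirectoryAudit output or on the
# constructed sample objects below (sample data, not real tenant logs).
function Find-SuspiciousRecoveries {
    param(
        [Parameter(Mandatory)] $SignIns,       # objects shaped like Graph signIn
        [Parameter(Mandatory)] $AuditEvents,   # objects shaped like Graph directoryAudit
        [string] $RecoveryMethod = "Identity Verification",   # assumed label, confirm in logs
        [int]    $RepeatWindowDays = 7,
        [int]    $RegistrationWindowMinutes = 60
    )
    $findings   = [System.Collections.Generic.List[object]]::new()
    $recoveries = @($SignIns | Where-Object { $_.AuthenticationDetails.AuthenticationMethod -contains $RecoveryMethod })

    foreach ($r in $recoveries) {
        $user = $r.UserPrincipalName

        # (a) more than one recovery for the same user inside the window
        $repeats = @($recoveries | Where-Object {
            $_.UserPrincipalName -eq $user -and $_ -ne $r -and
            [math]::Abs(($_.CreatedDateTime - $r.CreatedDateTime).TotalDays) -le $RepeatWindowDays })
        if ($repeats.Count -gt 0) {
            $findings.Add([pscustomobject]@{ User = $user; Rule = "RepeatRecovery"; At = $r.CreatedDateTime
                Detail = "$($repeats.Count + 1) recoveries within $RepeatWindowDays days" })
        }

        # (b) recovery from a country never seen in the user's earlier normal sign-ins
        $knownCountries = @($SignIns | Where-Object {
            $_.UserPrincipalName -eq $user -and $_.CreatedDateTime -lt $r.CreatedDateTime -and
            $_.AuthenticationDetails.AuthenticationMethod -notcontains $RecoveryMethod } |
            ForEach-Object { $_.Location.CountryOrRegion } | Sort-Object -Unique)
        if ($knownCountries.Count -gt 0 -and $knownCountries -notcontains $r.Location.CountryOrRegion) {
            $findings.Add([pscustomobject]@{ User = $user; Rule = "NewCountry"; At = $r.CreatedDateTime
                Detail = "recovered from $($r.Location.CountryOrRegion); previously seen: $($knownCountries -join ', ')" })
        }

        # (c) security info registered soon after the recovery, but from another IP:
        #     the recovered session may have been handed to someone else
        $registrations = @($AuditEvents | Where-Object {
            $_.ActivityDisplayName -eq "User registered security info" -and
            $_.InitiatedBy.User.UserPrincipalName -eq $user -and
            $_.ActivityDateTime -ge $r.CreatedDateTime -and
            ($_.ActivityDateTime - $r.CreatedDateTime).TotalMinutes -le $RegistrationWindowMinutes -and
            $_.InitiatedBy.User.IpAddress -ne $r.IpAddress })
        foreach ($reg in $registrations) {
            $findings.Add([pscustomobject]@{ User = $user; Rule = "RegistrationFromOtherIp"; At = $reg.ActivityDateTime
                Detail = "recovery from $($r.IpAddress), registration from $($reg.InitiatedBy.User.IpAddress)" })
        }
    }
    return $findings
}

# Constructed sample data: alice recovers normally, bob's recovery trips rules (b) and (c)
$t0 = [datetime]::new(2026, 5, 12, 9, 0, 0, [DateTimeKind]::Utc)
$strong = @(@{ AuthenticationMethod = "Password" }, @{ AuthenticationMethod = "FIDO2 security key" })
$recoveryStep = @(@{ AuthenticationMethod = "Identity Verification" })
$signIns = @(
    [pscustomobject]@{ UserPrincipalName = "alice@contoso.example"; CreatedDateTime = $t0.AddDays(-3)
        IpAddress = "203.0.113.10"; Location = @{ CountryOrRegion = "NL" }; AuthenticationDetails = $strong }
    [pscustomobject]@{ UserPrincipalName = "alice@contoso.example"; CreatedDateTime = $t0
        IpAddress = "203.0.113.10"; Location = @{ CountryOrRegion = "NL" }; AuthenticationDetails = $recoveryStep }
    [pscustomobject]@{ UserPrincipalName = "bob@contoso.example"; CreatedDateTime = $t0.AddDays(-2)
        IpAddress = "198.51.100.7"; Location = @{ CountryOrRegion = "NL" }; AuthenticationDetails = $strong }
    [pscustomobject]@{ UserPrincipalName = "bob@contoso.example"; CreatedDateTime = $t0.AddHours(1)
        IpAddress = "192.0.2.55"; Location = @{ CountryOrRegion = "BR" }; AuthenticationDetails = $recoveryStep }
)
$audits = @(
    [pscustomobject]@{ ActivityDisplayName = "User registered security info"; ActivityDateTime = $t0.AddMinutes(5)
        InitiatedBy = @{ User = @{ UserPrincipalName = "alice@contoso.example"; IpAddress = "203.0.113.10" } } }
    [pscustomobject]@{ ActivityDisplayName = "User registered security info"; ActivityDateTime = $t0.AddMinutes(70)
        InitiatedBy = @{ User = @{ UserPrincipalName = "bob@contoso.example"; IpAddress = "192.0.2.200" } } }
)
Find-SuspiciousRecoveries -SignIns $signIns -AuditEvents $audits | Format-Table -AutoSize

# Live data instead of the sample (same object shapes; needs AuditLog.Read.All):
# $since   = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")
# $signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All
# $audits  = Get-MgAuditLogDirectoryAudit -Filter "activityDateTime ge $since and activityDisplayName eq 'User registered security info'" -All
```

On the sample input the function returns two findings, both for bob: NewCountry (BR after only NL) and RegistrationFromOtherIp (a passkey registered ten minutes after recovery from a different address). Each of these is worth an analyst's look on its own; two together on one account within an hour is the pattern of a recovery being used as the takeover step, and the response is to revoke sessions, strip the newly registered method, and re-verify the user out of band.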

Frequently Asked Questions

What licensing is required for Microsoft Entra Face Check account recovery?
You need Microsoft Entra ID P2 or Microsoft Entra Suite licensing to access the account recovery feature. Microsoft Entra Verified ID is also required but offers a free tier during the preview period. The Face Check functionality integrates with IDV providers through the Microsoft Security Store, which may have additional costs depending on usage volume and verification requirements.

How long does the Face Check account recovery process take for end users?
The complete recovery process typically takes 2-3 minutes from start to finish. This includes uploading the government ID document, completing the live Face Check verification, and the automatic account unlock. Processing time may vary slightly depending on the IDV provider and document quality, but the flow is designed for rapid verification to minimize user downtime.

What happens if Face Check verification fails during account recovery?
If Face Check fails, users can retry the process up to three times with improved lighting and camera positioning. After three failed attempts, the system requires a 24-hour cooling-off period before allowing additional attempts. During this time, users must contact IT support for manual account recovery. The system logs all failed attempts for security monitoring and potential fraud detection.

Can Microsoft Entra Face Check work with existing FIDO2 security keys?
Yes. Face Check integrates with FIDO2 security keys and platform authenticators like Windows Hello and Touch ID. The recovery system can restore access to users who have lost their physical security keys or cannot access their biometric authenticators. Once recovery is complete, users can re-register their FIDO2 devices and continue using phishing-resistant authentication methods.

What government ID documents are supported by Microsoft Entra Face Check?
Supported documents include driver's licenses, passports, and national ID cards from most countries. The specific list depends on your chosen IDV provider in the Microsoft Security Store. Documents must be current, clearly readable, and contain a photo for biometric matching. The system supports JPG, PNG, and PDF formats with a maximum file size of 10MB per document upload.
