Forum Discussion
I am also interested in securing PIM with a HW key but not necessarily requiring it to log into Azure Portal. Did you have any success with that? Thanks
- RGFUK, Mar 25, 2023, Copper Contributor
Ondrej_Hlavacek
This is possible now by creating an authentication context, called for example "Require FIDO2 security key", and then making the authn context a condition of a conditional access policy. Another possibility is to use authentication strength as a requirement under the grant section of the policy. That allows you to choose phishing-resistant MFA, which would include a hardware key.
See for example the blogs written by Kaido Jarvemets or Kenneth van Surksum:
https://www.kaidojarvemets.com/better-together-azure-active-directory-privileged-identity-management-and-authentication-context/
https://www.vansurksum.com/2023/02/20/azure-ad-conditional-access-authentication-context-now-also-available-for-azure-ad-privileged-identity-management/
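The setup described in the reply above, written out with the Microsoft Graph PowerShell SDK as an added example (this is not code from the post or from the linked blogs). It creates an authentication context, binds it to a Conditional Access policy that grants only on the built-in "Phishing-resistant MFA" authentication strength, and then requires that context on PIM activation of one role. The display names, the context id `c1`, the target role (Global Administrator, well-known role definition id `62e90394-69f5-4237-9190-012177145e10`) and the report-only initial state are assumptions for illustration; the built-in strength is looked up by display name rather than hard-coded.

```powershell
# Added example: authentication context + Conditional Access + PIM binding.
# Assumes Microsoft.Graph PowerShell SDK and a Global Administrator session.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess",
                        "Policy.Read.All",
                        "RoleManagementPolicy.ReadWrite.Directory"

# 1. Authentication context (ids c1..c99 are the only valid values).
#    "c1" is an assumed free slot; check existing references first.
$ctxId = "c1"
New-MgIdentityConditionalAccessAuthenticationContextClassReference `
    -Id $ctxId `
    -DisplayName "Require FIDO2 security key" `
    -Description "PIM activation of privileged roles" `
    -IsAvailable

# 2. Resolve the built-in "Phishing-resistant MFA" authentication strength
#    (covers FIDO2 keys, certificate-based auth and Windows Hello for Business).
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq "Phishing-resistant MFA" }
if (-not $strength) { throw "Built-in phishing-resistant strength not found" }

# 3. Conditional Access policy scoped ONLY to the authentication context,
#    so normal portal sign-in is untouched; start in report-only mode.
$policy = @{
    displayName = "PIM activation requires phishing-resistant MFA"
    state       = "enabledForReportingButNotEnforced"   # flip to "enabled" after review
    conditions  = @{
        users        = @{ includeUsers = @("All") }
        applications = @{
            includeAuthenticationContextClassReferences = @($ctxId)
        }
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $strength.Id }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Out-Null

# 4. Bind the context to the PIM role settings of one directory role.
#    Assumed target: Global Administrator (well-known roleDefinitionId).
$roleDefinitionId = "62e90394-69f5-4237-9190-012177145e10"
$assignment = Get-MgPolicyRoleManagementPolicyAssignment -Filter `
    "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$roleDefinitionId'"

$rule = @{
    "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule"
    id            = "AuthenticationContext_EndUser_Assignment"
    isEnabled     = $true
    claimValue    = $ctxId
    target        = @{
        caller              = "EndUser"
        operations          = @("All")
        level               = "Assignment"
        inheritableSettings = @()
        enforcedSettings    = @()
    }
}
Update-MgPolicyRoleManagementPolicyRule `
    -UnifiedRoleManagementPolicyId $assignment.PolicyId `
    -UnifiedRoleManagementPolicyRuleId "AuthenticationContext_EndUser_Assignment" `
    -BodyParameter $rule

# Verify what PIM will now demand on activation of this role.
Get-MgPolicyRoleManagementPolicyRule `
    -UnifiedRoleManagementPolicyId $assignment.PolicyId `
    -UnifiedRoleManagementPolicyRuleId "AuthenticationContext_EndUser_Assignment" |
    Select-Object Id, IsEnabled
```

Two practical checks: the PIM portal treats the authentication-context rule and the older "Require Azure AD MFA on activation" enablement setting as alternatives, so the MFA flag in `Enablement_EndUser_Assignment` should be cleared once the context is in place, and the policy should be left in report-only until sign-in logs confirm that activations by the intended administrators would satisfy the strength (activation will otherwise fail with a Conditional Access error rather than fall back to a weaker factor).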