Forum Discussion
CBA, MFA, and AADSTS54008 Certificate is not supported as first factor
Did you sort this out?
I encounter the same error in my test tenant; the user certificate is successfully mapped to my user.
If I switch the protection level over to "multifactor authentication", I get signed in without an MFA prompt.
When I attempt to sign in with the protection level set to "single-factor authentication", sign-in fails with the error AADSTS54008: Multi-Factor authentication is required and the credential used (Certificate) is not supported as a First Factor. Contact your administrator for more information.
- jroth710, Aug 20, 2022, Copper Contributor
You ever figure this out? I am having the same issue. I only want the cert to be used as a single factor, and have the toggle and issuer rule set as such. I have no policy OID rule for MFA. When entering the UPN, I choose log in with a certificate, and get the same error you cited. My expectation is that the cert replaces the password, and the user will require MFA through their default method, which is the authenticator app.
- mikey365, Aug 23, 2022, Brass Contributor
FYI, it is misleading, but if you look at the Microsoft documentation on CBA, the only way to do MFA with a cert is to add a Policy OID rule that checks for a value in your cert. The cert then acts as the first factor and second factor. There seem to be no other MFA options supported with CBA yet.
- jroth710, Aug 23, 2022, Copper Contributor
So you're saying that limiting its use to "single factor" implies having to have MFA disabled entirely for the user, while enabling it for "multi-factor" basically makes this the equivalent of a FIDO key, minus the hardware security and PIN? It simply can't be configured as the equivalent of any other form of single factor, so some other factor is needed to go along with it in order to authenticate? If so, that's pretty weak..
I guess this part of the documentation made me think otherwise, thinking the experience would be: cert replaces password, then the user can choose from mobile app, passcode, FIDO key, etc. as a 2nd factor..
"If a unique user is found and the user has a conditional access policy and needs multifactor authentication (MFA) and the certificate authentication binding rule satisfies MFA, then Azure AD signs the user in immediately. If the certificate satisfies only a single factor, then it requests the user for a second factor to complete Azure AD Multi-Factor Authentication."
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-certificate-based-authentication-technical-deep-dive
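The two things the thread turns on are the certificate binding rules (issuer vs. policy OID, each mapped to single- or multi-factor) and the documented behaviour quoted above (a cert that satisfies MFA signs the user in at once; a single-factor cert does not). The following is an added example, not code from the thread or from Microsoft: it builds the Graph API PATCH body for the x509Certificate authentication method and works out which authentication mode a given certificate ends up with under a configured rule set, so you can see why jroth710's configuration (default single-factor, issuer rule only, no policy OID rule) leaves the certificate unable to satisfy an MFA requirement while mikey365's policy OID rule does. Assumptions: the Graph property and enum names are reproduced from memory of the x509CertificateAuthenticationMethodConfiguration resource and should be checked against the current Graph documentation; the precedence "policy OID rule beats issuer rule beats default mode" is the documented order as I recall it; the issuer DN and OID `1.2.3.4.5` are made-up sample values.

```python
"""Model of Microsoft Entra CBA binding rules and the Graph payload that sets them.

Added example for the thread above; not code from Microsoft or from any poster.
Property names follow the Graph x509CertificateAuthenticationMethodConfiguration
resource as recalled by the editor (verify against the Graph docs before use).
"""
import json
from dataclasses import dataclass, field

SINGLE = "x509CertificateSingleFactor"
MULTI = "x509CertificateMultiFactor"

# Constructed sample values; not from any real tenant.
SAMPLE_ISSUER = "CN=Contoso Issuing CA,DC=contoso,DC=com"
SAMPLE_MFA_OID = "1.2.3.4.5"


@dataclass
class Rule:
    rule_type: str   # "policyOID" or "issuerSubject"
    identifier: str  # dotted OID string, or the issuer subject DN
    mode: str        # SINGLE or MULTI


@dataclass
class CbaConfig:
    default_mode: str = SINGLE
    rules: list = field(default_factory=list)

    def to_graph_payload(self) -> dict:
        """Body for PATCH /policies/authenticationMethodsPolicy/
        authenticationMethodConfigurations/x509Certificate (assumed shape)."""
        return {
            "@odata.type": "#microsoft.graph.x509CertificateAuthenticationMethodConfiguration",
            "id": "X509Certificate",
            "state": "enabled",
            "certificateUserBindings": [
                {"x509CertificateField": "PrincipalName",
                 "userProperty": "userPrincipalName", "priority": 1},
            ],
            "authenticationModeConfiguration": {
                "x509CertificateAuthenticationDefaultMode": self.default_mode,
                "rules": [
                    {"x509CertificateRuleType": r.rule_type,
                     "identifier": r.identifier,
                     "x509CertificateAuthenticationMode": r.mode}
                    for r in self.rules
                ],
            },
        }


@dataclass
class Cert:
    issuer: str
    policy_oids: tuple = ()  # OIDs from the certificatePolicies extension


def effective_mode(cfg: CbaConfig, cert: Cert) -> str:
    """Assumed precedence: matching policy OID rule > matching issuer rule > default."""
    for r in cfg.rules:
        if r.rule_type == "policyOID" and r.identifier in cert.policy_oids:
            return r.mode
    for r in cfg.rules:
        if r.rule_type == "issuerSubject" and r.identifier == cert.issuer:
            return r.mode
    return cfg.default_mode


def sign_in_outcome(cfg: CbaConfig, cert: Cert, mfa_required: bool) -> str:
    """Per the documentation quoted in the thread: a certificate bound to
    multi-factor satisfies an MFA requirement on its own; a single-factor
    certificate cannot and a second factor is needed (in the posters' tenants
    this is where AADSTS54008 was returned instead of a second-factor prompt)."""
    if not mfa_required or effective_mode(cfg, cert) == MULTI:
        return "signed_in"
    return "second_factor_required"


# jroth710's setup: single-factor default, issuer rule also single-factor, no OID rule.
ISSUER_ONLY_CFG = CbaConfig(SINGLE, [Rule("issuerSubject", SAMPLE_ISSUER, SINGLE)])
# mikey365's fix: a policy OID rule that binds the certificate to multi-factor.
OID_CFG = CbaConfig(SINGLE, [Rule("issuerSubject", SAMPLE_ISSUER, SINGLE),
                             Rule("policyOID", SAMPLE_MFA_OID, MULTI)])
CERT_WITH_OID = Cert(SAMPLE_ISSUER, (SAMPLE_MFA_OID,))
CERT_WITHOUT_OID = Cert(SAMPLE_ISSUER)

if __name__ == "__main__":
    for name, cfg in (("issuer-only", ISSUER_ONLY_CFG), ("policy-OID", OID_CFG)):
        print(name, effective_mode(cfg, CERT_WITH_OID),
              sign_in_outcome(cfg, CERT_WITH_OID, mfa_required=True))
    print(json.dumps(OID_CFG.to_graph_payload(), indent=2))
```

The point the model makes concrete: with only an issuer rule and a single-factor default, every certificate resolves to single-factor, so an MFA-requiring Conditional Access policy can never be satisfied by the certificate itself; a policy OID rule bound to multi-factor changes the outcome only for certificates that actually carry that OID, so a certificate issued without it still lands in the single-factor path. Check the OID is present in the issued certificate (the certificatePolicies extension) before assuming the rule applies.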
- manshellstrom, Aug 22, 2022, Copper Contributor
No, and my best guess is that the service is broken.
You and I are reaching for the exact same functionality, but it seems you can't get this working without a certificate policy that can be mapped in the configuration.
We're also missing the possibility to use OCSP in favor of CRL.
- KingBear, Aug 05, 2022, Copper Contributor
manshellstrom Yes sir. The settings below work as desired for my tenant.
Be sure to check that you don't have any policies in your tenant that may be conflicting.