Forum Discussion
CBA, MFA, and AADSTS54008 Certificate is not supported as first factor
mikey365: "Currently, password can't be disabled when CBA is enabled and the option to sign in using a password is displayed.": https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-certificate-based-authentication-limitations -> So your suggestion cannot be done at the moment. Would be the end game though in my view.
It's like jroth710 says: "They are ignoring the most obvious and beneficial use case -- eliminating the use of a password while still enforcing another factor of security."
When you go to the Azure Portal, you can now add authentication strengths policies: https://portal.azure.com/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AuthStrengths. What we need is the "Certificate Based Authentication (Single Factor) + Microsoft Authenticator (Push Notification)" combination under 'Multifactor authentication'. I'll keep hoping
- SjoerdV Mar 28, 2023 Iron Contributor
manshellstrom OK, that is probably part of a road that could be taken. I do think for 'complete' E2E browsing security to be in place it should be covered on both server AND client sides.
The 'CA token protection' you mentioned is a server side feature, as the token needs to be validated and processed accordingly (by MS servers) to make a difference. It also (at the moment) has a lot of limitations, amongst which is cross-platform compatibility.
Browser makers (including Edge!) should not neglect their responsibility here and make their client side, in-rest/in-transit cookie/token handling more secure. As browsers always have access to their host system (or sandbox) a unique key can always be derived from such system on the fly, so the private keys used to decrypt an encrypted cookie DB (loaded into volatile memory) wouldn't even have to be stored locally.
Instant security with cross-platform compatibility to boot! Any browser should have this IMHO.
- manshellstrom Mar 27, 2023 Copper Contributor
SjoerdV have a look at CA token protection, this function will create a relationship between the token and device.
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-token-protection
- SjoerdV Mar 27, 2023 Iron Contributor
Great stuff! I really like the flexibility of this system.
To top it off I also use a 'Location based' CA rule, so even when my full browser profile gets hijacked (including session tokens) it won't work off my private network.
Still I would like to see browsers encrypting their cookie database with some machine specific key, to make the cookies not work if they are used on a different machine. It feels very strange this massive security hole has gone unplugged for so long...
Cheers!
- SeadS Mar 25, 2023 Copper Contributor
I have configured CBA as single factor, in policies multifactor authentication as passwordless, and in my iOS configured Authenticator for phone sign-in.
This way it worked: first CBA and then number matching from passwordless sign-in 🙂
- SjoerdV Mar 24, 2023 Iron Contributor
Ah, finally got it to work. But just the other way around:
- User logs in with username
- Authenticator App is used as first factor (because passwordless is selected) (user types in the numbers at the prompt)
- CBA is selected as second factor (user selects the certificate configured)
In my setup CBA is configured with 'multi factor' as protection level
CA has two rules:
- one regular 'MFA required' (just like always)
- a second one (new policy!) requiring 'phishing resistant MFA' with 'Require authentication strength (Preview)' grant
That's great!
- SjoerdV Mar 24, 2023 Iron Contributor
Yes, I got it to work with CBA as a single factor, but as soon as I try to
a) enforce MFA (through CA) or
b) use CBA as a multi factor method (in CBA settings)
the login process breaks with "Multifactor authentication is required and the credential used is not supported. Try signing in with another method."
What I just want to achieve is:
- User logs in with username
- CBA is selected as first factor (user selects the certificate configured)
- Authenticator App is used as second factor (user types in the numbers at the prompt)
If you (or anyone else) have a way to get this to work, I am very interested ;-)
- mikey365 Mar 15, 2023 Brass Contributor
SjoerdV It can be done. I do it now for a handful of users. SmartCardLogin Required is enforced in AD, and the cert auth method is assigned to the user. What that message is saying is "password" will still be a visible sign in option for the user, but all they have to do is click "other ways to sign in" and then click certificate...
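The 'Require authentication strength' grant that SjoerdV's posts above rely on is defined as a list of allowed combinations of authentication method modes. The Python below is an added example, not code from this thread or from Microsoft: it is a toy model of that combination check, using the Microsoft Graph authenticationMethodModes names. The combination lists are constructed, illustrative subsets of the built-in strengths (not the full policies), the custom CBA-plus-push strength is hypothetical, and the model deliberately does not cover first-factor eligibility, which is what the AADSTS54008 "certificate is not supported as first factor" error in the title concerns.

```python
"""Toy model of authentication-strength evaluation.

Added example for this thread; it is not Microsoft's code and not from any
poster. It models the documented idea that an authentication strength is a
list of allowed *combinations* of authentication method modes, and that a
sign-in satisfies the strength when the modes it used cover at least one
allowed combination. Mode names follow the Microsoft Graph
authenticationMethodModes naming; every combination list below is a
constructed subset for illustration, not the full built-in policy.
"""

from typing import FrozenSet, Iterable, List, Optional

Combination = FrozenSet[str]

# Constructed subset of the built-in "Phishing-resistant MFA" strength.
PHISHING_RESISTANT_MFA: List[Combination] = [
    frozenset({"windowsHelloForBusiness"}),
    frozenset({"fido2"}),
    frozenset({"x509CertificateMultiFactor"}),
]

# Constructed subset of the built-in "Multifactor authentication" strength.
MFA_SUBSET: List[Combination] = [
    frozenset({"password", "microsoftAuthenticatorPush"}),
    frozenset({"deviceBasedPush"}),  # Authenticator phone sign-in
    frozenset({"fido2"}),
    frozenset({"x509CertificateMultiFactor"}),
]

# Hypothetical custom strength modelled on the combination the thread asks
# for: single-factor certificate plus an Authenticator push notification.
CUSTOM_CBA_PLUS_PUSH: List[Combination] = [
    frozenset({"x509CertificateSingleFactor", "microsoftAuthenticatorPush"}),
]


def satisfied_combination(used_modes: Iterable[str],
                          allowed: List[Combination]) -> Optional[Combination]:
    """Return the first allowed combination fully covered by the modes used.

    The check is set-based: the order in which the factors were presented
    (certificate first or Authenticator first) does not matter here.
    """
    used = frozenset(used_modes)
    for combo in allowed:
        if combo <= used:
            return combo
    return None


def satisfies(used_modes: Iterable[str], allowed: List[Combination]) -> bool:
    """True when the sign-in meets the strength."""
    return satisfied_combination(used_modes, allowed) is not None


def missing_modes(used_modes: Iterable[str],
                  allowed: List[Combination]) -> Combination:
    """Smallest set of additional modes that would satisfy the strength.

    Useful when troubleshooting a "credential used is not supported" style
    failure: it names what the policy still wants. Ties between equally
    short gaps are broken by policy order. Returns an empty set when the
    strength is already satisfied.
    """
    used = frozenset(used_modes)
    gaps = sorted(((combo - used, i) for i, combo in enumerate(allowed)),
                  key=lambda t: (len(t[0]), t[1]))
    return gaps[0][0] if gaps else frozenset()


def explain(used_modes: Iterable[str], allowed: List[Combination]) -> str:
    """Human-readable verdict for one sign-in against one strength."""
    hit = satisfied_combination(used_modes, allowed)
    if hit is not None:
        return "satisfied by combination " + "+".join(sorted(hit))
    gap = missing_modes(used_modes, allowed)
    return "not satisfied; still missing " + "+".join(sorted(gap))


if __name__ == "__main__":
    # Constructed sign-ins mirroring the flows described in the thread.
    cert_then_push = ["x509CertificateSingleFactor", "microsoftAuthenticatorPush"]
    push_then_cert = ["microsoftAuthenticatorPush", "x509CertificateSingleFactor"]
    multifactor_cert = ["x509CertificateMultiFactor"]

    for name, strength in [("phishing-resistant", PHISHING_RESISTANT_MFA),
                           ("custom CBA+push", CUSTOM_CBA_PLUS_PUSH)]:
        print(name, "/ cert then push:", explain(cert_then_push, strength))
        print(name, "/ push then cert:", explain(push_then_cert, strength))
        print(name, "/ multifactor cert:", explain(multifactor_cert, strength))
```

Running it shows why the two orderings in SjoerdV's posts give the same verdict against a given strength (the combination check is over the set of modes used), while a single-factor certificate plus a push never meets the phishing-resistant strength, whose constructed subset only lists multifactor certificate, FIDO2 and Windows Hello. Whether a certificate may be presented as the first factor at all is a separate decision that this model does not attempt to reproduce.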