Forum Discussion
PIM role activation but only with FIDO2-based MFA?
RGFUK Interesting question. Enabling PIM and requiring MFA for activation calls for Azure MFA, which is configured by you, the admin, i.e. the options under Service settings, which in turn are also the options available to you in the security info drop-down you're referring to. I don't work with setting up PIM as a feature (that must be said), but AFAIK you cannot separate MFA with "must use authenticator app here and must use FIDO2 here".
FIDO2 satisfies MFA while not being supported as a true second factor. With that in mind, you should be able to use FIDO2 as the verification method (hardware token) when enabling a PIM role and requiring Azure MFA, as both the Authenticator app and FIDO2 are used for sign-in and strong authentication.
Let me know how it goes!