Forum Discussion

KingBear's avatar
KingBear
Copper Contributor
May 24, 2022

CBA, MFA, and AADSTS54008 Certificate is not supported as first factor

Greetings All,   I'm trying to get CBA MFA working for Azure AD, exchange online specifically, but I can't get past the following error:  AADSTS54008:  Multi-Factor authentication is required and t...
Azure Active Directory (AAD)
MFA
SjoerdV's avatar
SjoerdV
Iron Contributor
Mar 24, 2023
Yes I got it to work with CBA as a single factor, but as soon as I try to
a) enforce MFA (through CA) or
b) use CBA as a multi factor method (in CBA settings)
the login process breaks with "Multifactor authentication is required and the credential used is not supported. Try signing in with another method."

What I just want to achieve is:
- User logs in with username
- CBA is selected as first factor (user selects the certificate configured)
- Authenticator App is used as second factor (user types in the numbers at the prompt)

If you (or anyone else) have a way to get this to work, I am very interested;-)
SjoerdV's avatar
SjoerdV
Iron Contributor
Mar 24, 2023
Ah, finally got it to work. But just the other way around:
- User logs in with username
- Authenticator App is used as first factor (because passwordless is selected) (user types in the numbers at the prompt)
- CBA is selected as second factor (user selects the certificate configured)

In my setup CBA is configured with 'multi factor' as protection level

CA has two rules:
- one regular 'MFA required' (just like always)
- a second one (new policy!) requiring 'phishing resistant MFA' with 'Require authentication strength (Preview)' grant

That's Great!
  • SjoerdV's avatar
    SjoerdV
    Iron Contributor
    Mar 28, 2023

    manshellstromOK, that is probably part of a road that could be taken. I do think for 'complete' E2E browsing security to be in place it should be covered on both server AND client sides.

     

    The 'CA token protection' you mentioned is a server side feature, as the token needs to be validated and processed accordingly (by MS servers) to make a difference. It also (at the moment) has a lot of limitations, amongst which is cross-platform compatibility.

     

    Browser makers (including Edge!) should not neglect their responsibility here and make their client side, in-rest/in-transit cookie/token handling more secure. As browsers always have access to their host system (or sandbox) a unique key can always be derived from such system on the fly, so the private keys used to decrypt an encrypted cookie DB (loaded into volatile memory) wouldn't even have to be stored locally.

    Instant security with cross-platform compatibility to boot! Any browser should have this IMHO.

  • manshellstrom's avatar
    manshellstrom
    Copper Contributor
    Mar 27, 2023

    SjoerdV have a look at CA token protection, this function will create a relationship between the token and device.

    https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-token-protection

  • SjoerdV's avatar
    SjoerdV
    Iron Contributor
    Mar 27, 2023
    Great stuff! I Really like the flexibility of this system.

    To top it of I also use a 'Location based' CA rule, so even when my full browser profile gets hijacked (including session tokens) it won't work, off my private network.

    Still I would like to see browsers encrypting their cookie database with some machine specific key, to make the cookies not work if they are used on a different machine. It feels very strange this massive security hole has gone unplugged for so long...

    Cheers!
  • SeadS's avatar
    SeadS
    Copper Contributor
    Mar 25, 2023
    i have configured cba as single factor,in policies mutlifactor authenticstion as passwordless and in my ios configured authenticstor for phone sign in.
    This way it worked first cba snd than numner matching from passwordless sign in 🙂

Resources