Forum Discussion
Miike
Apr 18, 2023 (Brass Contributor)
Secure Registration and TAP with a password-less CA baseline
Hi All, I've been looking further at password-less in an Azure AD tenant and if it can be set as a baseline CA requirement for access to tenant resources. Access via CA policies appears to work ...
May 02, 2023
If you enforce Passwordless (authentication strength), as you've noticed, you might need to add TAP as an additional method in that policy. Let's consider the scenario: existing user, new phone.
It's a bit clunky today, since you will need a TAP for getting the user into Security Info first (to register a method), and then provide a TAP yet again when you "Enable Phone Sign-in" on the new mobile. You could use the same TAP there if you set it to not require one-time use and then scope it to 1 hour, for example. I have an example Authenticator scenario you can compare with: https://simonhakansson.com/passwordless-authenticator-configuration-ddb0fa70d32f
Keep in mind that TAP is considered stronger than the other available MFA methods (https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-system-preferred-multifactor-authentication#how-does-system-preferred-mfa-determine-the-most-secure-method), so it should be handled with care.
I expect the Passwordless registration flow to become a bit more user-friendly in the future; ideally you would want "Enable Phone Sign-in" to be automatic in some way, at least for MDM-enrolled phones, in my opinion.
Miike
Apr 19, 2023 (Brass Contributor)
Getting closer:
To keep the passwordless baseline and include TAP, I can create a custom security strength and include TAP. If I also add the grant control of requiring hybrid join, a new account can enrol in the Authenticator, and an account with a lost authenticator can also re-enrol through a hybrid-joined device.
However, "Enable Phone Sign-in" still dies in the app, where it requests a TAP to meet the baseline to register the device (fine for onboarding a new user; an issue at scale for existing users).
I would like to hear how others are solving this to go passwordless.
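The two posts above describe one configuration: a TAP policy that permits multi-use passes with a short lifetime (the May 02 reply), and a custom authentication strength that lists TAP next to the passwordless methods, used as the grant control of a tenant-wide Conditional Access policy alongside "require hybrid join" (the Apr 19 post). The following Microsoft Graph PowerShell script is an added example that is not code from either participant or from Microsoft; it assumes the Microsoft.Graph modules (Identity.SignIns cmdlets, names as shipped in current module versions, so check them against yours), the listed delegated permissions, and placeholder values for the strength name, lifetimes, break-glass account id and user UPN. The CA policy is created in report-only mode and the OR operator mirrors the thread's reading that either a hybrid-joined device or the passwordless strength should satisfy the baseline; change it to AND if you want both.

```powershell
# Added example (not from the thread): Graph PowerShell steps for the
# "passwordless baseline plus TAP" pattern. Cmdlet names are from the
# Microsoft.Graph.Identity.SignIns module; values below are placeholders.
$scopes = @(
    "Policy.ReadWrite.AuthenticationMethod",   # tenant TAP settings
    "Policy.ReadWrite.ConditionalAccess",      # auth strength + CA policy
    "UserAuthenticationMethod.ReadWrite.All"   # issue a TAP to a user
)
Connect-MgGraph -Scopes $scopes

# 1. Tenant TAP settings: allow multi-use passes so one TAP covers both the
#    Security Info registration and the later "Enable phone sign-in" prompt.
#    Keep the default lifetime short; a TAP outranks every other MFA method.
$tapSettings = @{
    "@odata.type"            = "#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration"
    state                    = "enabled"
    isUsableOnce             = $false   # multi-use allowed; chosen per pass below
    defaultLifetimeInMinutes = 60
    minimumLifetimeInMinutes = 10
    maximumLifetimeInMinutes = 240
    defaultLength            = 8
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "TemporaryAccessPass" `
    -BodyParameter $tapSettings

# 2. Custom authentication strength: the passwordless methods plus TAP, so a
#    user holding a TAP can satisfy the baseline while registering Authenticator.
$combinations = @(
    "windowsHelloForBusiness",
    "fido2",
    "x509CertificateMultiFactor",
    "deviceBasedPush",                 # Authenticator passwordless phone sign-in
    "temporaryAccessPassOneTime",
    "temporaryAccessPassMultiUse"
)
$strength = New-MgIdentityConditionalAccessAuthenticationStrengthPolicy `
    -DisplayName "Passwordless or TAP (example)" `
    -Description "Passwordless MFA methods; TAP allowed for registration and recovery" `
    -AllowedCombinations $combinations

# 3. Tenant-wide CA policy: the strength above OR a hybrid-joined device.
#    Report-only first, so the sign-in log shows who would be blocked.
$policy = @{
    displayName   = "Baseline: passwordless strength or hybrid join (example)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers = @("All")
            excludeUsers = @("<break-glass-account-object-id>")   # placeholder
        }
    }
    grantControls = @{
        operator               = "OR"
        builtInControls        = @("domainJoinedDevice")          # hybrid joined
        authenticationStrength = @{ id = $strength.Id }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Out-Null

# 4. Issue one multi-use, 60-minute TAP to a user who is replacing their phone.
#    Deliver the value out-of-band and confirm the registration in the audit log.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod `
    -UserId "user@contoso.example" `
    -LifetimeInMinutes 60 `
    -IsUsableOnce:$false
"TAP: $($tap.TemporaryAccessPass)  valid for $($tap.LifetimeInMinutes) minutes"
```

After the user has completed both steps, the pass can be revoked ahead of expiry with Remove-MgUserAuthenticationTemporaryAccessPassMethod, which keeps the multi-use window as short as the enrolment actually needed.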