Forum Discussion
Use FIDO2 as MFA token
luvsql I think I need more detailed information. What subscription do you have today? AAD P1 using CA, or simply Security defaults with enforced MFA for all users? Are Intune and enrollment involved? What registration policy do you refer to? It can't be the MFA registration policy, at least, as that is part of AAD P2.
The TAP is for FIDO2 scenarios such as yours, making it possible to add a key to the dropdown, where it's missing right now. FIDO2 satisfies MFA but cannot be used as a second factor (at least not yet, as far as I know).
Give it a try?
Temporary Access Pass is now in public preview - Microsoft Tech Community
- luvsql, Sep 28, 2021, Iron Contributor: Hi Christian,
 Our user base comprises mostly Microsoft 365 Business Standard and some Office 365 E3 licenses, which gives us the Azure AD that we use now. I know it's limited as it pertains to Domain policies, but it's still allowing us to secure with MFA etc.
 We do have many users with corporate cellphones with MFA and the authenticator app and it works well; however, we do have 20% of our Employees that do not have a corporately paid cellphone (nor a desk phone) and they do not want to use it for authentication (and we can't force them to). We have to pre-configure new Employees ahead of time and I am trying to find a solution for these types of users that we can't use the standard authentication methods with.
 When we set up a new user in Azure AD directly, there is a default policy (Security > MFA Registration Policy) that is forcing a newly authenticated laptop to set up MFA, and FIDO2 is not an option since that's set up in a different area and is linked to the passwordless feature.
 We can't disable this policy for some reason (even though it says "This view is for Azure AD Premium P2 customers to setup MFA registration policy. Other customers can only disable policies here.") so I am trying to find a workaround. There is no option to disable. If we disabled this registration policy then we would skip right to the FIDO2 passwordless. As soon as you reboot after authenticating a device the MFA pops up.
- Sep 28, 2021: luvsql Hello again, I had to try it using security defaults as I'm pretty sure you're using that. You have no Intune, Conditional Access or MFA registration policy in your subscriptions. So, when simply using security defaults with enforced MFA you get the prompt to add security info/details, and can skip this for 14 days. When enabling the Temporary Access Pass policy and activating that for a newly created user in Azure AD, it instead becomes the first prompt. This is what it looks like; it takes you to the https://aka.ms/mysecurityinfo page where one can configure additional options, such as the security key. I could not proceed as I do not have a key to put in the laptop. *My reply is being updated as you can actually use TAP to add a security key (as the pictures show) with security defaults. For the sake of it I even asked Microsoft, who verified the method. To wrap up the above:
 1. Enable security defaults.
 2. Enable TAP and assign it to the user.
 3. User logs in using TAP and adds the FIDO2 key.
 4. At the next sign-in, when prompted for MFA, the user uses the FIDO2 key (as FIDO2 satisfies MFA).
- luvsql, Sep 28, 2021, Iron Contributor: Okay, good to know. If we go this route and get everything set up with a laptop that has the key connected via USB, what happens when the user needs to access their email or an Office app on a tablet that doesn't have USB? Will this then only allow authentication on a device with USB?
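The four-step onboarding flow in the "Hello again" reply (enable security defaults, enable TAP and issue one to the new user, have the user register a FIDO2 key, then rely on the key for MFA) can be scripted on the admin side. The block below is an added example written for this discussion; it is not code posted in the thread or published by Microsoft. It uses the Microsoft Graph PowerShell SDK cmdlet Invoke-MgGraphRequest against the v1.0 Graph endpoints for the Temporary Access Pass policy, TAP creation and FIDO2 method listing. The user principal name, the pass lifetime and the group scope are placeholder or constructed values; step 1 (security defaults) is a portal setting and has no call here, and step 3 is the user's own action.

```powershell
# Added example (not from the thread): script the TAP -> FIDO2 onboarding flow.
# Requires the Microsoft.Graph PowerShell SDK and an account allowed to manage
# authentication methods. UPN, lifetime and scope below are placeholders.

Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod", "UserAuthenticationMethod.ReadWrite.All"

$graph = "https://graph.microsoft.com/v1.0"

# Step 2a: enable the Temporary Access Pass method policy for all users.
# Defaults are deliberately conservative: short lifetime and single use, so a
# pass that leaks in transit (mail, chat, paper) is usable for a narrow window
# and only once. The user still chooses their own key in step 3.
function Enable-TapPolicy {
    $body = @{
        "@odata.type"            = "#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration"
        state                    = "enabled"
        defaultLifetimeInMinutes = 60
        isUsableOnce             = $true
        includeTargets           = @(@{ targetType = "group"; id = "all_users"; isRegistrationRequired = $false })
    }
    $uri = "$graph/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/TemporaryAccessPass"
    Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body
}

# Step 2b: issue a one-time TAP to the new hire. The returned object carries the
# pass in .temporaryAccessPass; Graph returns it exactly once, so hand it over
# out of band immediately and do not log it.
function New-OnboardingTap {
    param([Parameter(Mandatory)][string]$UserPrincipalName, [int]$LifetimeInMinutes = 60)
    $body = @{ lifetimeInMinutes = $LifetimeInMinutes; isUsableOnce = $true }
    $uri  = "$graph/users/$UserPrincipalName/authentication/temporaryAccessPassMethods"
    return Invoke-MgGraphRequest -Method POST -Uri $uri -Body $body -OutputType PSObject
}

# Step 4 check: list the FIDO2 keys registered on the account. An empty result
# means the user has not completed step 3 yet and will still be prompted to
# add security info at the next sign-in.
function Get-RegisteredFido2Keys {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $uri = "$graph/users/$UserPrincipalName/authentication/fido2Methods"
    $resp = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    return @($resp.value)
}

# --- Usage ---------------------------------------------------------------
Enable-TapPolicy

$newUser = "new.hire@contoso.example"   # placeholder UPN
$tap = New-OnboardingTap -UserPrincipalName $newUser -LifetimeInMinutes 60
Write-Host "Hand this to $newUser out of band (valid $($tap.lifetimeInMinutes) min, single use): $($tap.temporaryAccessPass)"

# Step 3 (user): sign in with the TAP, open https://aka.ms/mysecurityinfo and add the security key.

# Step 4 (admin): confirm the key exists before treating onboarding as finished.
$keys = Get-RegisteredFido2Keys -UserPrincipalName $newUser
if ($keys.Count -eq 0) {
    Write-Warning "$newUser has not registered a FIDO2 key yet."
} else {
    $keys | Format-Table displayName, model, createdDateTime
}
```

Run the policy step once per tenant and the TAP step once per new user. Keeping isUsableOnce on both the policy and the individual pass means the TAP is consumed by the first sign-in; if the user abandons the registration page before adding the key, issue a fresh pass rather than extending the lifetime of the old one.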