Forum Discussion

Iron Contributor

Sep 28, 2021

Solved

Use FIDO2 as MFA token

We are trying to replace the need to have a phone number (cellphone or office phone or authenticator app) for many of our users that refuse to use a personal phone for authentication. This is also f...

Azure Active Directory (AAD)

ChristianJBergstrom
Sep 28, 2021
luvsql Hello again, I had to try it using security defaults as I'm pretty sure you're using that. You have no Intune, Conditional access or MFA registration policy in your subscriptions.

So, when simply using security defaults with enforced MFA you get the prompt to add security info/details, and can skip this for 14 days. When enabling the Temporary Access Pass policy and activating that for a newly created user in Azure AD it instead becomes the first prompt.

This is how it looks like and takes you to https://aka.ms/mysecurityinfo page where one can configure additional options, such as the security key. I could not proceed as I do not have a key to put in the laptop.

*My reply is being updated as you can actually use TAP to add a security key (as the pictures show) with security defaults. For the sake of it I even asked Microsoft who verified the method.

To wrap up the above.

1. Enable security defaults.

2. Enable TAP and assign to user.

3. User logs in using TAP and adds FIDO2 key.

4. Next sign-in when prompted for MFA user uses FIDO2 key (as FIDO2 satisfies MFA).

JonasBack

Iron Contributor

Sep 29, 2021

Just a tought, may not be a pretty one but instead of FIDO2 USB key, have you considered buying them the cheapest Android phone just for Authenticator? They don't even need a cell phone subscription since they can do fine with WiFi or even without it after registration and use the 30 seconds rolling random number.

luvsql
Iron Contributor
Sep 29, 2021
A cheap Android phone comes with a monthly contract of a minimum of $30 per month in Canada so that's $720 per Employee for each contract with the carrier.
- Jack_Chen1780
  Brass Contributor
  Sep 29, 2021
  If it's just for authentication, then as long as you can install Microsoft Authenticator, you don't need any mobile/data plan?
  Since Microsoft Authenticator can work on WIFI for Push notification; and when there is no Internet, you can use OTP.
  
  There is another mystery for me for Azure AD license. The document seems indicate if you don't have a P1 license, then the only option to allow MFA for none-admin user is to use "security defaults". But my test shows even without Premium license, I can still enable MFA per user bases. The only difference is the user without Premium license can only use Microsoft Authenticator for MFA, they can't use SMS/phone call options.
  - ChristianJBergstrom
    MVP
    Sep 29, 2021
    That’s actually one way to go in this use case. You could turn off security defaults and use the legacy per-user MFA if there’s no way of upgrading to Business Premium. And check the Service settings tab for available methods.
    
    https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates