Forum Discussion
Use FIDO2 as MFA token
- Sep 28, 2021
luvsql Hello again, I had to try it using security defaults as I'm pretty sure you're using that. You have no Intune, Conditional access or MFA registration policy in your subscriptions.
So, when simply using security defaults with enforced MFA you get the prompt to add security info/details, and can skip this for 14 days. When enabling the Temporary Access Pass policy and activating that for a newly created user in Azure AD it instead becomes the first prompt.
This is how it looks, and it takes you to the https://aka.ms/mysecurityinfo page where one can configure additional options, such as the security key. I could not proceed as I do not have a key to put in the laptop.
*My reply is being updated as you can actually use TAP to add a security key (as the pictures show) with security defaults. For the sake of it I even asked Microsoft who verified the method.
To wrap up the above.
1. Enable security defaults.
2. Enable TAP and assign to user.
3. User logs in using TAP and adds FIDO2 key.
4. Next sign-in when prompted for MFA user uses FIDO2 key (as FIDO2 satisfies MFA).
Microsoft Authenticator can work over Wi-Fi for push notifications, and when there is no Internet you can use OTP.
There is another mystery for me regarding the Azure AD license. The document seems to indicate that if you don't have a P1 license, the only option to allow MFA for non-admin users is to use "security defaults". But my test shows that even without a Premium license, I can still enable MFA on a per-user basis. The only difference is that users without a Premium license can only use Microsoft Authenticator for MFA; they can't use the SMS/phone call options.
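As an added example (not code from this thread or from Microsoft), the admin side of steps 2 and 4 in Microsoft Graph PowerShell: issue a short-lived, one-time TAP for a placeholder user and, once they have enrolled, confirm that a FIDO2 key is actually registered before clearing any leftover TAP. It assumes the Microsoft.Graph SDK is installed, the TAP policy is already enabled, and the caller holds the UserAuthenticationMethod.ReadWrite.All scope.

```powershell
# Added example, not from the thread. The UPN is a placeholder.
$Upn = "new.user@contoso.example"   # placeholder, replace with the real user

Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"

# Step 2: issue a short-lived, single-use TAP. Keeping it one-time and short
# limits the window in which a leaked pass could be used instead of the key.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $Upn `
    -LifetimeInMinutes 60 `
    -IsUsableOnce:$true

# Hand the pass to the user out of band (phone call, in person), never by mail
# to the mailbox the pass unlocks.
Write-Host "TAP for $Upn : $($tap.TemporaryAccessPass)"
Write-Host "Valid from $($tap.StartDateTime) for $($tap.LifetimeInMinutes) minutes"

# Steps 3 and 4 happen on the user side (sign in with the TAP, add the key at
# https://aka.ms/mysecurityinfo). Afterwards, verify the registration before
# relying on the key to satisfy MFA.
$fido = Get-MgUserAuthenticationFido2Method -UserId $Upn
if (-not $fido) {
    Write-Warning "$Upn has no FIDO2 key registered yet; keep the TAP until they enrol"
} else {
    $fido | Select-Object DisplayName, Model, AttestationLevel, CreatedDateTime | Format-Table

    # The key is in place, so no TAP should remain on the account.
    Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $Upn | ForEach-Object {
        Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $Upn `
            -TemporaryAccessPassAuthenticationMethodId $_.Id
    }
}
```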
- Sep 29, 2021
That’s actually one way to go in this use case. You could turn off security defaults and use the legacy per-user MFA if there’s no way of upgrading to Business Premium. And check the Service settings tab for available methods.
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
- luvsql, Sep 29, 2021, Iron Contributor
We currently use MFA for 150 of our users. The issues we're having didn't come up until we created a new user in Azure (where our other users were synced from local AD) and then authenticated that user to Azure AD on a new device vs local AD. We never found a solution for the users that don't have a cellphone until I was told in another thread about the FIDO2 keys, but that doesn't appear to be an option either.
Before, we just didn't enforce MFA until after we had their devices set up, as we only needed a password, but now in Azure there is a Registration policy that prompts for MFA on the laptop.
- remcodekievit, Jul 29, 2022, Copper Contributor
luvsql So the discussion stops here? Did you find your solution? Did you un-select the password write-back option within Azure? This also enforces the registration of a mobile number or installing the app.
To my knowledge, if you have enabled 1 P1 license within your tenant you have the option to use conditional access to enable modern MFA. This can also be a trial license. FIDO authentication works with the basic security license, so if you don't need conditional access it will work for all employees.
TAP works great with the OOBE, so if there is a new user you grant him/her a TAP before they log in the first time. They can log in without registering any MFA, and then you redirect this user to mysignins.microsoft.com/security-info to register their FIDO device.
If you have some bucks to spare you can always add a proper IAM provider. You will still need the P1 license, but then you can redirect the user to another provider (like Entrust) for a better user experience when enrolling FIDO keys.
Last warning: Microsoft has been telling us for many years now that you have to enable the P1 license for each user when you want to be compliant!