Forum Discussion
Intune - Phishing-Resistant MFA
Good Afternoon,
So sorry, but I'm quite a novice. I am trying to move all Intune users to phishing-resistant MFA (PR-MFA) only (excluding break-the-glass users/admins). On Entra, I do this by disabling Microsoft-managed MFA and setting a new authentication strength with all three PR-MFA modalities selected as the only allowable MFA. Then I set a Conditional Access policy that grants all users access to all resources only if they have PR-MFA registered, because I don't want them to use other MFA like SMS.
This makes all existing users switch over and disables weaker methods (like text messages), but I can't onboard new users. I reviewed the log for a test user who I could not register, and I saw that the issue is that during registration, the passkey must already exist BEFORE the new user can set up a passkey or other PR-MFA method, which is impossible.
Is there a way to let Intune use just the new user's password alone for initial PR-MFA registration?
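The Conditional Access policy described in the question, built with Microsoft Graph PowerShell as an added example (this is not the poster's configuration, and the break-glass object IDs and display name are hypothetical placeholders). It uses the built-in "Phishing-resistant MFA" authentication strength and starts the policy in report-only mode so the sign-in logs show who would be blocked before anything is enforced:

```powershell
# Added example: create the CA policy from the question with Microsoft Graph PowerShell.
# Requires the Microsoft.Graph.Identity.SignIns module.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# The built-in "Phishing-resistant MFA" authentication strength has this fixed ID in every tenant.
$phishingResistantStrengthId = "00000000-0000-0000-0000-000000000004"

# Hypothetical break-glass account object IDs; replace with your own.
$breakGlassUserIds = @(
    "11111111-1111-1111-1111-111111111111",
    "22222222-2222-2222-2222-222222222222"
)

$policy = @{
    displayName = "Require phishing-resistant MFA for all users"
    # Report-only first: sign-in logs will flag users who cannot satisfy the strength
    # (for example new users with no passkey yet) without locking anyone out.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = $breakGlassUserIds
        }
        applications   = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $phishingResistantStrengthId }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Once the report-only results look right, switch the policy to enforcement:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Keeping the break-glass accounts in excludeUsers is what lets an admin recover if the strength requirement turns out to block more than expected.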
The keyword for this is Temporary Access Pass. You create the policy under:
Entra ID → Protection → Authentication Methods → Temporary Access Pass.
For a new user, go to:
Entra ID → Users → All Users, select the "new" user, and click on Authentication Methods + Add Authentication Method, then choose Temporary Access Pass. Share this pass with the user.
Using a Temporary Access Pass
Typically, a user registers authentication methods during their first sign-in. The Temporary Access Pass is perfect for setting up or updating multifactor, passwordless, or phishing-resistant authentication without requiring additional security prompts.
Registering Authentication Methods
Authentication methods can be registered at https://aka.ms/mysecurityinfo. Users can also update existing authentication methods here.
After a successful sign-in, the user can now register or update passwordless authentication methods, such as FIDO2 security keys or the Microsoft Authenticator app.
https://techcommunity.microsoft.com/blog/identity/secure-authentication-method-provisioning-with-temporary-access-pass/3290631
- tschlappinger, Brass Contributor
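The same two portal steps from the answer (enable the Temporary Access Pass method policy, then issue a pass to the new user) done with Microsoft Graph PowerShell, as an added example that is not part of the reply or of Microsoft's documentation. The user principal name is a hypothetical placeholder; the lifetime and length values are illustrative choices:

```powershell
# Added example: enable TAP tenant-wide and issue a one-time pass to a new user.
# Requires the Microsoft.Graph.Identity.SignIns module.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod", "UserAuthenticationMethod.ReadWrite.All"

# 1. Enable the method policy (Entra ID > Protection > Authentication Methods > Temporary Access Pass).
$tapPolicy = @{
    "@odata.type"            = "#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration"
    state                    = "enabled"
    isUsableOnce             = $true   # default to one-time passes: spent as soon as the user signs in with it
    defaultLifetimeInMinutes = 60
    minimumLifetimeInMinutes = 10
    maximumLifetimeInMinutes = 480
    defaultLength            = 8
    includeTargets           = @(
        @{ targetType = "group"; id = "all_users"; isRegistrationRequired = $false }
    )
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "TemporaryAccessPass" -BodyParameter $tapPolicy

# 2. Issue a pass to the new user (Users > All Users > user > Authentication Methods > Add Authentication Method).
$newUserUpn = "new.user@contoso.example"   # hypothetical placeholder
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $newUserUpn `
    -IsUsableOnce -LifetimeInMinutes 60

# The pass value is returned only at creation time. Hand it to the user out of band;
# with it they sign in once at https://aka.ms/mysecurityinfo and register a passkey /
# FIDO2 key without already holding a phishing-resistant method.
"TAP for $newUserUpn (valid $($tap.LifetimeInMinutes) min): $($tap.TemporaryAccessPass)"

# 3. Afterwards, check that a phishing-resistant method exists and the pass is no longer usable.
Get-MgUserAuthenticationFido2Method -UserId $newUserUpn |
    Select-Object Id, DisplayName, CreatedDateTime
Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $newUserUpn |
    Select-Object Id, IsUsable, IsUsableOnce, MethodUsabilityReason
```

Keep the pass lifetime short and prefer one-time use: a live TAP is a password-equivalent credential for the account until it expires or is consumed, so a multi-use pass with a long lifetime undoes much of what the phishing-resistant policy is meant to achieve.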