Forum Discussion
aguenthart
Dec 26, 2024
Copper Contributor
Intune - Phishing-Resistant MFA
Good Afternoon,
So sorry, but I'm quite a novice. I am trying to move all Intune users to phishing-resistant MFA (PR-MFA) only (excluding break-the-glass users/admins). In Entra, I do this by disabling Microsoft-managed MFA and creating a new authentication strength with all three PR-MFA modalities selected as the only allowable MFA. Then I set a Conditional Access policy that grants all users access to all resources only if they have PR-MFA registered, because I don't want them to use other MFA like SMS.
This makes all existing users switch over and disables weaker methods (like text messages), but I can't onboard new users. I reviewed the log for a test user whom I could not register, and I saw that the issue is that during registration the passkey must already exist BEFORE the new user can set up a passkey or other PR-MFA method, which is impossible.
Is there a way to let Intune use just the new user's password alone for the initial PR-MFA registration?
The keyword for this is Temporary Access Pass. You create the policy under:
Entra ID → Protection → Authentication Methods → Temporary Access Pass.
For a new user, go to:
Entra ID → Users → All Users, select the "new" user, click Authentication Methods → Add Authentication Method, then choose Temporary Access Pass. Share this pass with the user.
Using a Temporary Access Pass
Typically, a user registers authentication methods during their first sign-in. The Temporary Access Pass is perfect for setting up or updating multifactor, passwordless, or phishing-resistant authentication without requiring additional security prompts.
Registering Authentication Methods
Authentication methods can be registered at https://aka.ms/mysecurityinfo. Users can also update existing authentication methods here.
After a successful sign-in, the user can now register or update passwordless authentication methods, such as FIDO2 security keys or the Microsoft Authenticator app.
https://techcommunity.microsoft.com/blog/identity/secure-authentication-method-provisioning-with-temporary-access-pass/3290631
- tschlappinger, Brass Contributor
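The onboarding flow described in the answer, scripted with Microsoft Graph PowerShell as an added example (not code from the thread or from Microsoft): check that the tenant's TAP policy is on, issue a multi-use TAP to the new user, and afterwards verify that one of the phishing-resistant methods is actually registered. The UPN is a placeholder, and the script assumes the Microsoft.Graph.Identity.SignIns module is installed and the caller holds a role that can manage authentication methods.

```powershell
# Added example: issue a Temporary Access Pass (TAP) to a newly created user and
# later confirm that a phishing-resistant method has been registered.
# Assumes the Microsoft.Graph.Identity.SignIns module and an account with rights
# to manage authentication methods (e.g. Authentication Administrator).
$newUserUpn = 'new.user@contoso.example'   # placeholder, not a real account

Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All', 'Policy.Read.All'

# 1. The per-user TAP call fails unless TAP is enabled tenant-wide under
#    Protection > Authentication Methods, so check that first.
$tapPolicy = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId 'TemporaryAccessPass'
if ($tapPolicy.State -ne 'enabled') {
    throw 'Temporary Access Pass is disabled in the authentication methods policy.'
}

# 2. Create a multi-use TAP (IsUsableOnce = $false), so the user can sign in on a
#    computer and then scan the QR code in Authenticator, as the follow-up notes.
#    A short lifetime keeps the window in which a leaked pass is usable small.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $newUserUpn `
    -IsUsableOnce:$false -LifetimeInMinutes 60

# Hand $tap.TemporaryAccessPass to the user out of band; it is never shown again.
"TAP issued for $newUserUpn, valid for $($tap.LifetimeInMinutes) minutes"

# 3. After the user has enrolled at https://aka.ms/mysecurityinfo, list the
#    registered methods and check for one of the three phishing-resistant types
#    (FIDO2/passkey, Windows Hello for Business, certificate-based auth).
$phishingResistant = 'fido2AuthenticationMethod',
                     'windowsHelloForBusinessAuthenticationMethod',
                     'x509CertificateAuthenticationMethod'
$registered = Get-MgUserAuthenticationMethod -UserId $newUserUpn |
    ForEach-Object { ($_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '') }
$found = $registered | Where-Object { $phishingResistant -contains $_ }
if ($found) {
    "Phishing-resistant method(s) registered for ${newUserUpn}: $($found -join ', ')"
} else {
    "No phishing-resistant method registered yet for $newUserUpn; methods: $($registered -join ', ')"
}
```

Once a phishing-resistant method shows up in step 3, the TAP can be revoked with Remove-MgUserAuthenticationTemporaryAccessPassMethod rather than left to expire.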
- aguenthart, Copper Contributor
Thanks, that worked. I read the documentation on it and saw there isn't really a way to do it from the phone app, so make sure the user logs in from a computer the first time and scans the QR code with the Authenticator app to set up the passkey using the TAP, rather than logging in from the app itself the first time. Make sure the TAP isn't one-time only.