Forum Discussion
Sebastian_Rottmann
Aug 09, 2022, Copper Contributor
passwordless together with MFA
Edit: this was an issue using Edge under Linux, which now has support for FIDO2 tokens. You need to use Chrome when logging into Azure using a Linux client. Hi, we are running a CA which enforces MF...
- Sep 01, 2022: Solved. The problem was using Edge with the FIDO2 token under Linux. It is not supported yet. Using Chrome works fine. My problem is now that Intune for Linux needs Edge 😕
https://docs.microsoft.com/en-us/azure/active-directory/authentication/fido2-compatibility
Sebastian_Rottmann
Aug 10, 2022, Copper Contributor
The problem is not the setup process. It works. But the user with the FIDO2 key cannot log in, because our Conditional Access policy "MFA for all users" blocks the passwordless attempt.
Here is the log for our dummy user with FIDO2 token:
Date 9.8.2022, 20:38:08
Request ID 5483171c-9d37-4d24-b598-6121fc6d1100
Correlation ID ec77f33b-b442-4016-a768-6f6835d4b6cf
Authentication requirement Multifactor authentication
Status Interrupted
Continuous access evaluation No
Additional Details
User needs to perform multi-factor authentication. There could be multiple things requiring multi-factor, e.g. Conditional Access policies, per-user enforcement, requested by client, among others.
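When a whole tenant is triaging why passwordless sign-ins stall, it helps to read the sign-in entries mechanically instead of eyeballing them. The following is an added example, not the poster's code or anything from Microsoft: it parses sign-in entries in the "Field value" line format pasted above and flags the ones that were interrupted by an unsatisfied multifactor requirement, which is the signature of a Conditional Access MFA grant that the presented credential did not satisfy. The first sample entry copies the thread's own log; the other two are constructed, with placeholder IDs.

```python
"""Triage Azure AD sign-in entries of the kind pasted in the thread.

Added example (not the poster's code). Assumes the export layout shown
above: one "Field value" line per row, and an "Additional Details" heading
followed by a single free-text line.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Row labels in the order the portal prints them; a "Date" row starts a new entry.
FIELDS = (
    "Date", "Request ID", "Correlation ID", "Authentication requirement",
    "Status", "Continuous access evaluation",
)


@dataclass
class SignIn:
    fields: dict = field(default_factory=dict)
    details: str = ""

    @property
    def mfa_interrupted(self) -> bool:
        """True when the sign-in stopped because a multifactor requirement
        (e.g. a Conditional Access grant) was not satisfied by the credential
        that was presented."""
        requirement = self.fields.get("Authentication requirement", "").lower()
        return (
            self.fields.get("Status") == "Interrupted"
            and requirement == "multifactor authentication"
        )


def parse_sign_ins(text: str) -> list[SignIn]:
    """Split a pasted export into SignIn records."""
    entries: list[SignIn] = []
    current: SignIn | None = None
    in_details = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Additional Details":
            in_details = True
            continue
        if in_details and current is not None:
            current.details = line
            in_details = False
            continue
        for name in FIELDS:
            if line.startswith(name + " "):
                if name == "Date":
                    current = SignIn()
                    entries.append(current)
                if current is not None:
                    current.fields[name] = line[len(name):].strip()
                break
    return entries


def interrupted_correlation_ids(entries: list[SignIn]) -> list[str]:
    """Correlation IDs worth chasing in the Conditional Access policy report."""
    return [e.fields.get("Correlation ID", "") for e in entries if e.mfa_interrupted]


# Constructed sample: entry 1 is the thread's log, entries 2 and 3 are made up.
SAMPLE_LOG = """
Date 9.8.2022, 20:38:08
Request ID 5483171c-9d37-4d24-b598-6121fc6d1100
Correlation ID ec77f33b-b442-4016-a768-6f6835d4b6cf
Authentication requirement Multifactor authentication
Status Interrupted
Continuous access evaluation No
Additional Details
User needs to perform multi-factor authentication. There could be multiple things requiring multi-factor, e.g. Conditional Access policies, per-user enforcement, requested by client, among others.
Date 9.8.2022, 20:41:30
Request ID 00000000-0000-0000-0000-000000000002
Correlation ID 00000000-0000-0000-0000-00000000aaa2
Authentication requirement Multifactor authentication
Status Success
Continuous access evaluation No
Additional Details
MFA requirement satisfied by claim in the token
Date 9.8.2022, 20:45:01
Request ID 00000000-0000-0000-0000-000000000003
Correlation ID 00000000-0000-0000-0000-00000000aaa3
Authentication requirement Single-factor authentication
Status Success
Continuous access evaluation No
Additional Details
MFA requirement not applicable
"""

if __name__ == "__main__":
    for cid in interrupted_correlation_ids(parse_sign_ins(SAMPLE_LOG)):
        print("MFA-interrupted sign-in, check CA policy report for", cid)
```

The correlation IDs it returns are the ones to look up in the sign-in's Conditional Access tab, which names the policy whose grant control was not satisfied.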
Aug 10, 2022
Perhaps this guide will help https://janbakker.tech/use-a-fido2-security-key-as-azure-mfa-verification-method/
- Sebastian_Rottmann, Aug 10, 2022, Copper Contributor: That's basically exactly what I did. But the collision comes when the user authenticates with his FIDO2 key. The login gets blocked, because the CA enforces ALL users to use MFA.
FIDO2 tokens do not count as such, obviously. So the user is forced to use his MS Authenticator on a phone. But the user doesn't have a phone to authenticate. The user wanted to use his FIDO2 token.