Sep 28 2021 09:13 AM
Sep 28 2021 09:13 AM
We are trying to replace the need to have a phone number (cellphone or office phone or authenticator app) for many of our users that refuse to use a personal phone for authentication. This is also for those users we need to setup their PC ahead of time so will not have their personal cellphones with us to authenticate during all of the setup.
We do not have P2 licenses so I cannot see a way to disable the MFA during registration (ie after we authenticate the user to Azure AD it requires the setup).
We purchased a FIDO2 USB and have enabled it in Azure but that seems to only be for passwordless security and we're still getting prompted to setup MFA. There is no option in the MFA dropdown for FIDO2 so I'm clearly missing something.
For users that will not have cellphone to authenticate to, can we configure the user to override the registration policy and only use the FIDO2 USB key if we don't have a P2 license (the option to disable the policy is greyed out)?
If we have to use a P2, can we only upgrade our Global Admin accounts to set tenant wide settings or will we literally have to upgrade every user to a P2 (which will cost us an extra $25,000 a year and is way over kill for our needs)?
We want to be secure but we don't want to have to pay $25,000 to do so. We've not had this issue when we were AD Hybrid but that local server is being tossed when we move.
Sep 28 2021 10:19 AM
@Mercedes Green Hello, it sounds to me as if you should use the (preview) Temporary Access Pass feature.
Sep 28 2021 10:31 AM
Sep 28 2021 10:54 AM
@Mercedes Green I think I need more detailed information. What subscription do you have today? AAD P1 using CA or simply Security defaults with enforced MFA for all users? Intune and enrollment involved? What registration policy do you refer to? Can't be the MFA registration policy at least as that part of AAD P2.
The TAP is for the FIDO2 scenarios as yours making it possible to add a key to the dropdown, where it's missing right now. FIDO2 satisfy MFA but cannot be used as a second factor (at least not yet as far as I know).
Give it a try?
Sep 28 2021 11:03 AM - edited Sep 28 2021 11:05 AM
Our user base comprises of mostly Microsoft 365 Business Standard and some Office 365 E3 licenses, which gives us the Azure AD that we use now. I know it's limited as it pertains to Domain policies, but it's still allowing us to secure with MFA etc.
We do have many users with corporate cellphones with MFA and the authenticator app and it works well, however, we do have 20% of our Employees that do not have a corporately paid cellphone (nor a desk phone) and they do not want to use for authentication (and we can't force them to). We have to pre-configure new Employees ahead of time and am trying to find a solution for these types of users that we can't use the standard authentication methods with.
When we setup a new user in Azure AD directly, there is a default policy (Security > MFA Registration Policy) that is forcing a newly authenticated laptop to setup MFA and the FIDO2 is not an option since that's setup in a different area and is linked to the passwordless feature.
We can't disable this policy for some reason (even though it says "This view is for Azure AD Premium P2 customers to setup MFA registration policy. Other customers can only disable policies here.") so am trying to find a workaround. There is no option to disable. If we disabled this registration policy then we skip right to the FIDO2 passwordless. As soon as you reboot after authenticating a device the MFA pops up.
Sep 28 2021 01:05 PM - edited Oct 04 2021 05:19 AMSolution
So, when simply using security defaults with enforced MFA you get the prompt to add security info/details, and can skip this for 14 days. When enabling the Temporary Access Pass policy and activating that for a newly created user in Azure AD it instead becomes the first prompt.
This is how it looks like and takes you to https://aka.ms/mysecurityinfo page where one can configure additional options, such as the security key. I could not proceed as I do not have a key to put in the laptop.
*My reply is being updated as you can actually use TAP to add a security key (as the pictures show) with security defaults. For the sake of it I even asked Microsoft who verified the method.
To wrap up the above.
1. Enable security defaults.
2. Enable TAP and assign to user.
3. User logs in using TAP and adds FIDO2 key.
4. Next sign-in when prompted for MFA user uses FIDO2 key (as FIDO2 satisfies MFA).
Sep 28 2021 01:11 PM
Sep 28 2021 01:58 PM - edited Oct 04 2021 05:10 AM
@Mercedes Green When enabling security defaults, if having AAD Free for example, you're pushing MFA for all users. It's a great feature but not a flexible solution as you can only toggle on or off. To toggle off to onboard the few users is not an option obviously. If using AAD P1 you get conditional access and can be more granular.
I will do some more digging around this and update if necessary. Perhaps you should reach out to the official support going forward?
Sep 29 2021 06:04 AM
Sep 29 2021 06:53 AM - edited Oct 04 2021 05:22 AM
Sep 29 2021 07:07 AM
Sep 29 2021 07:35 AM
Sep 29 2021 09:04 AM
Sep 29 2021 12:13 PM
Sep 29 2021 12:44 PM - edited Sep 29 2021 12:49 PM
That’s actually one way to go in this use case. You could turn off security defaults and use the legacy per-user MFA if there’s no way of upgrading to Business Premium. And check the Service settings tab for available methods.
Sep 29 2021 12:49 PM