Oct 06 2023 04:08 AM
We are having issues in two different scenarios with Azure MFA for users who use FIDO2 exclusively. It seems that, whatever the settings, Microsoft Authenticator is somehow still required.
First scenario: Registering FIDO2 after the 14 days grace period
When a user is created in Azure (either directly or via on-prem sync, no difference here), the user has a 14-day grace period. During this period, configuring FIDO2 works flawlessly using a Temporary Access Pass (TAP).
After the 14 days, the user logs in to https://aka.ms/mysecurityinfo using the provided TAP, starts "Add sign-in method" and follows the steps for the FIDO2 key. Once the key is confirmed and the user is redirected back to mysecurityinfo, Azure prompts "Additional information is required" and requires the user to register the Microsoft Authenticator app first.
The only log entry we see is that the user interrupted the MFA setup.
We tried several browsers, normal or incognito mode, and different users; nothing prevented this, except configuring MS Authenticator first and then configuring FIDO2 afterwards.
We deleted the MS Authenticator app for these users as it was only a workaround. Now these users seem to face the second scenario below.
Second scenario: FIDO2 sign-in prompts for a "Protect your account" - skippable for 14 days
Users are able to sign in using the FIDO2 key, and immediately after, they are prompted with a "Protect your account" window, which asks them to configure MS Authenticator again. They have the option to skip this 14 times (not days).
If we check the user's sign-in logs, they show Failure for the user satisfying the Conditional Access policy requiring MFA, which is rather unexpected because the user does in fact manage to sign in using the FIDO2 security key, and is able to access the resources when skipping the "Protect your account" request.
We thought it might be app-specific, but in the end the users face this issue with different apps (Workday, Concur, MS Teams...).
After asking Google, many articles point out this is related to Security Defaults. This is not our case, as we are using Conditional Access and the two are not compatible.
The Conditional Access (CA) policy enforces MFA with a custom Authentication Strength that includes FIDO2 as one of the accepted options.
The per-user MFA settings are configured to be Disabled for the affected users, as it is already enforced by the CA.
The only setting that we have not modified yet is the Multifactor authentication registration policy, which is set to Enabled - we cannot customise this as we have only a P1 license (and we cannot find information on whether disabling this would later prevent us from enabling it again due to the missing license).
As mentioned at the beginning, it seems there is a setting somewhere that expects everybody to use MS Authenticator for MFA regardless of what we configure, unless we disable MFA altogether (not gonna happen).
Are there any other settings we should check, review or test?
Thanks in advance.
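The two symptoms in the post can be checked against data an admin already has in the tenant: the user's registered methods, the authentication strength's allowed combinations, and the sign-in log entries. The following is an added example (not code from the original post, and not Microsoft's own tooling) that runs these checks over constructed documents shaped like the Microsoft Graph responses of GET /v1.0/users/{id}/authentication/methods, GET /v1.0/policies/authenticationStrengthPolicies and GET /v1.0/auditLogs/signIns. The sample user has only a password and a FIDO2 key, as in the post; the strength id, the user principal name and the mapping from method types to combination building blocks are my own assumptions, and the sign-in record is constructed to mirror the second scenario.

```python
"""Triage helpers for a FIDO2-only user hitting a registration interrupt.

Added example, not from the original post or from Microsoft. It operates on
JSON of the shape returned by Microsoft Graph (see the lead-in), so the same
functions can be pointed at a real export instead of the constructed samples.
"""
import json

# Constructed: a user who registered a FIDO2 key via a TAP and nothing else.
SAMPLE_METHODS = {
    "value": [
        {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod", "id": "pw"},
        {"@odata.type": "#microsoft.graph.fido2AuthenticationMethod", "id": "key1",
         "displayName": "Office key"},
    ]
}

# Constructed: a custom authentication strength accepting FIDO2 or
# password + Authenticator push. The id is a placeholder, not a real policy.
SAMPLE_STRENGTH = {
    "id": "00000000-0000-0000-0000-000000000000",
    "displayName": "Custom MFA strength",
    "allowedCombinations": ["fido2", "password,microsoftAuthenticatorPush"],
}

# Constructed sign-in record matching the second scenario: the FIDO2 step
# succeeded, yet the Conditional Access policy requiring MFA reports failure.
SAMPLE_SIGNINS = {"value": [{
    "id": "signin-1",
    "userPrincipalName": "alice@example.com",  # assumed UPN
    "appDisplayName": "Microsoft Teams",
    "conditionalAccessStatus": "failure",
    "authenticationRequirement": "multiFactorAuthentication",
    "authenticationDetails": [
        {"authenticationMethod": "FIDO2 security key", "succeeded": True},
    ],
    "appliedConditionalAccessPolicies": [
        {"displayName": "Require MFA", "result": "failure",
         "enforcedGrantControls": ["Mfa"]},
    ],
}]}

# Assumed (simplified) mapping from a registered method's @odata.type to the
# building blocks used in allowedCombinations. TAP is handled separately
# because one-time and multi-use passes are distinct combination values.
METHOD_BLOCKS = {
    "#microsoft.graph.passwordAuthenticationMethod": {"password"},
    "#microsoft.graph.fido2AuthenticationMethod": {"fido2"},
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod": {"microsoftAuthenticatorPush"},
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod": {"windowsHelloForBusiness"},
    "#microsoft.graph.phoneAuthenticationMethod": {"sms", "voice"},
    "#microsoft.graph.softwareOathAuthenticationMethod": {"softwareOath"},
}


def registered_blocks(methods_doc):
    """Translate a user's registered methods into combination building blocks."""
    blocks = set()
    for m in methods_doc.get("value", []):
        t = m.get("@odata.type", "")
        if t == "#microsoft.graph.temporaryAccessPassAuthenticationMethod":
            blocks.add("temporaryAccessPassOneTime" if m.get("isUsableOnce")
                       else "temporaryAccessPassMultiUse")
        else:
            blocks |= METHOD_BLOCKS.get(t, set())
    return blocks


def satisfiable_combinations(methods_doc, strength_doc):
    """Return the allowedCombinations the user can complete with what is registered.

    An empty list means the strength cannot be met by the registered methods,
    which is one reason a sign-in ends in a registration prompt.
    """
    have = registered_blocks(methods_doc)
    return [c for c in strength_doc["allowedCombinations"]
            if set(c.split(",")) <= have]


def fido2_signins_failing_ca(signins_doc):
    """Flag sign-ins where a FIDO2 step succeeded yet CA reports an MFA failure."""
    hits = []
    for s in signins_doc.get("value", []):
        fido_ok = any("FIDO2" in d.get("authenticationMethod", "") and d.get("succeeded")
                      for d in s.get("authenticationDetails", []))
        failed_mfa_policies = [
            p["displayName"] for p in s.get("appliedConditionalAccessPolicies", [])
            if "Mfa" in p.get("enforcedGrantControls", []) and p.get("result") == "failure"
        ]
        if fido_ok and s.get("conditionalAccessStatus") == "failure" and failed_mfa_policies:
            hits.append({"id": s["id"], "app": s.get("appDisplayName"),
                         "policies": failed_mfa_policies})
    return hits


if __name__ == "__main__":
    print("registered blocks:", sorted(registered_blocks(SAMPLE_METHODS)))
    print("satisfiable combinations:", satisfiable_combinations(SAMPLE_METHODS, SAMPLE_STRENGTH))
    print(json.dumps(fido2_signins_failing_ca(SAMPLE_SIGNINS), indent=2))
```

Run against the samples, the user satisfies the "fido2" combination of the strength, so the strength itself is not what blocks the sign-in; the flagged sign-in then narrows the investigation to whatever else in the tenant (the registration policy mentioned in the post, for instance) is injecting the Authenticator prompt, rather than to the Conditional Access policy or the key.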
Oct 06 2023 07:49 AM
Oct 10 2023 05:29 PM