Forum Discussion
CBA, MFA, and AADSTS54008 Certificate is not supported as first factor
Greetings All,
I'm trying to get CBA MFA working for Azure AD, exchange online specifically, but I can't get past the following error: AADSTS54008: Multi-Factor authentication is required and the credential used (Certificate) is not supported as a First Factor. Obviously, I have something configured incorrectly. Does anyone have a suggestion?
What I'm trying to achieve is have our users login to Outlook online with their username and password and then have the option to select a user certificate as their second form of authentication.
Regards,
KB
22 Replies
- SeadS (Copper Contributor)
Hi,
You have to configure under the multifactor policy that it is passwordless only; after that, with all of the CBA setup, everything will work.
I am attaching print screens from my environment.
- manshellstrom (Copper Contributor)
Did you sort this out?
I encounter the same error in my test tenant, the user certificate is successfully mapped to my user.
If I switch the protection level over to "multifactor authentication" I get signed in without MFA prompt.
When I attempt to sign in with the protection level set to "single-factor authentication", sign-in fails with the error AADSTS54008: Multi-Factor authentication is required and the credential used (Certificate) is not supported as a First Factor. Contact your administrator for more information.
- jroth710 (Copper Contributor)
You ever figure this out? I am having the same issue. I only want the cert to be used as a single factor, and have the toggle and issuer rule set as such. I have no policy OID rule for MFA. When entering the UPN, I choose log in with a certificate, and get the same error you cited. My expectation is that the cert replaces the password, and the user will require MFA through their default method, which is the authenticator app.
- mikey365 (Brass Contributor)
FYI it is misleading, but if you look at the Microsoft documentation on CBA, the only way to do MFA with a cert is to add a policy OID rule that checks for a value in your cert. The cert then acts as the first factor and second factor. There seem to be no other MFA options supported with CBA yet.
- KingBear (Copper Contributor)
manshellstrom Yes sir. The settings below work as desired for my tenant.
Be sure to check that you don't have any policies in your tenant that may be conflicting.
- When you configure CBA, you can define whether it's to be used as single- or multi-factor, so check for that. The Protection level toggle under auth methods > CBA > Configure.
- KingBear (Copper Contributor)
Understood. I've set up two rules, which as I understand it, renders the toggle useless. I also have a conditional policy requiring MFA for the same users configured for Certificate-based authentication. If I remove the conditional access policy from the users, the authentication works and there is no error, but users can also sign in using their password only, which is unacceptable. I have to be missing something somewhere. As soon as I reinstate the conditional access policy, the error returns.
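An added model, not code from this thread or from Microsoft, of how the protection-level toggle, the issuer and policy OID binding rules, and a Conditional Access MFA requirement combine to produce AADSTS54008. The field names follow the Graph x509Certificate authentication method configuration, the configuration values and OID are constructed placeholders, and the rule-precedence order (policy OID rule over issuer rule) is an assumption.

```python
"""Model of the Entra/Azure AD CBA authentication-binding decision.
Constructed example: field names mirror the Graph x509Certificate
authentication method configuration; the precedence logic is an assumption."""

# Constructed tenant configuration. The default mode is the portal's
# "Protection level" toggle; the rules override it per certificate.
CBA_CONFIG = {
    "authenticationModeConfiguration": {
        "x509CertificateAuthenticationDefaultMode": "x509CertificateSingleFactor",
        "rules": [
            {"x509CertificateRuleType": "issuerSubject",
             "identifier": "CN=Contoso Issuing CA",            # placeholder CA
             "x509CertificateAuthenticationMode": "x509CertificateSingleFactor"},
            {"x509CertificateRuleType": "policyOID",
             "identifier": "1.2.3.4.5",                        # placeholder OID
             "x509CertificateAuthenticationMode": "x509CertificateMultiFactor"},
        ],
    }
}


def binding_mode(config, issuer_subject, policy_oids):
    """Return the authentication mode the certificate is bound to.
    Assumption: a matching policy OID rule wins over a matching issuer
    rule; with no matching rule the default mode applies."""
    amc = config["authenticationModeConfiguration"]
    matched = {}
    for rule in amc["rules"]:
        kind = rule["x509CertificateRuleType"]
        mode = rule["x509CertificateAuthenticationMode"]
        if kind == "issuerSubject" and rule["identifier"] == issuer_subject:
            matched.setdefault("issuerSubject", mode)
        elif kind == "policyOID" and rule["identifier"] in policy_oids:
            matched.setdefault("policyOID", mode)
    for kind in ("policyOID", "issuerSubject"):
        if kind in matched:
            return matched[kind]
    return amc["x509CertificateAuthenticationDefaultMode"]


def sign_in_result(config, issuer_subject, policy_oids, ca_requires_mfa):
    """Outcome when the certificate is the only credential presented.
    A single-factor binding cannot satisfy a CA policy that requires MFA,
    which is the AADSTS54008 condition seen in the thread."""
    mode = binding_mode(config, issuer_subject, policy_oids)
    if ca_requires_mfa and mode == "x509CertificateSingleFactor":
        return "AADSTS54008"
    return "success"
```

A certificate from the placeholder CA without the policy OID binds as single factor and fails under the MFA policy; the same certificate carrying the OID binds as multi-factor and signs in.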