Microsoft Tech Community

PIM role activation but only with FIDO2-based MFA?

Hi there,

It's currently possible to define an authentication method policy so that FIDO2 security keys can only be used by a select number of users or groups (that is, in the Azure portal under Security > Authentication methods > FIDO2 Security Key > FIDO2 Security Key settings).

For a user who is eligible for an Azure AD admin role which is managed via PIM, if MFA is required to activate that role, is it possible to limit the choice of MFA to only a FIDO2 security key?

This would be for a scenario where a standard user sign-in to the Azure portal would be secured using MFA (for example, using the Microsoft Authenticator), but activating an admin role through PIM would require the use of a FIDO2 security key instead.

My Sign-Ins ( https://mysignins.microsoft.com/security-info ) lets you select a default sign-in method under Security info (for example, Microsoft Authenticator - notification, or Authenticator app or hardware token - code), but I can't see a setting in the Azure portal to specify a FIDO2 security key as a default or preferred MFA method.

Has anyone had success in making a FIDO2 security key the default MFA method, in particular when working with PIM?

3 Replies

@RGFUK Interesting question. The enabling of PIM and requiring MFA for activation calls for Azure MFA, which is configured by you, the admin, i.e. the options under Service settings, which in turn are also the options available to you in the security info drop-down you're referring to. I don't work setting up PIM as a feature (must have that said), but AFAIK you cannot separate MFA with "must use authenticator app here and must use FIDO2 here".

FIDO2 satisfies MFA while not being supported as a true second factor. With that in mind you should be able to use FIDO2 as the verification method (hardware token) when enabling a PIM role and requiring Azure MFA as both Authenticator app and FIDO2 are used for sign-in and strong authentication.

Let me know how it goes!

I am also interested in securing PIM with a HW key but not necessarily requiring it to log into Azure Portal. Did you have any success with that? Thanks

@Ondrej_Hlavacek

This is possible now by creating an authentication context, called for example "Require FIDO2 security key", and then making the authn context a condition of a conditional access policy.

Another possibility is to use authentication strength as a requirement under the grant section of the policy. That allows you to choose phishing-resistant MFA, which would include a hardware key.

See for example the blogs written by Kaido Jarvemets or Kenneth van Surksum:

https://www.kaidojarvemets.com/better-together-azure-active-directory-privileged-identity-management... 

https://www.vansurksum.com/2023/02/20/azure-ad-conditional-access-authentication-context-now-also-av...
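The two approaches in the last reply (an authentication context stamped by PIM on role activation, and an authentication strength in the grant section of the conditional access policy) are usually combined: the PIM role setting references a context claim value, a conditional access policy targets that context, and the policy's grant control is the built-in "Phishing-resistant MFA" strength. The following Python is an added example, not code from this thread or from Microsoft; it builds the three Microsoft Graph request bodies so the claim value stays consistent across them, and includes an audit function that checks whether an exported policy actually enforces the requirement. Display names, the user scope and the bearer token are placeholders; the built-in strength ID, the `AuthenticationContext_EndUser_Assignment` rule ID and the Graph paths are assumed from Microsoft's published Graph reference and should be confirmed against your tenant.

```python
"""Wire up FIDO2-only PIM activation via Microsoft Graph (added example).

Three objects must agree on one authentication context claim value:
  1. an authentication context class reference (e.g. "c1"),
  2. a conditional access policy that targets that context and grants only
     the built-in "Phishing-resistant MFA" authentication strength,
  3. the PIM role management policy rule that requests the context on activation.
Tenant-specific values below are placeholders.
"""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Built-in authentication strength "Phishing-resistant MFA" (FIDO2 security keys,
# Windows Hello for Business, certificate-based auth). Assumed from Microsoft's
# documented built-in strength IDs; confirm with GET /identity/conditionalAccess/authenticationStrength/policies.
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"


def build_auth_context(claim_value="c1"):
    """Body for POST /identity/conditionalAccess/authenticationContextClassReferences."""
    return {
        "id": claim_value,
        "displayName": "Require FIDO2 security key",          # placeholder name
        "description": "Requested by PIM on privileged role activation",
        "isAvailable": True,  # must be True before PIM or CA policies can reference it
    }


def build_ca_policy(claim_value="c1", state="enabledForReportingButNotEnforced"):
    """Body for POST /identity/conditionalAccess/policies.

    The policy is scoped to the authentication context rather than to an app, so an
    ordinary portal sign-in (Authenticator push etc.) is untouched; only an action
    that requests the context, here PIM activation, triggers the stronger requirement.
    """
    return {
        "displayName": "PIM activation requires phishing-resistant MFA",  # placeholder name
        "state": state,  # start in report-only, switch to "enabled" after validating sign-in logs
        "conditions": {
            "clientAppTypes": ["all"],
            # placeholder scope: list emergency-access accounts under excludeUsers
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeAuthenticationContextClassReferences": [claim_value]},
        },
        "grantControls": {
            "operator": "OR",
            "authenticationStrength": {"id": PHISHING_RESISTANT_MFA},
        },
    }


def build_pim_activation_rule(claim_value="c1"):
    """Body for PATCH /policies/roleManagementPolicies/{policyId}/rules/AuthenticationContext_EndUser_Assignment."""
    return {
        "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule",
        "id": "AuthenticationContext_EndUser_Assignment",
        "isEnabled": True,
        "claimValue": claim_value,
        "target": {
            "caller": "EndUser",
            "operations": ["All"],
            "level": "Assignment",
            "inheritableSettings": [],
            "enforcedSettings": [],
        },
    }


def policy_enforces_phishing_resistant(policy, claim_value="c1"):
    """Audit check for an exported CA policy: enabled, bound to the context, and only phishing-resistant MFA satisfies it."""
    if policy.get("state") != "enabled":          # report-only never blocks a weak method
        return False
    apps = policy.get("conditions", {}).get("applications", {})
    if claim_value not in apps.get("includeAuthenticationContextClassReferences", []):
        return False
    grant = policy.get("grantControls") or {}
    # "OR" together with another built-in control (e.g. plain "mfa") lets a weaker method pass.
    if grant.get("operator") == "OR" and grant.get("builtInControls"):
        return False
    return (grant.get("authenticationStrength") or {}).get("id") == PHISHING_RESISTANT_MFA


def graph_request(method, path, body, token):
    """Send one Graph call; only called when a real bearer token is supplied (placeholder otherwise)."""
    req = urllib.request.Request(
        GRAPH + path, data=json.dumps(body).encode(), method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None   # PATCH on the rule returns no body


if __name__ == "__main__":
    for body in (build_auth_context(), build_ca_policy(), build_pim_activation_rule()):
        print(json.dumps(body, indent=2))
```

The order matters when applying the bodies: create the context first, then the conditional access policy, and only then enable the PIM rule, otherwise eligible admins can be locked out of activation while the policy is still missing. The audit function is the useful piece for ongoing review: a policy left in report-only mode, or one whose grant combines the strength with a plain "mfa" control under "OR", reports as not enforcing, which is exactly the state a weaker Authenticator push would slip through.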