Forum Discussion
Use FIDO2 as MFA token
- Sep 28, 2021
luvsql Hello again, I had to try it using security defaults as I'm pretty sure you're using that. You have no Intune, Conditional access or MFA registration policy in your subscriptions.
So, when simply using security defaults with enforced MFA you get the prompt to add security info/details, and can skip this for 14 days. When enabling the Temporary Access Pass policy and activating that for a newly created user in Azure AD, it instead becomes the first prompt.
This is how it looks and takes you to the https://aka.ms/mysecurityinfo page where one can configure additional options, such as the security key. I could not proceed as I do not have a key to put in the laptop.
*My reply is being updated as you can actually use TAP to add a security key (as the pictures show) with security defaults. For the sake of it I even asked Microsoft who verified the method.
To wrap up the above:
1. Enable security defaults.
2. Enable TAP and assign to user.
3. User logs in using TAP and adds FIDO2 key.
4. At the next sign-in, when prompted for MFA, the user uses the FIDO2 key (as FIDO2 satisfies MFA).
luvsql When enabling security defaults, if you have AAD Free for example, you're pushing MFA for all users. It's a great feature but not a flexible solution, as you can only toggle it on or off. Toggling it off to onboard the few users is obviously not an option. If using AAD P1 you get conditional access and can be more granular.
I will do some more digging around this and update if necessary. Perhaps you should reach out to the official support going forward?
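The four steps summarised above can also be driven from the Microsoft Graph PowerShell SDK rather than the portal. The following is an added example written for this page, not code from the thread or from Microsoft. It assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Users modules are installed, that the account running it holds an authentication-administrator role plus the Graph scopes listed, and that `$Upn` is a placeholder for the user being onboarded. It also enables the FIDO2 method explicitly, which the thread takes for granted but which is required before the security-key option appears on the mysecurityinfo page, and it issues the pass as single-use with a short lifetime so that a pass leaked while being handed over has a small window of use.

```powershell
# Added example (not from the thread). Assumes Microsoft Graph PowerShell SDK,
# an authentication-administrator role, and a placeholder user principal name.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Users

$scopes = @(
    "Policy.ReadWrite.ConditionalAccess",      # security defaults policy
    "Policy.ReadWrite.AuthenticationMethod",   # TAP / FIDO2 method policy
    "UserAuthenticationMethod.ReadWrite.All",  # issue a TAP, list FIDO2 keys
    "User.Read.All"
)
Connect-MgGraph -Scopes $scopes

$Upn = "new.user@contoso.example"   # placeholder, replace with the real user

# Step 1: enable security defaults (same switch as the portal toggle).
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true

# Prerequisite: FIDO2 must be an enabled authentication method, otherwise
# "Security key" is never offered at https://aka.ms/mysecurityinfo.
$fido2 = @{
    "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    state                            = "enabled"
    isSelfServiceRegistrationEnabled = $true
    isAttestationEnforced            = $true
    includeTargets = @(@{ targetType = "group"; id = "all_users"; isRegistrationRequired = $false })
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "Fido2" -BodyParameter $fido2

# Step 2a: enable the Temporary Access Pass method tenant-wide.
# Single-use and short-lived by default limits exposure if a pass is leaked.
$tapPolicy = @{
    "@odata.type"            = "#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration"
    state                    = "enabled"
    defaultLifetimeInMinutes = 60
    minimumLifetimeInMinutes = 10
    maximumLifetimeInMinutes = 480
    defaultLength            = 8
    isUsableOnce             = $true
    includeTargets = @(@{ targetType = "group"; id = "all_users"; isRegistrationRequired = $false })
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "TemporaryAccessPass" -BodyParameter $tapPolicy

# Step 2b: issue a one-time pass to the user. The pass value is only returned
# by this call; hand it over out of band and do not store it.
$user = Get-MgUser -UserId $Upn
$tap  = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id -BodyParameter @{
    lifetimeInMinutes = 60
    isUsableOnce      = $true
}
Write-Host "TAP for $($user.UserPrincipalName): $($tap.TemporaryAccessPass)"

# Step 3 is done by the user: sign in with the TAP, then add the security key
# at https://aka.ms/mysecurityinfo.
# Step 4 can be verified from the admin side: once a FIDO2 method is listed
# for the user, the next MFA prompt can be satisfied with the key.
Get-MgUserAuthenticationFido2Method -UserId $user.Id |
    Select-Object DisplayName, Model, AttestationLevel, CreatedDateTime
```

The `includeTargets` entries scope both methods to all users; on an AAD Free tenant that mirrors the all-or-nothing behaviour of security defaults, while on P1 the same hashtable accepts a specific group id instead of `all_users`, which is the granularity the later replies in this thread mention.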
- luvsql, Iron Contributor, Sep 29, 2021
If I won the lottery I would definitely donate the $25,000 a year to upgrade us but this is not something we can budget right now.
- Sep 29, 2021
luvsql My suggestion would be to upgrade to AAD P1 (for the conditional access) so you're not forced to use MFA for all users and at the same time "locked in" with only the option to toggle it on/off for all.
- luvsql, Iron Contributor, Sep 29, 2021
I've been trying to get a case open with Microsoft for Azure for over 3 weeks now with 2 separate cases, as we can't seem to be able to create a support case from within Azure and creating one from the regular admin centre doesn't get routed to Azure. It's been painstaking and frustrating, to say the least. Microsoft has never been able to fix any of the tickets I've opened and I have had to rely on community help for everything.