Forum Discussion
KingBear
May 24, 2022 (Copper Contributor)
CBA, MFA, and AADSTS54008 Certificate is not supported as first factor
Greetings All, I'm trying to get CBA MFA working for Azure AD, Exchange Online specifically, but I can't get past the following error: AADSTS54008: Multi-Factor authentication is required and t...
jroth710
Aug 23, 2022 (Copper Contributor)
So you're saying that limiting its use to "single factor" implies having to have MFA disabled entirely for the user, while enabling it for "multi-factor" basically makes this the equivalent of a FIDO key, minus the hardware security and PIN? It simply can't be configured as the equivalent of any other form of single factor, so some other factor is needed to go along with it in order to authenticate? If so, that's pretty weak.
I guess this part of the documentation made me think otherwise, thinking the experience would be: cert replaces password, then the user can choose from mobile app, passcode, FIDO key, etc. as a second factor.
"If a unique user is found and the user has a conditional access policy and needs multifactor authentication (MFA) and the certificate authentication binding rule satisfies MFA, then Azure AD signs the user in immediately. If the certificate satisfies only a single factor, then it requests the user for a second factor to complete Azure AD Multi-Factor Authentication."
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-certificate-based-authentication-technical-deep-dive
mikey365
Aug 23, 2022 (Brass Contributor)
I saw the same article and it contradicts the way I interpret this article and my testing so far:
"The policy OID in the certificate matches the configured value of 1.2.3.4 and it will satisfy multifactor authentication. Similarly, the issuer in the certificate matches the configured value of CN=ContosoCA,DC=Contoso,DC=org and it will satisfy single-factor authentication."
"Because policy OID rule takes precedence over issuer rule, the certificate will satisfy multifactor authentication."
https://docs.microsoft.com/en-us/azure/active-directory/authentication/how-to-certificate-based-authentication#step-2-configure-authentication-binding-policy
In my testing, with password as first factor, cert is not available as second factor. Windows Hello, FIDO/YubiKey, and Authenticator passwordless act as 1st factor and 2nd factor, so they can't be used with cert. Phone sign-in can't be used with MFA. If MFA is enforced on the user account, cert auth will fail with the "first factor" error message you guys are getting.
The documentation says unless the policy information is included in the cert and there is a Policy OID rule to verify it, MFA will fail. I have yet to verify this works as I have not been able to get the "certificate policies" identifiers in our certs yet.
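The rule precedence quoted from the documentation above (a policy OID rule outranks an issuer rule, and the resulting strength decides whether a second factor is still outstanding) is easier to reason about as code. The following is an added illustration written for this thread, not Microsoft's implementation and not code from any poster; the data shapes, the tie-break when several rules of the same type match, and the outcome labels are assumptions. The rule set and issuer name are the ones from the quoted documentation; the certificates are constructed.

```python
"""Model of Azure AD certificate-based authentication (CBA) binding-rule
evaluation as described in the documentation quoted in the thread.
Constructed illustration, not Microsoft's code: the dataclass shapes, the
within-type tie-break and the outcome labels are assumptions."""
from dataclasses import dataclass, field

SINGLE_FACTOR = "singleFactor"
MULTI_FACTOR = "multiFactor"

# Outcome labels (assumed names for this model, not Azure AD strings).
SIGNED_IN = "signed_in"
SECOND_FACTOR_REQUIRED = "second_factor_required"


@dataclass
class BindingRule:
    """One authentication binding rule: match on a policy OID or on the issuer."""
    rule_type: str    # "policyOID" or "issuer"
    identifier: str   # dotted OID string, or the issuer distinguished name
    strength: str     # SINGLE_FACTOR or MULTI_FACTOR


@dataclass
class CertificateFacts:
    """The certificate attributes the rules inspect, already extracted."""
    issuer: str
    policy_oids: list = field(default_factory=list)


def _matches(rule, cert):
    """True when the rule applies to this certificate."""
    if rule.rule_type == "policyOID":
        return rule.identifier in cert.policy_oids
    if rule.rule_type == "issuer":
        return rule.identifier == cert.issuer
    raise ValueError(f"unknown rule type {rule.rule_type!r}")


def evaluate_binding(cert, rules, default_strength=SINGLE_FACTOR):
    """Return the strength the certificate satisfies.

    Policy OID rules are consulted before issuer rules, so a matching policy
    OID rule decides even when an issuer rule also matches (the precedence the
    documentation states). Assumed tie-break: if several rules of the winning
    type match, multi-factor wins. With no match the tenant default applies."""
    for rule_type in ("policyOID", "issuer"):
        hits = [r for r in rules if r.rule_type == rule_type and _matches(r, cert)]
        if hits:
            if any(r.strength == MULTI_FACTOR for r in hits):
                return MULTI_FACTOR
            return SINGLE_FACTOR
    return default_strength


def sign_in_outcome(strength, mfa_required):
    """Documented behaviour after binding evaluation: a certificate that
    satisfies MFA signs the user in immediately; one that satisfies only a
    single factor leaves a second factor outstanding whenever MFA is required.
    The posters report AADSTS54008 in that second case rather than a prompt;
    this model only records that the certificate alone was not enough."""
    if not mfa_required or strength == MULTI_FACTOR:
        return SIGNED_IN
    return SECOND_FACTOR_REQUIRED


# Rule set from the documentation example quoted in the thread.
RULES = [
    BindingRule("policyOID", "1.2.3.4", MULTI_FACTOR),
    BindingRule("issuer", "CN=ContosoCA,DC=Contoso,DC=org", SINGLE_FACTOR),
]

# Constructed certificates: one carrying the policy OID, one issued by the
# same CA with no certificate policies (the posters' situation), and one from
# a CA no rule covers.
CERT_WITH_POLICY = CertificateFacts("CN=ContosoCA,DC=Contoso,DC=org", ["1.2.3.4"])
CERT_WITHOUT_POLICY = CertificateFacts("CN=ContosoCA,DC=Contoso,DC=org")
CERT_UNKNOWN_ISSUER = CertificateFacts("CN=OtherCA,DC=Example,DC=org")

if __name__ == "__main__":
    samples = [("with policy OID", CERT_WITH_POLICY),
               ("no policy OID", CERT_WITHOUT_POLICY),
               ("unknown issuer", CERT_UNKNOWN_ISSUER)]
    for name, cert in samples:
        strength = evaluate_binding(cert, RULES)
        print(f"{name:16} -> {strength:13} -> {sign_in_outcome(strength, mfa_required=True)}")
```

Running it shows why the certificates without a certificate policies extension never get past an MFA requirement: they only ever match the issuer rule, so they bind as single factor, and with MFA enforced the certificate alone does not complete sign-in. Swapping the strengths in the rule set (policy OID as single factor, issuer as multi-factor) still yields single factor for a certificate carrying the OID, which is the precedence the documentation describes.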
- jroth710, Aug 23, 2022 (Copper Contributor)
Yeah, we don't have policy OIDs either, so can't test. Haven't dug into it yet, but obviously not something that gets enabled in a standard CA rollout.
I'll also need to check to see if phone sign-in is enabled on my test account, and if so try without. It would be nice if Microsoft could give some clarity on the confusing documentation. If it truly can't be used as a "single-factor" -- meaning it replaces password but user still needs at least some other factor -- they are ignoring the most obvious and beneficial use case -- eliminating the use of a password while still enforcing another factor of security.
- mikey365, Aug 23, 2022 (Brass Contributor)
It can be used as a single factor, and I have tested that successfully. As I said, MFA needs to be disabled on the user account and on any Conditional Access Policies. For these users I'm disabling password and other authentication methods.
- SjoerdV, Oct 12, 2022 (Iron Contributor)
mikey365: "Currently, password can't be disabled when CBA is enabled and the option to sign in using a password is displayed.": https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-certificate-based-authentication-limitations -> So your suggestion can not be done at the moment. Would be the end game though in my view.
It's like jroth710 says: "They are ignoring the most obvious and beneficial use case -- eliminating the use of a password while still enforcing another factor of security."
When you go to the Azure Portal, you can now add authentication strengths policies: https://portal.azure.com/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AuthStrengths. What we need is the "Certificate Based Authentication (Single Factor) + Microsoft Authenticator (Push Notification)" combination under 'Multifactor authentication'. I'll keep hoping.