May 24 2022 08:50 AM - edited May 24 2022 09:22 AM
Greetings All,
I'm trying to get CBA MFA working for Azure AD, exchange online specifically, but I can't get past the following error: AADSTS54008: Multi-Factor authentication is required and the credential used (Certificate) is not supported as a First Factor. Obviously, I have something configured incorrectly. Does anyone have a suggestion?
What I'm trying to achieve is to have our users log in to Outlook online with their username and password and then have the option to select a user certificate as their second form of authentication.
Regards,
KB
Aug 05 2022 04:47 AM
Did you sort this out?
I encounter the same error in my test tenant, the user certificate is successfully mapped to my user.
If I switch the protection level over to "multifactor authentication" I get signed in without MFA prompt.
When I attempt to sign in with the protection level set to "single-factor authentication", sign-in fails with the error AADSTS54008: Multi-Factor authentication is required and the credential used (Certificate) is not supported as a First Factor. Contact your administrator for more information.
Aug 05 2022 05:28 AM
@manshellstrom Yes sir. The settings below work as desired for my tenant.
Be sure to check that you don't have any policies in your tenant that may be conflicting.
Aug 20 2022 01:04 PM
You ever figure this out? I am having the same issue. I only want the cert to be used as a single factor, and have the toggle and issuer rule set as such. I have no policy OID rule for MFA. When entering the UPN, I choose "log in with a certificate" and get the same error you cited. My expectation is that the cert replaces the password, and the user will require MFA through their default method, which is the Authenticator app.
Aug 22 2022 08:12 AM
No, and my best guess is that the service is broken.
You and I are reaching for the exact same functionality, but it seems you can't get this working without a certificate policy that can be mapped in the configuration.
We're also missing the possibility of using OCSP in favor of CRL.
Aug 23 2022 09:43 AM
FYI it is misleading, but if you look at the Microsoft documentation on CBA, the only way to do MFA with a cert is to add a policy OID rule that checks for a value in your cert. The cert then acts as the first factor and second factor. There seem to be no other MFA options supported with CBA yet.
Aug 23 2022 09:47 AM - edited Aug 23 2022 09:51 AM
Also, if you are getting that MFA sign-in error regarding "first factor", and want it to work with CBA, you have to disable MFA enforcement at the user level and make sure they aren't included in any other Conditional Access policies that require MFA. Just make sure you have other user account protections such as additional Conditional Access policies based on device or IP range etc.
Aug 23 2022 10:45 AM - edited Aug 23 2022 10:46 AM
So you're saying that limiting its use to "single factor" implies having to have MFA disabled entirely for the user, while enabling it for "multi-factor" basically makes this the equivalent of a FIDO key, minus the hardware security and pin? It simply can't be configured as the equivalent of any other form of single factor, so some other factor is needed to go along with it in order to authenticate? If so, that's pretty weak..
I guess this part of the documentation made me think otherwise-- thinking the experience would be cert replaces password, then the user can choose from mobile app, passcode, fido key, etc as a 2nd factor..
"If a unique user is found and the user has a conditional access policy and needs multifactor authentication (MFA) and the certificate authentication binding rule satisfies MFA, then Azure AD signs the user in immediately. If the certificate satisfies only a single factor, then it requests the user for a second factor to complete Azure AD Multi-Factor Authentication."
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-certificate-based-aut...
Aug 23 2022 11:04 AM - edited Aug 23 2022 11:14 AM
I saw the same article and it contradicts the way I interpret this article and my testing so far:
"The policy OID in the certificate matches the configured value of 1.2.3.4 and it will satisfy multifactor authentication. Similarly, the issuer in the certificate matches the configured value of CN=ContosoCA,DC=Contoso,DC=org and it will satisfy single-factor authentication."
"Because policy OID rule takes precedence over issuer rule, the certificate will satisfy multifactor authentication."
https://docs.microsoft.com/en-us/azure/active-directory/authentication/how-to-certificate-based-auth...
In my testing, with password as first factor, cert is not available as second factor. Windows Hello, FIDO/yubikey, Authenticator passwordless act as 1st factor and 2nd factor so can't be used with cert. Phone sign in can't be used with MFA. If MFA is enforced on the user account, Cert auth will fail with the "first factor" error message you guys are getting.
The documentation says unless the policy information is included in the cert and there is a Policy OID rule to verify it, MFA will fail. I have yet to verify this works as I have not been able to get the "certificate policies" identifiers in our certs yet.
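As an added example, not from this thread and not Microsoft's code, the POSIX shell script below builds two constructed test certificates with openssl (1.1.1 or later, for `-addext`) and applies the two authentication binding rules quoted from the documentation above in the documented order of precedence. The rule values `1.2.3.4` and `CN=ContosoCA,DC=Contoso,DC=org` are the documentation's example values; the `signin_outcome` mapping reflects what this thread reports observing, not a Microsoft specification. The `cert_policy_oids` function is the check for whether a certificate policies identifier actually made it into an issued cert.

```shell
#!/bin/sh
# Added example (not from this thread or from Microsoft): model how the two
# authentication binding rules quoted from the docs classify a certificate.
# Rule values are the docs' example values; the certificates are constructed
# locally with openssl and are not real tenant certificates.

POLICY_OID_RULE="1.2.3.4"                      # policy OID rule -> multifactor
ISSUER_RULE="CN=ContosoCA,DC=Contoso,DC=org"   # issuer rule     -> single-factor

# make_test_cert PREFIX OID
# Writes PREFIX.key.pem and PREFIX.cert.pem: a self-signed cert whose issuer
# matches ISSUER_RULE and whose Certificate Policies extension carries OID.
make_test_cert() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -days 1 -subj "/DC=org/DC=Contoso/CN=ContosoCA" \
    -addext "certificatePolicies=$2" \
    -keyout "$1.key.pem" -out "$1.cert.pem" >/dev/null 2>&1
}

# cert_policy_oids CERT: print the policy OIDs in the Certificate Policies
# extension, one per line (nothing if the extension is absent). This is the
# check for "did the certificate policies identifier make it into the cert".
cert_policy_oids() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/Certificate Policies/,/X509v3/p' \
    | grep -o 'Policy: [0-9.]*' \
    | awk '{ print $2 }'
}

# cert_issuer CERT: issuer DN in RFC 2253 form, which is the form the
# issuer rule is configured with.
cert_issuer() {
  openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//'
}

# classify_cert CERT: prints multifactor | singlefactor | nomatch
# Mirrors the documented precedence: a matching policy OID rule wins over a
# matching issuer rule, so a cert that matches both satisfies MFA on its own.
classify_cert() {
  for oid in $(cert_policy_oids "$1"); do
    if [ "$oid" = "$POLICY_OID_RULE" ]; then
      echo multifactor
      return 0
    fi
  done
  if [ "$(cert_issuer "$1")" = "$ISSUER_RULE" ]; then
    echo singlefactor
    return 0
  fi
  echo nomatch
}

# signin_outcome CERT MFA_REQUIRED(yes|no): the behaviour this thread reports.
# A single-factor cert plus an MFA requirement is where the posters hit
# AADSTS54008 instead of being offered a second factor.
signin_outcome() {
  case "$(classify_cert "$1")" in
    multifactor)  echo "signed-in-no-mfa-prompt" ;;
    singlefactor) if [ "$2" = yes ]; then echo "needs-second-factor"; else echo "signed-in"; fi ;;
    *)            echo "no-rule-matched" ;;
  esac
}

# Demo on constructed certs: one carrying the configured policy OID, one not.
demo() {
  d=$(mktemp -d)
  make_test_cert "$d/with-oid" "$POLICY_OID_RULE"
  make_test_cert "$d/other-oid" "1.2.3.5"
  echo "with-oid:  $(classify_cert "$d/with-oid.cert.pem")"
  echo "other-oid: $(classify_cert "$d/other-oid.cert.pem")"
  rm -rf "$d"
}
demo
```

Run it against a certificate issued by your own CA (`classify_cert path/to/user.cer`, after converting to PEM if needed) to see which rule the tenant would apply; if `cert_policy_oids` prints nothing, the CA template is not emitting the certificate policies extension the policy OID rule needs.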
Oct 11 2022 05:25 PM - edited Oct 11 2022 05:56 PM
@mikey365: "Currently, password can't be disabled when CBA is enabled and the option to sign in using a password is displayed.": https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-certificate-based-au... -> So your suggestion can not be done at the moment. Would be the end game though in my view.
It's like @jroth710 says: "They are ignoring the most obvious and beneficial use case -- eliminating the use of a password while still enforcing another factor of security."
When you go to the Azure Portal, you can now add authentication strengths policies: https://portal.azure.com/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AuthStrengths. What we need is the "Certificate Based Authentication (Single Factor) + Microsoft Authenticator (Push Notification)" combination under 'Multifactor authentication'. I'll keep hoping
Mar 17 2023 06:50 AM
Hi,
You have to configure, under the multifactor policy, that it is passwordless only; after that, with all of the CBA setup done, everything will work.
I am attaching screenshots from my environment.