Aug 09 2022 12:25 PM - edited Sep 01 2022 12:24 AM
Edit: there was an issue using Edge under Linux, which now has support for FIDO2 tokens. You need to use Chrome when logging into Azure using a Linux client.
Hi,
We are running a Conditional Access (CA) policy that enforces MFA through the MS Authenticator app for all users. We would like to set up an alternative way through FIDO2 tokens (passwordless). We still have users without smart devices, and we also want a soft way to migrate.
Right now the passwordless login fails because the CA policy enforces MFA for all users. Is there a way to solve this problem? Or do we have to choose one authentication method for all users?
My first idea is to configure the CA policy so it excludes certain users: make a group for passwordless users and exclude them from MFA. Is this the way to go, or are there better solutions?
Would it be possible to generate this group dynamically for all users with at least one FIDO2 token in their authentication methods? Or would this idea mean that we have to maintain this group manually? What are the consequences if a user has both MFA and FIDO2 among their authentication methods?
Thanks for any answers and any solution.
Cheers Sebastian
Aug 09 2022 01:37 PM
@Sebastian_Rottmann You should have a look at the Authentication method settings in Azure AD ("Authentication methods - Microsoft Azure") and also at TAP for a seamless passwordless config ("Configure a Temporary Access Pass in Azure AD to register Passwordless authentication methods - Micr...").
Aug 09 2022 11:06 PM
Aug 10 2022 12:30 AM
@Sebastian_Rottmann Not sure I understand. If TAP is up and running, it satisfies strong authentication requirements, so you can simply direct the users to https://aka.ms/mysecurityinfo and have them add their preferred choice.
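The TAP-based enrolment suggested above, and the "who already has a FIDO2 key" check asked about in the original question, can be scripted against Microsoft Graph. The following is an added example written for this thread; it is not code from either poster or from Microsoft. It assumes the Microsoft.Graph PowerShell SDK is installed, Temporary Access Pass is already enabled in the tenant's Authentication methods policy, and a pilot group named "Passwordless-Pilot" exists (the group name, scopes and 60-minute lifetime are assumptions for illustration). For each user in the group who has no FIDO2 key registered yet, it issues a single-use TAP that the user can present at https://aka.ms/mysecurityinfo to register a key without needing an Authenticator prompt first.

```powershell
# Added example (not from the thread): issue a one-time Temporary Access Pass to
# every member of a pilot group who has no FIDO2 key registered yet, so they can
# enrol a key at https://aka.ms/mysecurityinfo. Users who already hold a key are
# skipped, which also answers "who in this group is already passwordless-ready".
# Assumptions: Microsoft.Graph SDK installed, TAP enabled in the tenant's
# Authentication methods policy, pilot group "Passwordless-Pilot" (hypothetical).

Connect-MgGraph -Scopes "User.Read.All", "GroupMember.Read.All", "UserAuthenticationMethod.ReadWrite.All"

$group = Get-MgGroup -Filter "displayName eq 'Passwordless-Pilot'"
if (-not $group) { throw "Pilot group 'Passwordless-Pilot' not found" }

# Group members can be nested groups or service principals; only handle users.
$members = Get-MgGroupMember -GroupId $group.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }

foreach ($m in $members) {
    $user = Get-MgUser -UserId $m.Id -Property Id, UserPrincipalName

    # Registered FIDO2 security keys for this user (empty if none).
    $keys = Get-MgUserAuthenticationFido2Method -UserId $user.Id
    if ($keys) {
        Write-Host "$($user.UserPrincipalName): FIDO2 key already registered, skipping"
        continue
    }

    # One-time pass, short lifetime: it is only meant to bootstrap key registration.
    $tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id -BodyParameter @{
        lifetimeInMinutes = 60      # assumed window; tune to your rollout process
        isUsableOnce      = $true   # dead after the first sign-in that uses it
    }

    # Hand the pass to the user out of band (help desk, in person); do not e-mail it.
    [pscustomobject]@{
        User      = $user.UserPrincipalName
        TAP       = $tap.TemporaryAccessPass
        ExpiresAt = $tap.StartDateTime.AddMinutes($tap.LifetimeInMinutes)
    }
}
```

Because a TAP satisfies the MFA grant control of a Conditional Access policy on its own, the pilot users can complete key registration while the existing "require MFA" policy stays in force, so no exclusion group is needed for the migration step itself. The pass value is emitted once and never stored by the script; treat the console output as a secret.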
Aug 10 2022 02:03 AM
Aug 10 2022 02:10 AM
Aug 10 2022 02:54 AM
Sep 01 2022 12:22 AM - Solution