SOLVED

passwordless together with MFA

Copper Contributor

Edit: this was an issue using Edge under Linux, which now has support for FIDO2 tokens. You need to use Chrome when logging into Azure using a Linux client.


Hi,


We are running a CA policy which enforces MFA through the MS Authenticator app for all users. We would like to set up an alternative way through FIDO2 tokens (passwordless). We still have users without smart devices, and we also want a soft way of migrating.


Right now the passwordless login fails because the CA policy enforces MFA for all users. Is there a way to solve this problem? Or do we have to choose one authentication method for all users?


My first idea is to configure the CA policy so that it excludes certain users: make a group for passwordless users and exclude them from MFA. Is this the way to go, or are there better solutions?

Would it be possible to generate this group dynamically for all the users with at least one FIDO2 token among their authentication methods? Or would this idea mean that we have to maintain this group manually? What are the consequences if a user has both MFA and FIDO2 among their authentication methods?

Thanks for any answers and any solution.

Cheers, Sebastian

7 Replies

@Sebastian_Rottmann You should have a look at the Authentication method settings in Azure AD (Authentication methods - Microsoft Azure) and also at TAP for a seamless passwordless config (Configure a Temporary Access Pass in Azure AD to register Passwordless authentication methods - Micr...).

For authentication methods there are 3 possibilities:
- Microsoft Authenticator (MFA)
- FIDO2 Security Key (passwordless)
- Temporary Access Pass (for passwordless user config)

TAP is configured. Works well. That's not the problem. My problem is our global CA policy "MFA for all users", which includes my passwordless users as well.

We will have such users:
- only MS-Authenticator
- only FIDO2 Token
- both MS-Authenticator and FIDO2 Token

How should we design our CA policy?

@Sebastian_Rottmann Not sure I understand. If TAP is up and running it satisfies strong authentication requirements so you can simply direct the users to https://aka.ms/mysecurityinfo and have them add their preferred choice.




The problem is not the setup process. It works. But the user with the FIDO2 key cannot log in, because our Conditional Access policy "MFA for all users" blocks the passwordless attempt.


Here is the log for our dummy user with a FIDO2 token:

Date 9.8.2022, 20:38:08
Request ID 5483171c-9d37-4d24-b598-6121fc6d1100
Correlation ID ec77f33b-b442-4016-a768-6f6835d4b6cf
Authentication requirement Multifactor authentication
Status Interrupted
Continuous access evaluation No
Additional Details
User needs to perform multi-factor authentication. There could be multiple things requiring multi-factor, e.g. Conditional Access policies, per-user enforcement, requested by client, among others.

That's basically exactly what I did. But the collision comes when the user authenticates with his FIDO2 key. The login gets blocked, because the CA policy enforces ALL users to use MFA.

FIDO2 tokens do not count as such, obviously. So the user is forced to use his MS Authenticator on a phone. But the user doesn't have a phone to authenticate. The user wanted to use his FIDO2 token.
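The sign-in entry pasted above is the kind of record an admin triages when a "MFA for all users" policy and FIDO2 sign-in appear to collide. The following is an added example, not code from this thread or from Microsoft: it parses an entry in the "Field value" layout shown above, maps each user's registered methods onto the three groups named earlier in the thread (Authenticator only, FIDO2 only, both), and returns a triage verdict. The method labels and the per-user registration dictionary are constructed stand-ins for what a Microsoft Graph authentication-methods query would return; the sample entry reuses the values pasted in the post. The design point it encodes is that a FIDO2 security key sign-in is itself multifactor (key possession plus PIN or biometric) and satisfies a "Require multifactor authentication" grant control without any policy exclusion, so an interrupted sign-in for a user who holds a key points at the client rather than at the policy, which is what the thread eventually found.

```python
"""
Triage of an Azure AD sign-in log entry in the "Field value" layout shown
in the thread. Added example; assumptions are noted in comments.
"""
from typing import Dict, List

# Field names as they appear in the pasted sign-in entry.
FIELDS = (
    "Date", "Request ID", "Correlation ID", "Authentication requirement",
    "Status", "Continuous access evaluation", "Additional Details",
)


def parse_signin_entry(text: str) -> Dict[str, str]:
    """Turn the 'Key value' lines into a dict.

    "Additional Details" carries its text on the following line, so a field
    with nothing after its name takes the next non-empty line as its value.
    """
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    entry: Dict[str, str] = {}
    i = 0
    while i < len(lines):
        line = lines[i]
        # Longest field name that prefixes the line wins.
        name = max((f for f in FIELDS if line.startswith(f)), key=len, default=None)
        if name is None:
            i += 1
            continue
        value = line[len(name):].strip()
        if not value and i + 1 < len(lines):
            i += 1
            value = lines[i]
        entry[name] = value
        i += 1
    return entry


def classify_user(methods: List[str]) -> str:
    """Map registered methods onto the three user groups named in the thread.

    Method labels are constructed for this example, not Graph's exact names.
    """
    has_auth = "microsoftAuthenticator" in methods
    has_fido = "fido2SecurityKey" in methods
    if has_auth and has_fido:
        return "both"
    if has_fido:
        return "fido2-only"
    if has_auth:
        return "authenticator-only"
    return "none"


def triage(entry: Dict[str, str], methods: List[str]) -> str:
    """Decide what an interrupted MFA sign-in means for a given user.

    A FIDO2 key satisfies the MFA requirement on its own, so an interruption
    for a key holder is a client-side (browser/OS FIDO2 support) question.
    A user with no strong method registered needs a Temporary Access Pass
    to register one, as suggested in the thread.
    """
    if entry.get("Status") != "Interrupted":
        return "no-action"
    if entry.get("Authentication requirement") != "Multifactor authentication":
        return "no-action"
    group = classify_user(methods)
    if group in ("fido2-only", "both"):
        return "check-client-fido2-support"
    if group == "authenticator-only":
        return "authenticator-prompt-expected"
    return "register-strong-method-via-tap"


# Constructed sample: the entry pasted in the thread, verbatim.
SAMPLE_ENTRY = """
Date 9.8.2022, 20:38:08
Request ID 5483171c-9d37-4d24-b598-6121fc6d1100
Correlation ID ec77f33b-b442-4016-a768-6f6835d4b6cf
Authentication requirement Multifactor authentication
Status Interrupted
Continuous access evaluation No
Additional Details
User needs to perform multi-factor authentication. There could be multiple things requiring multi-factor, e.g. Conditional Access policies, per-user enforcement, requested by client, among others.
"""

# Constructed registration data standing in for a Graph authentication-methods query.
USER_METHODS: Dict[str, List[str]] = {
    "dummy-fido2@example.invalid": ["fido2SecurityKey"],
    "phone-user@example.invalid": ["microsoftAuthenticator"],
    "both-user@example.invalid": ["microsoftAuthenticator", "fido2SecurityKey"],
    "new-hire@example.invalid": [],
}


def triage_all(entry_text: str, registrations: Dict[str, List[str]]) -> Dict[str, str]:
    """Run the same sign-in entry against every registration profile."""
    entry = parse_signin_entry(entry_text)
    return {upn: triage(entry, m) for upn, m in registrations.items()}


if __name__ == "__main__":
    for upn, verdict in triage_all(SAMPLE_ENTRY, USER_METHODS).items():
        print(f"{upn:32} {verdict}")
```

Run as a script it prints one verdict per constructed user; the FIDO2-only dummy user from the thread comes back as "check-client-fido2-support" rather than as a reason to exclude anyone from the MFA policy.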
best response confirmed by Sebastian_Rottmann (Copper Contributor)
Solution
Solved. The problem was using Edge with the FIDO2 token under Linux. It is not supported yet. Using Chrome works fine. My problem is now that Intune for Linux needs Edge 😕

https://docs.microsoft.com/en-us/azure/active-directory/authentication/fido2-compatibility
