User Profile
RGFUK
Copper Contributor
Joined 7 years ago
Recent Discussions
Re: PIM role activation but only with FIDO2-based MFA?
Ondrej_Hlavacek This is possible now by creating an authentication context, called for example "Require FIDO2 security key", and then making the authn context a condition of a conditional access policy. Another possibility is to use authentication strength as a requirement under the grant section of the policy. That allows you to choose phishing-resistant MFA, which would include a hardware key. See for example the blogs written by Kaido Jarvemets or Kenneth van Surksum:

https://www.kaidojarvemets.com/better-together-azure-active-directory-privileged-identity-management-and-authentication-context/
https://www.vansurksum.com/2023/02/20/azure-ad-conditional-access-authentication-context-now-also-available-for-azure-ad-privileged-identity-management/

2.8K Views, 0 likes, 0 Comments

PIM role activation but only with FIDO2-based MFA?

Hi there,

It's currently possible to define an authentication method policy so that FIDO2 security keys can only be used by a select number of users or groups (that is, in the Azure portal under Security > Authentication methods > FIDO2 Security Key > FIDO2 Security Key settings).

For a user who is eligible for an Azure AD admin role which is managed via PIM, if MFA is required to activate that role, is it possible to limit the choice of MFA to only a FIDO2 security key? This would be for a scenario where a standard user sign-in to the Azure portal would be secured using MFA (for example, using the Microsoft Authenticator), but activating an admin role through PIM would require the use of a FIDO2 security key instead.

My Sign-Ins ( https://mysignins.microsoft.com/security-info ) lets you select a default sign-in method under Security info (for example, Microsoft Authenticator - notification, or Authenticator app or hardware token - code), but I can't see a setting in the Azure portal to specify a FIDO2 security key as a default or preferred MFA method.

Has anyone had success in making a FIDO2 security key the default MFA method, in particular when working with PIM?

3.7K Views, 0 likes, 3 Comments
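The reply above answers the question just posted by combining an authentication context, a conditional access policy with the phishing-resistant authentication strength, and a PIM role setting that requests that context on activation. The following Microsoft Graph PowerShell script is an added example (not code from either post or from Microsoft's documentation) that wires those three pieces together; it assumes the context id "c1", the display name, the report-only starting state and the Global Administrator role (well-known template id 62e90394-69f5-4237-9190-012177145e10) as free choices.

```powershell
# Added example, not from the thread. Assumptions: authentication context id "c1",
# its display name, and the Global Administrator role template id are free choices.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess",
                        "RoleManagementPolicy.ReadWrite.Directory"

# 1. Create the authentication context that PIM activation will request.
New-MgIdentityConditionalAccessAuthenticationContextClassReference `
    -Id "c1" -DisplayName "Require FIDO2 security key" `
    -Description "Phishing-resistant MFA for PIM activation" -IsAvailable:$true

# 2. Conditional access policy: whenever context c1 is requested, grant access only
#    with the built-in "Phishing-resistant MFA" authentication strength
#    (id 00000000-0000-0000-0000-000000000004: FIDO2 security key, Windows Hello
#    for Business, certificate-based auth). Normal portal sign-in is untouched.
$policy = @{
    displayName = "PIM activation requires phishing-resistant MFA"
    state       = "enabledForReportingButNotEnforced"  # switch to "enabled" after testing
    conditions  = @{
        users          = @{ includeUsers = @("All") }
        clientAppTypes = @("all")
        applications   = @{ includeAuthenticationContextClassReferences = @("c1") }
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = "00000000-0000-0000-0000-000000000004" }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 3. Bind context c1 to end-user activation in the role's PIM policy, so activating
#    the role triggers the conditional access policy above.
$roleDefinitionId = "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator
$assignment = Get-MgPolicyRoleManagementPolicyAssignment -Filter `
    "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$roleDefinitionId'"
$rule = @{
    "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule"
    id            = "AuthenticationContext_EndUser_Assignment"
    isEnabled     = $true
    claimValue    = "c1"
    target        = @{
        caller = "EndUser"; operations = @("All"); level = "Assignment"
        inheritableSettings = @(); enforcedSettings = @()
    }
}
Update-MgPolicyRoleManagementPolicyRule `
    -UnifiedRoleManagementPolicyId $assignment.PolicyId `
    -UnifiedRoleManagementPolicyRuleId $rule.id -BodyParameter $rule
```

Leaving the policy in report-only mode first lets the sign-in logs show which activations would have been blocked before any administrator is locked out of role activation.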
Recent Blog Articles
No content to show