Forum Discussion
Solved
passwordless together with MFA
edit: was an issue using edge under linux which has now support for FIDO2 tokens. you need to use chrome, when login into azure using a linux client.
Hi,
we are running a CA which enforces MFA through MS-Authenticator App for all users. We would like to set up an alternative way through FIDO2 tokens (passwordless). We still do have users without smart-devices and we also want a soft way for migration.
Right now the passwordless login fails because the CA enforces MFA for all users. Is there a way to solve this problem? Or do we have to choose for one to authenticate way for all users?
My first idea is to configure the CA so it excludes certain users from the policy? Make a group for passwordless users and exclude them from MFA. Is this the way to go or are there better solutions?
Would it be possible to generate this group dynamically for all the users with at least one FIDO2 token in their authentication methods? Or would this idea mean that we have to set this group manually? What are the consequences if an user has MFA and FIDO2 within its authentication methods?
Thanks for any answers and any solution.
Cheers Sebastian
- solved. the problem was using edge with the FIDO2 token under linux. it is not supported yet. using chrome works fine. my problem is now, that intune for linux needs edge 😕
https://docs.microsoft.com/en-us/azure/active-directory/authentication/fido2-compatibility
- If you need passwordless authentication with a Microsoft personal account you might find this wiki guide handy;
https://wiki.deepnetsecurity.com/display/SafeKey/How+to+enable+passwordless+authentication+to+Microsoft+personal+account+with+FIDO2+security+keys Sebastian_Rottmann You should have a look at the Authentication method settings in Azure AD Authentication methods - Microsoft Azure and also TAP for a seamless passwordless config Configure a Temporary Access Pass in Azure AD to register Passwordless authentication methods - Microsoft Entra | Microsoft Docs
- for authentication methods there are 3 possibilities:
- Microsoft Authenticator (MFA)
- FIDO2 Security Key (passwordless)
- Temporary Access Pass (for passwordless user config)
TAP is configured. Works well. That's not the problem. My problem is our global CA "MFA for all users" which includes my passwordless-Users aswell.
We will have such users:
- only MS-Authenticator
- only FIDO2 Token
- both MS-Authenticator and FIDO2 Token
How should we design our CA-Policy?Sebastian_Rottmann Not sure I understand. If TAP is up and running it satisfies strong authentication requirements so you can simply direct the users to https://aka.ms/mysecurityinfo and have them add their preferred choice.
