Forum Discussion
Solved
passwordless together with MFA
edit: was an issue using edge under linux which has now support for FIDO2 tokens. you need to use chrome, when login into azure using a linux client. Hi, we are running a CA which enforces MF...
- solved. the problem was using edge with the FIDO2 token under linux. it is not supported yet. using chrome works fine. my problem is now, that intune for linux needs edge 😕
https://docs.microsoft.com/en-us/azure/active-directory/authentication/fido2-compatibility
Sebastian_Rottmann You should have a look at the Authentication method settings in Azure AD Authentication methods - Microsoft Azure and also TAP for a seamless passwordless config Configure a Temporary Access Pass in Azure AD to register Passwordless authentication methods - Microsoft Entra | Microsoft Docs
- for authentication methods there are 3 possibilities:
- Microsoft Authenticator (MFA)
- FIDO2 Security Key (passwordless)
- Temporary Access Pass (for passwordless user config)
TAP is configured. Works well. That's not the problem. My problem is our global CA "MFA for all users" which includes my passwordless-Users aswell.
We will have such users:
- only MS-Authenticator
- only FIDO2 Token
- both MS-Authenticator and FIDO2 Token
How should we design our CA-Policy?Sebastian_Rottmann Not sure I understand. If TAP is up and running it satisfies strong authentication requirements so you can simply direct the users to https://aka.ms/mysecurityinfo and have them add their preferred choice.
- the problem is not the setup process. it works. but the user with the FIDO2 key cannot login, because our conditional access policy "MFA for all users" blocks the passwordless attempt.
here is the log, for our dummy user with FIDO2 token:
Date 9.8.2022, 20:38:08
Request ID 5483171c-9d37-4d24-b598-6121fc6d1100
Correlation ID ec77f33b-b442-4016-a768-6f6835d4b6cf
Authentication requirement Multifactor authentication
Status Interrupted
Continuous access evaluation No
Additional Details
User needs to perform multi-factor authentication. There could be multiple things requiring multi-factor, e.g. Conditional Access policies, per-user enforcement, requested by client, among others.
