Azure CBA MFA no longer working

Kevin Hester 1 Reputation point
2022-09-26T15:36:05.073+00:00

My company has moved to CBA for the majority of our authentication methods. Azure CBA was set up and working for a couple of months but now it gives me the dreaded: AADSTS54008: Multi-Factor authentication is required and the credential used (Certificate) is not supported as a First Factor. Contact your administrator for more information.

We have designated policies for Single factor (Enterprise CA Cert) and Multifactor (Policy OID) set on the certificates via Computer Policy. Conditional Access is applied that requires MFA. The policy OID should be recognized and meet the requirements, but it does not. Each failure shows that the cert failed multifactor, and checking additional details, the Enterprise CA Cert was chosen and NOT the Policy OID. I also removed myself from the Conditional Access rule that was kicking in, but the same failure happens. Any help would be appreciated.

Microsoft Entra ID

2 answers

  1. Marilee Turscak-MSFT 33,801 Reputation points Microsoft Employee
    2022-09-28T00:43:42.783+00:00

    Hi @Kevin Hester ,

    Thanks for your post! I reached out to the PG about your issue and it seems to be a limitation of the product, if we are understanding your scenario correctly.

    When MFA is required and the CBA protection level is configured as "single-factor authentication", users will see the AADSTS54008 error. The sign-in is considered single-factor authentication because the authentication policy is set so that the Issuer subject rule satisfies single-factor authentication. If the user has MFA required by a Conditional Access policy, the sign-in fails with the AADSTS54008 error. There is a pull request sitting in the queue to add this information to the documentation in the next day or so.

    Based on my understanding, MFA needs to be disabled on the user account and on any Conditional Access Policies. There is a similar discussion here: https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad/cba-mfa-and-aadsts54008-certificate-is-not-supported-as-first/m-p/3422036

    The policy information also needs to be included in the certificate and there needs to be a policy OID rule to verify it. The PG contact I spoke with said that there isn't any workaround for the issue, but I have reached out and shared your specific scenario with another PG member to see if there might be a way around this and will update as I hear back.

    -
    If the information helped you, please Accept the answer. This will help us and other members of the community as well.

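Before changing tenant policy, it is worth confirming that the issued certificate actually carries the policy OID the PolicyOID rule expects, since the answer above notes that the policy information must be in the certificate for the rule to match. The following is an added example, not code from the thread or from Microsoft: it reads an exported user certificate with the .NET X509 classes and lists the issuer and the policy OIDs in the Certificate Policies extension. The file path and the OID are placeholders, and the regex relies on the English rendering of the extension ("Policy Identifier=...").

```powershell
# Added example: check which CBA binding-rule inputs a certificate exposes.
$certPath  = 'C:\temp\user.cer'        # assumed: exported copy of the user's certificate
$expectOid = '1.3.6.1.4.1.311.99.1'    # assumed: the OID configured in the PolicyOID rule

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certPath)

'Issuer : {0}' -f $cert.Issuer     # what an IssuerSubject rule is matched against
'Subject: {0}' -f $cert.Subject

# The Certificate Policies extension has OID 2.5.29.32.
$policyExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
if (-not $policyExt) {
    Write-Warning 'No Certificate Policies extension: only an IssuerSubject rule or the default mode can apply.'
    return
}

# Format($true) renders the extension as text; pull the identifiers out of that
# rather than hand-parsing the ASN.1 (English-locale output assumed).
$text = $policyExt.Format($true)
$oids = [regex]::Matches($text, 'Policy Identifier=([\d.]+)') |
    ForEach-Object { $_.Groups[1].Value } |
    Sort-Object -Unique
'Policy OIDs: {0}' -f ($oids -join ', ')

if ($oids -contains $expectOid) {
    'OK: policy OID {0} is present, so a PolicyOID rule for it can match.' -f $expectOid
} else {
    Write-Warning ('Policy OID {0} is not in this certificate; the tenant can only apply an IssuerSubject rule or the default protection level.' -f $expectOid)
}
```

If the OID is missing here, the problem is on the issuance side (certificate template or the Computer Policy that sets it), not in the Entra binding policy.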

  2. Marilee Turscak-MSFT 33,801 Reputation points Microsoft Employee
    2022-09-28T00:44:38.643+00:00

    Second update from the product group:

    PG is aware and working on this. We are expecting a fix sometime in October. For now, have the customer configure CBA as multifactor instead of single factor.

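The workaround in the second answer, configuring CBA as multifactor instead of single factor, is a change to the authentication binding policy of the X509Certificate authentication method. The following is an added example using the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module); it is not code from the thread or from Microsoft. It first reads the current configuration, then shows the combination described in the question (single-factor default, single-factor IssuerSubject rule, multifactor PolicyOID rule) beside the workaround (multifactor default, PolicyOID rule only) and applies only the latter. The issuer subject string and the policy OID are placeholders.

```powershell
# Added example: apply the "configure CBA as multifactor" workaround via Microsoft Graph.
# Requires: Install-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod'

# Inspect the binding policy that is in place before touching it.
$current = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId 'X509Certificate'
$current.AdditionalProperties['authenticationModeConfiguration'] | ConvertTo-Json -Depth 5

$caSubject = 'CN=Contoso Issuing CA, DC=contoso, DC=com'   # assumed: enterprise CA subject
$mfaOid    = '1.3.6.1.4.1.311.99.1'                        # assumed: policy OID stamped on MFA certs

# The combination from the question, shown for contrast and NOT applied:
# the single-factor default and single-factor IssuerSubject rule leave the
# sign-in at single factor, which a Conditional Access MFA grant rejects
# with AADSTS54008.
$failing = @{
    x509CertificateAuthenticationDefaultMode = 'x509CertificateSingleFactor'
    rules = @(
        @{ x509CertificateRuleType = 'issuerSubject'; identifier = $caSubject
           x509CertificateAuthenticationMode = 'x509CertificateSingleFactor' }
        @{ x509CertificateRuleType = 'policyOID';     identifier = $mfaOid
           x509CertificateAuthenticationMode = 'x509CertificateMultiFactor' }
    )
}

# The workaround: multifactor as the default protection level and only the
# multifactor PolicyOID rule, so no rule can downgrade the sign-in.
$workaround = @{
    x509CertificateAuthenticationDefaultMode = 'x509CertificateMultiFactor'
    rules = @(
        @{ x509CertificateRuleType = 'policyOID'; identifier = $mfaOid
           x509CertificateAuthenticationMode = 'x509CertificateMultiFactor' }
    )
}

$body = @{
    '@odata.type' = '#microsoft.graph.x509CertificateAuthenticationMethodConfiguration'
    state = 'enabled'
    authenticationModeConfiguration = $workaround   # the rules array is sent whole and replaces the existing one
}

Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId 'X509Certificate' -BodyParameter $body
```

One caveat when adopting this: the default mode applies to every certificate from the tenant's trusted CAs that matches no rule, so with a multifactor default a certificate that lacks the policy OID is also treated as multifactor. Keep the trusted CA list and the issuing templates tight, and re-check the tenant once the fix the product group mentioned ships so the single-factor rule can be restored if that is the intended design.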