Hi @Kevin Hester,
Thanks for your post! I reached out to the PG about your issue and it seems to be a limitation of the product, if we are understanding your scenario correctly.
When MFA is required and the CBA protection level is configured as "single-factor authentication", users will see the AADSTS54008 error. The sign-in is considered single-factor authentication because the authentication policy is set so that the Issuer subject rule satisfies single-factor authentication. If the user has MFA required by a Conditional Access policy, the sign-in fails with the AADSTS54008 error. There is a pull request sitting in the queue to add this information to the documentation in the next day or so.
Based on my understanding, MFA needs to be disabled on the user account and on any Conditional Access Policies. There is a similar discussion here: https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad/cba-mfa-and-aadsts54008-certificate-is-not-supported-as-first/m-p/3422036
The policy information also needs to be included in the certificate and there needs to be a policy OID rule to verify it. The PG contact I spoke with said that there isn't any workaround for the issue, but I have reached out and shared your specific scenario with another PG member to see if there might be a way around this and will update as I hear back.
-
If the information helped you, please Accept the answer. This will help us and other members of the community as well.
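To make the interaction described in the answer above concrete, here is a small Python model of how an authentication binding policy assigns a protection level to a certificate and what that means once a Conditional Access policy requires MFA. This is an added illustration, not Microsoft's code and not the evaluation logic of Entra ID itself. The policy dictionary borrows the field names of the Microsoft Graph `x509CertificateAuthenticationMethodConfiguration.authenticationModeConfiguration` object; the rule precedence (a matching policy OID rule is applied before an issuer/subject rule), the sample issuer string and the policy OID `1.3.6.1.4.1.99999.1.1` are assumptions constructed for the example.

```python
"""Model of CBA protection-level evaluation and the AADSTS54008 outcome.

Added example, not Microsoft's code. Field names mirror the Microsoft Graph
authenticationModeConfiguration object; precedence and sample values are assumptions.
"""
from dataclasses import dataclass

SINGLE_FACTOR = "x509CertificateSingleFactor"
MULTI_FACTOR = "x509CertificateMultiFactor"
AADSTS54008 = "AADSTS54008"


@dataclass
class Certificate:
    """The parts of a user certificate the binding policy looks at."""
    issuer: str
    policy_oids: tuple  # OIDs from the certificatePolicies extension


def effective_mode(policy: dict, cert: Certificate) -> str:
    """Return the protection level the binding policy assigns to this certificate.

    Assumption for this model: a matching policy OID rule is consulted first,
    then a matching issuer/subject rule, and otherwise the tenant default applies.
    """
    rules = policy.get("rules", [])
    for rule in rules:
        if rule["x509CertificateRuleType"] == "policyOID" and rule["identifier"] in cert.policy_oids:
            return rule["x509CertificateAuthenticationMode"]
    for rule in rules:
        if rule["x509CertificateRuleType"] == "issuerSubject" and rule["identifier"] == cert.issuer:
            return rule["x509CertificateAuthenticationMode"]
    return policy["x509CertificateAuthenticationDefaultMode"]


def sign_in_result(policy: dict, cert: Certificate, mfa_required: bool) -> str:
    """Outcome of a CBA sign-in: 'success', or AADSTS54008 when a single-factor
    certificate meets a Conditional Access MFA requirement."""
    mode = effective_mode(policy, cert)
    if mfa_required and mode == SINGLE_FACTOR:
        return AADSTS54008
    return "success"


# Constructed sample values (not from any real tenant or CA).
ISSUER = "CN=Contoso Issuing CA, O=Contoso"
POLICY_OID = "1.3.6.1.4.1.99999.1.1"  # placeholder OID carried by the user certificate

# Weak configuration: tenant default is single-factor and the only rule is an
# issuer/subject rule that also grants single-factor. This is the scenario in the
# answer above: with MFA required by Conditional Access, the sign-in fails.
WEAK_POLICY = {
    "x509CertificateAuthenticationDefaultMode": SINGLE_FACTOR,
    "rules": [
        {"x509CertificateRuleType": "issuerSubject",
         "identifier": ISSUER,
         "x509CertificateAuthenticationMode": SINGLE_FACTOR},
    ],
}

# Corrected configuration: a policy OID rule verifies the policy information in
# the certificate and rates the sign-in as multi-factor.
HARDENED_POLICY = {
    "x509CertificateAuthenticationDefaultMode": SINGLE_FACTOR,
    "rules": [
        {"x509CertificateRuleType": "policyOID",
         "identifier": POLICY_OID,
         "x509CertificateAuthenticationMode": MULTI_FACTOR},
        {"x509CertificateRuleType": "issuerSubject",
         "identifier": ISSUER,
         "x509CertificateAuthenticationMode": SINGLE_FACTOR},
    ],
}

CERT_WITH_OID = Certificate(issuer=ISSUER, policy_oids=(POLICY_OID,))
CERT_WITHOUT_OID = Certificate(issuer=ISSUER, policy_oids=())


def compare_configurations() -> dict:
    """Run the same certificates through both policies with MFA required."""
    return {
        "weak": sign_in_result(WEAK_POLICY, CERT_WITH_OID, mfa_required=True),
        "hardened": sign_in_result(HARDENED_POLICY, CERT_WITH_OID, mfa_required=True),
        # A certificate that lacks the policy OID gains nothing from the OID rule.
        "hardened_no_oid": sign_in_result(HARDENED_POLICY, CERT_WITHOUT_OID, mfa_required=True),
        "weak_no_mfa": sign_in_result(WEAK_POLICY, CERT_WITH_OID, mfa_required=False),
    }


if __name__ == "__main__":
    for name, outcome in compare_configurations().items():
        print(f"{name:16s} -> {outcome}")
```

The `hardened_no_oid` case is the one worth noticing: adding a policy OID rule to the tenant is not enough on its own, the certificate must actually carry that OID in its certificatePolicies extension, which is the point the answer makes about the policy information being included in the certificate.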