I have a guest account that needs to access resources on a resource tenant.
These resources are protected by a conditional access policy requiring strong MFA auth aka FIDO2 security keys.
The guest has already been redeemed and configured regular MFA using the Authenticator App.
Now when I log on to the FIDO2-protected resource I get the following screen:
Then followed by
Now when I go to the mysecurityinfo page I land on the security page of my home tenant. Here I can register a FIDO2 security key just fine. However, this does not seem to be enough to satisfy the strong auth requirement.
On the security page, when I switch to the resource tenant, I also try to register a security key.
This time, however, the process throws an error.
It seems like this scenario is broken. I'm actively using this YubiKey for different accounts and on different tenants; however, these are all "primary" accounts, not guest accounts. This has been broken for a few weeks now, as I have been coming back to this a few times and it doesn't seem to get resolved.
Only found this post which seemed similar but describes a "normal" scenario not using guest accounts:
https://learn.microsoft.com/en-us/answers/questions/1074772/cannot-register-fido2-key
Info:
Using Edge Version 111.0.1661.51 (Official build) (64-bit)
Windows 11 22H2
Device is not domain joined, hybrid AAD joined, or AAD joined
Error details:
Correlation ID: 7287cfce-ef73-45e5-b90b-9deb279c26bd.
Timestamp: 2023-03-24T15:12:19Z
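Before treating this as a platform bug, it helps to confirm two things from the resource tenant's side: which authentication strength the Conditional Access policy actually demands, and which FIDO2 methods (if any) the resource tenant can see on the guest object. A FIDO2 key registered in the home tenant is stored on the home user object, so the resource tenant will not list it. The following Microsoft Graph PowerShell check is an added example written for this post, not something the original poster ran; the guest's UPN, the resource tenant id and the policy name are placeholders you must replace, and the exact shape of the `AuthenticationStrength` property on the policy object is assumed from the Graph `conditionalAccessGrantControls` resource.

```powershell
# Added diagnostic example (not from the original post). Requires the
# Microsoft.Graph.Users and Microsoft.Graph.Identity.SignIns modules.
# Placeholders: replace with real values from the resource tenant.
$ResourceTenantId = "00000000-0000-0000-0000-000000000000"   # placeholder
$GuestUpn         = "guest_example.com#EXT#@resource.onmicrosoft.com" # placeholder
$PolicyName       = "Require phishing-resistant MFA"           # placeholder

# Sign in to the RESOURCE tenant, not the guest's home tenant; the scopes
# below are read-only and cover authentication methods and CA policies.
Connect-MgGraph -TenantId $ResourceTenantId `
    -Scopes "UserAuthenticationMethod.Read.All","Policy.Read.All" | Out-Null

# 1. What does the Conditional Access policy require?
#    An authentication strength such as "Phishing-resistant MFA" lists the
#    method combinations it accepts (e.g. FIDO2 security key, WHfB, certificate).
$policy = Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.DisplayName -eq $PolicyName }
if (-not $policy) { throw "Policy '$PolicyName' not found in tenant $ResourceTenantId" }

$strength = $policy.GrantControls.AuthenticationStrength   # assumed property path
if ($strength) {
    Write-Host "Policy '$($policy.DisplayName)' requires authentication strength:" `
               $strength.DisplayName
    Write-Host "Accepted combinations:" ($strength.AllowedCombinations -join ", ")
} else {
    Write-Host "Policy uses built-in controls:" ($policy.GrantControls.BuiltInControls -join ", ")
}

# 2. Which FIDO2 methods does the RESOURCE tenant see on the guest object?
#    Keys registered in the home tenant live on the home object and will
#    not appear here, which is consistent with the behaviour described above.
$guest = Get-MgUser -UserId $GuestUpn -Property Id,UserPrincipalName,UserType
Write-Host "Guest object: $($guest.UserPrincipalName) (userType=$($guest.UserType))"

$fido = Get-MgUserAuthenticationFido2Method -UserId $guest.Id
if ($fido) {
    $fido | Select-Object DisplayName, Model, CreatedDateTime | Format-Table
} else {
    Write-Host "No FIDO2 methods registered on the guest object in tenant $ResourceTenantId."
    Write-Host "Registration must succeed against this tenant for the policy to be satisfied."
}

# 3. Everything the resource tenant knows about this guest's methods, for context.
Get-MgUserAuthenticationMethod -UserId $guest.Id |
    Select-Object Id, @{n='Type';e={$_.AdditionalProperties['@odata.type']}} |
    Format-Table

Disconnect-MgGraph | Out-Null
```

If step 1 shows an authentication strength that only accepts FIDO2 and step 2 shows no FIDO2 method on the guest object, the sign-in failure is expected: the policy is evaluated against methods the resource tenant can see, and the home-tenant key is invisible to it. The correlation id and timestamp from the error page can then be matched against the resource tenant's sign-in logs to confirm which policy and which missing control produced the block.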