Cannot register FIDO2 key for guest users on resource tenant.

Ag-8821 41 Reputation points
2023-03-24T15:19:49.2566667+00:00

I have a guest account that needs to access resources on a resource tenant.

These resources are protected by a conditional access policy requiring strong MFA auth aka FIDO2 security keys.

The guest has already been redeemed and configured regular MFA using the Authenticator App.

Now when I log on to the FIDO2-protected resource I get the following screen:


Then followed by


Now when I go to the mysecurityinfo page I land on the security page of my home tenant. Here I can register a FIDO2 security key just fine. However, this does not seem to be enough to satisfy the strong auth requirement.

On the security page when I switch to the resource tenant I also try to register a security key.


This time however the process throws an error.

It seems like this scenario is broken. I'm actively using this YubiKey for different accounts and on different tenants; however, these are all "primary" accounts, not guest accounts. This has been broken for a few weeks now, as I have been coming back to this a few times and it doesn't seem to get resolved.

I only found this post, which seemed similar but describes a "normal" scenario not using guest accounts:

https://learn.microsoft.com/en-us/answers/questions/1074772/cannot-register-fido2-key

Info:

Using Edge Version 111.0.1661.51 (Official build) (64-bit)

Windows 11 22H2

Device is not domain joined, hybrid AAD joined or AAD joined

Error details:

Correlation ID: 7287cfce-ef73-45e5-b90b-9deb279c26bd.

Timestamp: 2023-03-24T15:12:19Z


1 answer

  1. Givary-MSFT 32,311 Reputation points Microsoft Employee
    2023-03-29T05:50:56.0033333+00:00

    @Ag-8821 Apologies for the delay in responding to this post. As I understand it, you are looking to register a FIDO2 key for guest users.

    As far as I am aware, we do not support FIDO for guest users at this time.

    The same information has been documented here: https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-passwordless#supported-scenarios


    Let me know if you have any further questions, feel free to post back.

    Please remember to "Accept Answer" if the answer helped, so that others in the community facing similar issues can easily find the solution.

    1 person found this answer helpful.
