In a federated Azure AD-only environment, can an external identity provider's phishing-resistant MFA be used to satisfy the authentication strength's phishing-resistant MFA requirement?
How do we configure an external identity provider’s authentication so that it satisfies the conditional access policy when the authentication strength of phishing-resistant MFA is enabled?
Our domain is federated with an identity provider that supports phishing-resistant MFA (FIDO2 and WebAuthn). So the authentication is already performed by the IdP using phishing-resistant MFA.
When we configure a conditional access policy to mandate phishing-resistant MFA for admins, it denies admins access even though the external IdP has authenticated them using phishing-resistant MFA.
Are there changes to be made to the federation configuration, or is third-party phishing-resistant MFA not accepted by Azure to fulfil the phishing-resistant MFA requirement?