In a federated Azure AD-only environment, can an external identity provider's phishing-resistant MFA be used to satisfy the authentication strength's phishing-resistant MFA requirement?

Keldennis 0 Reputation points
2023-04-21T13:43:30.08+00:00

How do we configure an external identity provider’s authentication so that it satisfies the conditional access policy when the authentication strength of phishing-resistant MFA is enabled? Our domain is federated with an identity provider that supports phishing-resistant MFA (FIDO2 and WebAuthn). So the authentication is already performed by the IdP using phishing-resistant MFA.
When we configure a conditional access policy to mandate phishing-resistant MFA for admins, it denies admins access even though the external IdP has authenticated them using phishing-resistant MFA. Are there changes to be made to the federation configuration, or is third-party phishing-resistant MFA not accepted by Azure to fulfil the phishing-resistant MFA requirement?

Microsoft Security | Active Directory Federation Services
Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Authenticator
Microsoft Security | Microsoft Identity Manager
Microsoft Security | Microsoft Entra | Other