Azure AD - 2FA for CBA and Authenticator

Mobst Salat 0 Reputation points
2023-05-08T19:52:17.4966667+00:00

Hey there,

I have a problem understanding Multi-Factor Authentication when using both CBA and the Authenticator app.

We planned to offer the possibility to use Certificate Based Authentication, the Authenticator App, Phone-Call and OTP-Token for the second factor. The configuration of all methods (including CBA) was pretty straightforward and it's working pretty well and conveniently so far. So we have users who are willing to use the App or their phone and those who aren't. That's why we want to offer different methods.

The problem now is that once a user is assigned to use CBA, there's no possibility to use any of the other methods! After the password prompt, only certificates can be chosen. If the user then gets excluded from CBA, the possibility to choose any of the said methods is there again.

Even if CBA is activated for the user, and the Authenticator is manually added in the user-settings, there's still no option to use other methods.

In short: If CBA is activated, no other methods for 2FA are shown.

If anyone could help, I'd be so grateful!

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

2 answers

  1. Mobst Salat 0 Reputation points
    2023-05-09T09:48:50.6366667+00:00

    Okay so I resolved the issue - reading is paramount.

    For the sake of others who might have trouble:

    There's an option in the settings of the authentication methods panel that sets the preferred authentication method.

    The idea behind it is that MS automatically chooses the safest authentication method. Because CBA is passwordless and thus safe, it is offered as the only option.

    Changing the setting from activated to disabled offers the other (so to speak "less safe") methods for the 2nd factor.

    https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-system-preferred-multifactor-authentication

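To check which users the setting described in the answer above covers, the following added example (not part of the original post, and not Microsoft's code) evaluates the `systemCredentialPreferences` section of the tenant's `authenticationMethodsPolicy` as exported from Microsoft Graph. The sample policy, group ID and user names are constructed, and it is an assumption that an exclude target takes precedence over an include target.

```python
import json

# Constructed sample: shape of the systemCredentialPreferences section of the
# authenticationMethodsPolicy resource. The group ID is a placeholder.
EXCLUDED_GROUP = "00000000-0000-0000-0000-00000000aaaa"
SAMPLE_POLICY = json.loads("""
{
  "systemCredentialPreferences": {
    "state": "enabled",
    "includeTargets": [{"id": "all_users", "targetType": "group"}],
    "excludeTargets": [{"id": "00000000-0000-0000-0000-00000000aaaa",
                        "targetType": "group"}]
  }
}
""")


def _matches(targets, user_groups):
    """True if any target is the all_users pseudo-group or one of the user's groups."""
    return any(t.get("id") == "all_users" or t.get("id") in user_groups
               for t in targets)


def system_preferred_applies(policy, user_groups):
    """Return 'applies', 'not-applied' or 'microsoft-managed' for one user."""
    prefs = policy.get("systemCredentialPreferences") or {}
    state = prefs.get("state", "default")
    if state == "disabled":
        return "not-applied"
    # Assumption: exclusion wins over inclusion.
    if _matches(prefs.get("excludeTargets", []), user_groups):
        return "not-applied"
    if not _matches(prefs.get("includeTargets", []), user_groups):
        return "not-applied"
    # 'default' leaves the decision to Microsoft; report it separately.
    return "applies" if state == "enabled" else "microsoft-managed"


def audit(policy, users):
    """Map each user name to the result for that user's group memberships."""
    return {name: system_preferred_applies(policy, set(groups))
            for name, groups in users.items()}


if __name__ == "__main__":
    # Constructed users: alice has no special groups, bob is in the excluded group.
    print(audit(SAMPLE_POLICY, {"alice": [], "bob": [EXCLUDED_GROUP]}))
```

Users reported as `applies` are the ones who will be steered to the strongest registered method, which matches the certificate-only prompt described in the question.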

  2. Shweta Mathur 29,856 Reputation points Microsoft Employee
    2023-05-10T05:36:18.4433333+00:00

    Hi @Mobst Salat ,

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Thanks

