Conditional Access policy and PIM

Said Samir 0 Reputation points
2024-02-27T15:24:05.5933333+00:00

I am using a Conditional Access policy with the purpose of getting a two-factor authentication prompt when enabling an eligible role in PIM. The CA policy I am using has the authentication strength 'phishing-resistant MFA' option. Still, the prompt doesn't show if I am already logged in to Azure using a FIDO2 security key. However, the prompt does show if my first login to Azure was made using a different 2FA method like the Authenticator app. Then, upon activating the role, a prompt shows as wanted, saying that a Conditional Access policy applies here, and I can only continue to activate my role if I sign in using a security key. What could be the cause of this behavior?
Note: When the authentication strength 'Passwordless MFA' is chosen in the CA policy, for users that don't use FIDO2 keys, this works every time. That is, when a user logs in to the Azure Portal with 2FA (Authenticator app) and then proceeds to PIM to try to activate a role, this user is prompted every time to provide 2FA login again. Using FIDO2 with the 'Passwordless' authentication strength sadly doesn't trigger anything.

Microsoft Entra ID

1 answer

  1. Andy David - MVP 147.6K Reputation points MVP
    2024-02-27T15:36:47.22+00:00

    That sounds expected. If you have already authenticated with a FIDO key, then you have met the requirement.
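The following is an added illustration, not code from the thread and not Microsoft's implementation: a simplified model of how a Conditional Access authentication-strength requirement is checked against what the current session has already completed. The strength definitions are a constructed subset (method names follow the style of the Graph `authenticationMethodModes` values, but the real built-in strengths contain more combinations), and `Session`, `step_up` and `pim_activation` are hypothetical names chosen for this example. It reproduces the four scenarios described in the question: a FIDO2 sign-in already satisfies both 'Phishing-resistant MFA' and 'Passwordless MFA', so no prompt appears, while a password plus Authenticator push sign-in satisfies neither, so role activation prompts for step-up.

```python
"""Simplified model of Conditional Access authentication-strength evaluation.

Illustration only (not Microsoft's implementation): a session records the
authentication-method combination(s) it has completed; a policy requiring an
authentication strength is satisfied when any completed combination is on the
strength's allowed list. Satisfied means no prompt; otherwise the user is
prompted to step up with an allowed combination.
"""
from typing import FrozenSet, List, Set

Combination = FrozenSet[str]

# Constructed subset of the built-in strengths (assumption: the real policies
# list more combinations than shown here).
PHISHING_RESISTANT: Set[Combination] = {
    frozenset({"fido2"}),
    frozenset({"windowsHelloForBusiness"}),
    frozenset({"x509CertificateMultiFactor"}),
}
PASSWORDLESS_MFA: Set[Combination] = PHISHING_RESISTANT | {
    frozenset({"microsoftAuthenticatorPush"}),  # passwordless phone sign-in
}
MFA: Set[Combination] = PASSWORDLESS_MFA | {
    frozenset({"password", "microsoftAuthenticatorPush"}),  # password + push approval
    frozenset({"password", "softwareOath"}),
    frozenset({"password", "sms"}),
}
STRENGTHS = {
    "Phishing-resistant MFA": PHISHING_RESISTANT,
    "Passwordless MFA": PASSWORDLESS_MFA,
    "Multifactor authentication": MFA,
}


class Session:
    """Hypothetical session object: the method combinations completed so far."""

    def __init__(self, *combinations: Combination) -> None:
        self.completed: List[Combination] = list(combinations)

    def satisfies(self, strength: str) -> bool:
        """True if any completed combination is allowed by the named strength."""
        allowed = STRENGTHS[strength]
        return any(combo in allowed for combo in self.completed)

    def step_up(self, combination: Combination, strength: str) -> bool:
        """Model the re-authentication prompt: the step-up is only accepted
        if the combination used meets the required strength."""
        if combination in STRENGTHS[strength]:
            self.completed.append(combination)
            return True
        return False


def pim_activation(session: Session, strength: str) -> str:
    """What the user sees when activating a PIM role under a CA policy
    that requires `strength`: either "no prompt" or "prompt"."""
    return "no prompt" if session.satisfies(strength) else "prompt"


def demo() -> dict:
    """Replay the scenarios from the question; returns scenario -> outcome."""
    fido2 = frozenset({"fido2"})
    password_push = frozenset({"password", "microsoftAuthenticatorPush"})
    results = {}

    # Signed in with a FIDO2 key: both strengths already met, nothing to prompt for.
    results["fido2 / phishing-resistant"] = pim_activation(Session(fido2), "Phishing-resistant MFA")
    results["fido2 / passwordless"] = pim_activation(Session(fido2), "Passwordless MFA")

    # Signed in with password + Authenticator push: neither strength met, prompt.
    s = Session(password_push)
    results["push / phishing-resistant"] = pim_activation(s, "Phishing-resistant MFA")
    results["push / passwordless"] = pim_activation(Session(password_push), "Passwordless MFA")

    # Answering the prompt with another push does not help; a FIDO2 step-up does.
    results["step-up with push accepted"] = s.step_up(password_push, "Phishing-resistant MFA")
    results["step-up with fido2 accepted"] = s.step_up(fido2, "Phishing-resistant MFA")
    results["after fido2 step-up"] = pim_activation(s, "Phishing-resistant MFA")
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The design point the model makes explicit: the policy is evaluated against the strength already present in the session, not against "how the user just authenticated a moment ago", so a sign-in that already used an allowed combination carries that satisfaction into the later PIM activation. A re-prompt only appears when the session's strongest completed combination is outside the required strength.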

