That sounds expected. If you have already authenticated with a FIDO key, then you have met the requirement.
Conditional Access policy and PIM
I am using a Conditional Access policy with the purpose of getting a two-factor authentication prompt when enabling an eligible role in PIM. The CA policy I am using has the authentication strength 'phishing-resistant MFA' option. Still, the prompt doesn't show if I am already logged in to Azure using a FIDO2 security key. However, the prompt does show if my first login to Azure was made using a different 2FA method like the Authenticator app. Then, upon activating the role, a prompt shows as wanted, saying that a Conditional Access policy applies here, and I can only continue to activate my role if I sign in using a security key. What could be the cause of this behavior?
Note: When the authentication strength 'Passwordless MFA' is chosen in the CA policy, for users that don't use FIDO2 keys, this works every time. This means that when a user logs in to the Azure Portal with 2FA (Authenticator app) and then proceeds to PIM to try to activate a role, this user is prompted every time to provide 2FA login again. Using FIDO2 with the 'Passwordless' authentication strength sadly doesn't trigger anything.