Enabled Fido2 for all users, but this MFA option does not show under authentication types ...

Mike Schumann 0 Reputation points
2024-06-21T23:10:38.3766667+00:00

All our users have the Business Standard plan, MFA enabled - methods only show Email, Phone Number + Temporary Access - FIDO2 is what we want to use and it is enabled for all users in the Entra panel - it just does not show as an available authentication method for each user?

What am I missing here?


3 answers

  1. Raja Pothuraju 1,760 Reputation points Microsoft Vendor
    2024-06-24T20:03:18.5666667+00:00

    Hello @Mike Schumann, thank you for posting your query on Microsoft Q&A.

    Based on your statement, I understand that you want to use FIDO security keys for all your users as an authentication method. However, when you checked under Users > Authentication methods in the Azure Portal, it only shows Email, Phone Number, and Temporary Access, not FIDO2.

    This is expected behavior in the Azure Portal, as it only shows Email, Phone Number, and Temporary Access as available methods. To register or set up a FIDO2 security key, users should register the security key from the Security Info page: https://mysignins.microsoft.com/security-info.

    Once they log in to the Security Info page, they can click on "Add sign-in method" and then see the option to set up a Security Key. Please refer to the screenshot below from my demo tenant.

    [Screenshot: Security Info page, "Add sign-in method" showing the Security Key option]

    Make sure to enable FIDO2 security key settings under Authentication Methods in your Azure Portal for those users. Refer to the screenshot below from my demo tenant.

    [Screenshot: FIDO2 security key settings under Authentication methods]

    Please refer to the following Microsoft documents for more information on configuration settings:

    I hope this information is helpful. Please feel free to reach out if you have any further questions. I am happy to assist you with this. If required, we can connect offline for more insights. Looking forward to your response.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    Thanks,
    Raja Pothuraju.

    1 person found this answer helpful.

  2. John Rogan 0 Reputation points
    2024-06-22T02:30:44.16+00:00

    Hi Mike,

    Check your authentication methods policies and conditional access policies.

    Go to Authentication Methods:

    In the Entra/Azure Active Directory panel, go to Security > Authentication methods.

    Policy Configuration:

    Check the policy settings for authentication methods.

    Ensure that the policy applies to the appropriate users or groups. (You stated that it applies to all your users.)

    Conditional Access Policies:

    Conditional Access policies can also affect the availability of authentication methods.

    Check Policies:

    Go to Security > Conditional Access.

    Review the policies to ensure no restrictions affect your preferred authentication methods.

    This is a quick-start troubleshooter. It is usually relatively straightforward, primarily when it affects everyone and your environment isn't very complex.

    Microsoft provides detailed documentation via many online resources, which may also help. Here are some references.

    Entra Identity

    Entra Conditional Access

    Entra Conditional Access Overview



  3. TylerCOA 0 Reputation points
    2024-07-18T12:57:29.6+00:00

    I have the same issue. What I have discovered is that if a user has no authentication methods currently set up, then the FIDO2 option will not show because Microsoft still hasn't declared it as a "Sign-in method". Essentially, we allow SMS, Authenticator App, and FIDO2 at our org, but the user needs to have either SMS or the Authenticator app set up before they can see the FIDO2 option, because SMS and Authenticator are both allowed as a "Sign-in method" by Microsoft. If the user doesn't want to set one of those other methods up, the workaround is to give them a TAP, because it will count that as a Sign-in method, and once they log in to mysignins.microsoft.com they should be prompted for the TAP and then be able to add a FIDO2 key. Then the TAP will eventually expire based upon your setting in IT. I'm still waiting for them to fix this and allow it as a primary method without needing another one first, especially being that this is supposed to be one of the most secure methods.

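As an added example (not from this thread or from Microsoft), the Microsoft Graph PowerShell script below automates the checks the answers above describe: it confirms FIDO2 is enabled in the tenant's authentication methods policy, lists what the user has already registered, and, when the user has none of the methods that the previous answer says count as a sign-in method, issues a short-lived, one-time TAP so the user can reach Security Info and add a key. The UPN and the 60-minute lifetime are placeholders, and the list of "sign-in method" types is an assumption taken from that answer, not from Microsoft documentation.

```powershell
# Added example: requires the Microsoft.Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns).
Import-Module Microsoft.Graph.Identity.SignIns

# Placeholder: the user you are troubleshooting.
$Upn = 'user@example.com'

Connect-MgGraph -Scopes 'Policy.Read.All', 'UserAuthenticationMethod.ReadWrite.All' -NoWelcome

# 1. Is FIDO2 enabled in the tenant-wide authentication methods policy?
$fido2 = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId 'Fido2'
Write-Host "FIDO2 policy state: $($fido2.State)"
if ($fido2.State -ne 'enabled') {
    Write-Warning 'FIDO2 is disabled in the policy; enable it under Security > Authentication methods first.'
    return
}

# 2. Which methods has this user already registered? Strip the OData prefix for readability.
$methods = Get-MgUserAuthenticationMethod -UserId $Upn
$types = $methods | ForEach-Object {
    $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
}
Write-Host "Registered methods for ${Upn}: $($types -join ', ')"

# 3. Assumption from the answer above: Authenticator, phone (SMS) and TAP count as sign-in methods,
#    while password and email alone do not unlock the Security Key enrolment option.
$signInTypes = @(
    'microsoftAuthenticatorAuthenticationMethod',
    'phoneAuthenticationMethod',
    'temporaryAccessPassAuthenticationMethod',
    'fido2AuthenticationMethod'
)
$hasSignInMethod = @($types | Where-Object { $signInTypes -contains $_ }).Count -gt 0

if ($hasSignInMethod) {
    Write-Host 'User already has a sign-in method; the Security Key option should appear at https://mysignins.microsoft.com/security-info.'
    return
}

# 4. No sign-in method yet: issue a one-time TAP (placeholder lifetime of 60 minutes) so the user
#    can sign in to Security Info and register a FIDO2 key. Deliver the TAP out of band.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $Upn -LifetimeInMinutes 60 -IsUsableOnce
Write-Host "TAP issued for ${Upn} (valid $($tap.LifetimeInMinutes) min, single use): $($tap.TemporaryAccessPass)"
```

Running the script needs an account with the listed Graph scopes consented; the TAP value is printed once and is not retrievable afterwards.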