Azure (and 365) Mandatory MFA and FIDO2

Jon Kilner 66 Reputation points
2025-01-10T12:22:42.7166667+00:00

We delayed the deployment of mandatory MFA to allow us to plan for the change, purchasing YubiKeys to be used by our break-glass account(s).

Setting the keys up, I'm told the accounts first need to setup an alternative MFA method before the key can be enrolled.

Why is this. If an account doesn't have MFA setup already, then there's no benefit to setting up another MFA method before I can enroll the YubiKey.

Obviously I can setup MFA for the break-glass accounts, setup the YubiKey, then remove the other MFA method. Unless I'm missing something, it seems an unnecessary step that doesn't improve security. Why can't you just setup a security key without having another MFA method setup first?

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,900 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. BANDELA Siri Chandana 1,315 Reputation points Microsoft Vendor
    2025-01-13T06:13:47.0833333+00:00

    Hi @Jon Kilner

    Thank you for posting your issue on Microsoft Q&A.

    I understand that you are trying to set up MFA for the break-glass accounts, setup the YubiKey. You are told that accounts first need to setup an alternative MFA method before the key can be enrolled.

    Yes, you need to Sign in with multifactor authentication (MFA) before adding a passkey, if you don't have at least one MFA method registered, you must add one. If not, there would be no way to verify the identity of the user attempting to enroll the YubiKey.

    To setup passkey it is mandatory to sign in with multi factor authentication.

    User's image

    Enabling more than one MFA method so that users have a backup method available in case their primary method is unavailable. Having an existing MFA method provides a security layer to protect the account during the YubiKey enrollment process.

    Hope this helps. Do let us know if you have any further queries.

    If this answers your query, do click `Accept Answer` and `Yes`.

    Thanks,

    B. Siri Chandana.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.