
FIDO2 Passkey Fails to Satisfy Authentication Strength in Conditional Access

Anonymous 0 Reputation points
2026-04-30T06:10:20.9133333+00:00

Hi,

We are experiencing an issue with Conditional Access and authentication strength.

CA policy configuration:

  • Users: All users (some excluded)
  • Target: All cloud apps
  • Network: Any location
  • Conditions: Not configured
  • Grant: Grant access, require authentication strength ("require one of the selected controls")
  • Session: Sign-in frequency 20 days

Authentication strength includes:

  • FIDO2 passkey
  • Certificate-Based Authentication
  • Microsoft Authenticator (phone sign-in)
  • Temporary Access Pass (one-time use)
  • Password + Microsoft Authenticator (push)

Affected user has the following methods:

  • Email
  • Phone number
  • Software OATH token (TOTP)
  • FIDO2 passkey

Additional settings:

  • System-preferred MFA: FIDO2
  • Default sign-in method (preview): TOTP

Issue:

  • Without CA policy: FIDO2 sign-in works
  • With CA policy: sign-in fails right after entering email

Sign-in logs show: "Require Authentication Strength - baseline-auth-strength: The user could satisfy this authentication strength by registering for one or more MFA methods."

Expectation: FIDO2 passkey is included in the authentication strength and should satisfy the policy.

Troubleshooting:

  • Verified FIDO2 works without CA
  • Confirmed FIDO2 is included in the authentication strength
  • Could not reproduce with other users

Why is the user prompted to register additional MFA methods even though a valid FIDO2 passkey is configured? Are there known scenarios where FIDO2 does not satisfy authentication strength in Conditional Access?

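A diagnostic for a tenant admin to run before opening a case, added here as an example and not part of the question or of Microsoft's own guidance: it resolves the authentication strength the named CA policy actually references, lists what Entra has registered for the user, maps each allowed combination against those registrations, and pulls the step details of recent failed sign-ins. It assumes the Microsoft.Graph PowerShell SDK; `$Upn` is a placeholder, and `$CaPolicyName` is the policy name quoted in the sign-in log above.

```powershell
# Added diagnostic (not from the post). Requires the Microsoft.Graph PowerShell SDK.
# Placeholders: $Upn is the affected user; $CaPolicyName is the policy named in the sign-in log.
param(
    [string]$Upn = 'affected.user@contoso.example',   # placeholder, replace
    [string]$CaPolicyName = 'baseline-auth-strength'   # name quoted in the post's sign-in log
)
Connect-MgGraph -Scopes 'Policy.Read.All','UserAuthenticationMethod.Read.All','AuditLog.Read.All' -NoWelcome

# 1. Resolve the authentication strength the CA policy really references (not the one you assume).
$ca = Get-MgIdentityConditionalAccessPolicy -All | Where-Object DisplayName -eq $CaPolicyName
if (-not $ca) { throw "CA policy '$CaPolicyName' not found" }
$strength = Get-MgPolicyAuthenticationStrengthPolicy -AuthenticationStrengthPolicyId $ca.GrantControls.AuthenticationStrength.Id
"Policy '$($ca.DisplayName)' (state: $($ca.State)) requires strength '$($strength.DisplayName)':"
$strength.AllowedCombinations | ForEach-Object { "  - $_" }

# 2. What Entra has on record for the user; CA evaluates this, not what the sign-in page offers.
$registered = Get-MgUserAuthenticationMethod -UserId $Upn |
    ForEach-Object { $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '' }
"Registered method types for ${Upn}: $($registered -join ', ')"
Get-MgUserAuthenticationFido2Method -UserId $Upn |
    Select-Object DisplayName, Model, AaGuid, CreatedDateTime | Format-Table -AutoSize

# 3. Map each allowed combination onto registered method types (partial mode table; others show 'unmapped').
$modeToType = @{
    fido2 = 'fido2AuthenticationMethod'; softwareOath = 'softwareOathAuthenticationMethod'
    password = 'passwordAuthenticationMethod'; email = 'emailAuthenticationMethod'
    sms = 'phoneAuthenticationMethod'; voice = 'phoneAuthenticationMethod'
    microsoftAuthenticatorPush = 'microsoftAuthenticatorAuthenticationMethod'
    temporaryAccessPassOneTime = 'temporaryAccessPassAuthenticationMethod'
}
foreach ($combo in $strength.AllowedCombinations) {
    $state = foreach ($m in ($combo -split ',')) {
        if (-not $modeToType.ContainsKey($m)) { 'unmapped' }
        elseif ($registered -contains $modeToType[$m]) { 'registered' } else { 'missing' }
    }
    "{0,-45} {1}" -f $combo, ($state -join '+')
}

# 4. Recent failed sign-ins: which policy fired, its result, and which authentication step failed.
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn'" -Top 20 |
    Where-Object { $_.Status.ErrorCode -ne 0 } | Select-Object -First 5 | ForEach-Object {
        $p = $_.AppliedConditionalAccessPolicies | Where-Object DisplayName -eq $CaPolicyName
        [pscustomobject]@{
            Time   = $_.CreatedDateTime
            Error  = $_.Status.ErrorCode
            Policy = $p.Result
            Steps  = ($_.AuthenticationDetails | ForEach-Object { "$($_.AuthenticationMethod)=$($_.Succeeded)" }) -join ' | '
            Reason = $_.Status.FailureReason
        }
    } | Format-Table -AutoSize
```

If step 3 shows `fido2` as `registered` while the sign-in still fails at the email prompt, the gap is in the sign-in flow (for example which method the user is offered first), not in the user's registrations, which narrows what to put in the support case.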