Azure MFA authentication: Can I configure MFA to use username/password as first and FIDO2 as second authentication method?

Wim 1 Reputation point
2022-02-21T08:32:57.147+00:00

Azure MFA authentication: Can I configure MFA to use username/password as first and FIDO2 as second authentication method?
And if the answer is yes...
If Azure MFA is used as second authentication method in ADFS (with the ADFS plugin), does that also work with FIDO2 as the second authentication method?


3 answers

  1. Simon Burbery 691 Reputation points
    2022-02-21T09:12:14.69+00:00

    Yes, you can; that is how it works by default: the token is used for the 2nd factor (instead of phone) after entering user/password. Make sure the hardware token option is set as the default method under the user settings at https://myaccount.microsoft.com and that the hardware token option is enabled in the MFA settings portal: https://account.activedirectory.windowsazure.com/UserManagement/MfaSettings.aspx

    Do you need ADFS for 365, or is it just there 'because'? I would look at running AD Connect and moving to password hash or pass-through auth for 365 (in a planned way, of course!). You can still use ADFS if you require it for other apps. You can even create an Azure AD group and do a staged migration, which allows you to put some test users into the group so they can test the change before you move all users across. https://portal.azure.com/#blade/Microsoft_AAD_IAM/StagedRolloutEnablementBladeV2

    If you have to keep ADFS, make sure it is not using the on-premises MFA server; move to using Azure MFA:
    https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-migrate-mfa-server-to-azure-mfa-user-authentication


  2. Wim 1 Reputation point
    2022-02-24T13:41:20.677+00:00

    Hi Simon,

    Thank you for your feedback.
    For now we still have to deal with ADFS, unfortunately :-(
    I am trying to achieve the MFA authentication with a Yubikey 5 NFC.
    For your info: I did not enable FIDO2 as an authentication method within [Azure AD / Security / Authentication methods] (assuming that it is not required; correct me if I am wrong).
    Within [Azure AD / Security / MFA / Configure additional cloud-based MFA settings] the enabled methods are: message via mobile app & verification code from mobile app or hardware token.

    With these settings I can configure the Yubico Authenticator app in combination with the Yubikey, and this combination can be used to generate an OTP which can be used for MFA.
    But preferably we would not use the Yubico Authenticator.
    The preferred scenario would be the following MFA authentication: username/password + placing the Yubikey in the USB port.
    But is this possible, and if yes... how?

    Wim


  3. Simon Burbery 691 Reputation points
    2022-02-25T04:15:41.287+00:00

    I see there is a link from that model to 'certificate-based' auth with ADFS... not something I've done before; here are the links. It looks like the Yubikey 5 is FIDO2 compliant, so you should be able to get it working. I need to know a bit more about your scenario. What OS are you testing with? How is it working at the moment? Do you load a browser and log in, and then it prompts for the key only? ADFS may be doing SSO, therefore you wouldn't get a prompt for username/password, but you would get the 2nd prompt for the Yubikey. Have you tried using an incognito window?
    Link: https://www.yubico.com/nz/setup/yubikey-5-series/
    Which links to: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs
