
Setting up a phishing-resistant MFA in Entra ID

Using conditional access policies, it's a 2-step process. Under Access controls\Grant, select Grant access\Require authentication strength\Multifactor authentication. We can't go straight to requiring phishing-resistant authentication yet: the user first has to register an ordinary MFA method, then use that MFA method to register a FIDO2 security key or passkey.

On the user side, log in to portal.office.com. It prompts for the traditional UPN/password, then asks to set up MFA. We can use Microsoft Authenticator here with the QR code presented; it prompts for number matching/OTP and uses this as the default second-factor sign-in method.

Go to mysignins.microsoft.com, Security info, and you should see the password and Microsoft Authenticator, but the Authenticator push notification is still not phishing resistant. At this point, the user can add (1) a passkey in Microsoft Authenticator, or (2) a security key such as a YubiKey.

Running the Microsoft Graph PowerShell cmdlet that lists a user's authentication methods shows the same 2 items for this user.

# Requires the Microsoft.Graph PowerShell SDK; this scope is enough to read a user's methods
Connect-MgGraph -Scopes "UserAuthenticationMethod.Read.All"
# Each method comes back as a generic object; the concrete type is in AdditionalProperties["@odata.type"]
Get-MgUserAuthenticationMethod -UserId <upn> | ForEach-Object {Write-Host $_.AdditionalProperties["@odata.type"] $_.AdditionalProperties.deviceTag}
# Output (the leading '#' is part of the @odata.type value, not a comment):
#microsoft.graph.passwordAuthenticationMethod 
#microsoft.graph.microsoftAuthenticatorAuthenticationMethod SoftwareTokenActivated

Let's add a passkey: Add sign-in method, Passkey in Microsoft Authenticator. This may prompt for an MFA using the push notification (registering a passkey requires an MFA authentication within the last 5 minutes); if it does, complete it and go back to Security info. This is where the process got stuck for a moment: it auto-prompted for the passkey creation but could not proceed for some reason, so I closed the prompt and restarted the creation of a new sign-in method. This time the prompts proceeded and I just followed the instructions.

This is what mysignins.microsoft.com looks like now, and it also defaulted the sign-in method to this passkey. Running the same Graph PowerShell cmdlet shows the new passkey as well; note that it is registered as a FIDO2 method.

# Same cmdlet as above; the Authenticator passkey shows up as a fido2AuthenticationMethod
Get-MgUserAuthenticationMethod -UserId <upn> | ForEach-Object {Write-Host $_.AdditionalProperties["@odata.type"] $_.AdditionalProperties.deviceTag}
#microsoft.graph.passwordAuthenticationMethod 
#microsoft.graph.fido2AuthenticationMethod
#microsoft.graph.microsoftAuthenticatorAuthenticationMethod SoftwareTokenActivated

When I log in as this user account again, I can choose "Use your face, fingerprint, PIN, or security key instead", and I get a QR code that I can scan with the Microsoft Authenticator passkey.

Requirement: this phishing-resistant method requires proximity, in this case BLE (Bluetooth Low Energy). Both the client device (Mac or Windows) and the mobile device (iOS or Android running the Microsoft Authenticator app) must have Bluetooth turned on at the time of authentication. The QR code alone is not the control; the Bluetooth proximity check is what stops a remote phishing site from relaying the login to the phone.

Now let's add a YubiKey. I personally like this method as I find it less cumbersome than the Microsoft Authenticator passkey, and you can pass a USB security key through to a VM or VDI session, whereas that is technically more challenging with Bluetooth.

Go to mysignins.microsoft.com, Security info, Add sign-in method, Security key. In my case I have a USB YubiKey, so I select USB and follow the prompts (this assumes you have already set up the YubiKey and it has a FIDO2 PIN). The proximity requirement here is simply touching the sensor on the YubiKey. Again, this is how it looks in both the GUI and PowerShell.

# displayName tells the two FIDO2 credentials apart: the security key and the Authenticator passkey
Get-MgUserAuthenticationMethod -UserId <upn> | ForEach-Object {Write-Host $_.AdditionalProperties["@odata.type"] $_.AdditionalProperties.deviceTag $_.AdditionalProperties["displayName"]}
#microsoft.graph.passwordAuthenticationMethod  
#microsoft.graph.fido2AuthenticationMethod  yubikey
#microsoft.graph.fido2AuthenticationMethod  Authenticator: Default Profile
#microsoft.graph.microsoftAuthenticatorAuthenticationMethod SoftwareTokenActivated
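Before switching the policy to phishing-resistant MFA it is worth running the same check across every user in scope, not just one. The script below is an added example, not code from the original post: it walks the members of a pilot group (the group name "MFA-PhishingResistant-Pilot" is hypothetical), lists each user's registered methods the same way as the one-liner above, and flags anyone who has no FIDO2 credential yet. The set of method types treated as phishing resistant is an assumption based on the built-in Phishing-resistant MFA strength (FIDO2, Windows Hello for Business, certificate-based authentication).

```powershell
# Added example (not from the original post): report which pilot-group members
# have a phishing-resistant method registered before the CA policy is tightened.
# Assumes the Microsoft.Graph SDK and a hypothetical group "MFA-PhishingResistant-Pilot".
Connect-MgGraph -Scopes "UserAuthenticationMethod.Read.All","GroupMember.Read.All","User.Read.All" -NoWelcome

$groupName = "MFA-PhishingResistant-Pilot"   # hypothetical pilot group
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found" }

# Method types that satisfy the built-in Phishing-resistant MFA strength (assumption).
# Security keys and Authenticator passkeys both appear as fido2AuthenticationMethod.
$phishingResistant = @(
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod',
    '#microsoft.graph.x509CertificateAuthenticationMethod'
)

$report = foreach ($member in Get-MgGroupMember -GroupId $group.Id -All) {
    # Group members are directoryObjects; skip nested groups, devices, service principals
    if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
    $upn = $member.AdditionalProperties['userPrincipalName']

    $methods = Get-MgUserAuthenticationMethod -UserId $member.Id
    # @() keeps $types an array even when the user has a single method
    $types = @($methods | ForEach-Object { $_.AdditionalProperties['@odata.type'] })

    # Names of the FIDO2 credentials, e.g. "yubikey" or "Authenticator: Default Profile"
    $fidoNames = $methods |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.fido2AuthenticationMethod' } |
        ForEach-Object { $_.AdditionalProperties['displayName'] }

    [pscustomobject]@{
        User              = $upn
        PhishingResistant = [bool]($types | Where-Object { $phishingResistant -contains $_ })
        Fido2Credentials  = ($fidoNames -join '; ')
        PasswordOnly      = ($types.Count -eq 1 -and $types[0] -eq '#microsoft.graph.passwordAuthenticationMethod')
        MethodCount       = $types.Count
    }
}

$report | Sort-Object PhishingResistant, User | Format-Table -AutoSize

# The users to chase before "Require authentication strength\Phishing-resistant MFA" is enforced
$notReady = $report | Where-Object { -not $_.PhishingResistant } | Select-Object -ExpandProperty User
Write-Host "Users without a phishing-resistant method: $($notReady.Count)"
$notReady
```

Users listed under PasswordOnly have not even registered Authenticator yet, so they would need the first (plain MFA) policy before they can register a passkey at all.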

Next, we go back to the conditional access policy and require phishing-resistant authentication. Under Access controls\Grant, select Grant access\Require authentication strength\Phishing-resistant MFA. Before enforcing it, make sure every user in scope has a FIDO2 method registered and keep the break-glass accounts excluded from the policy; a user in scope with only password and Authenticator push is locked out at the next sign-in.
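The same two-step policy change can be scripted with Graph PowerShell, which makes the exclusion of break-glass accounts and the switch from one authentication strength to the other explicit. The block below is an added example, not code from the original post. It assumes the pilot group "MFA-PhishingResistant-Pilot" and the break-glass group "BreakGlass-Accounts" (both hypothetical names) exist, and it uses the IDs of the built-in authentication strengths, which can be confirmed with Get-MgPolicyAuthenticationStrengthPolicy.

```powershell
# Added example (not from the original post): create the conditional access policy
# with the ordinary MFA strength first, then raise it to Phishing-resistant MFA.
# Assumes hypothetical groups "MFA-PhishingResistant-Pilot" and "BreakGlass-Accounts".
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Group.Read.All" -NoWelcome

# Built-in authentication strength policy IDs; verify with Get-MgPolicyAuthenticationStrengthPolicy
$MfaStrength               = "00000000-0000-0000-0000-000000000002"   # Multifactor authentication
$PhishingResistantStrength = "00000000-0000-0000-0000-000000000004"   # Phishing-resistant MFA

$pilot      = Get-MgGroup -Filter "displayName eq 'MFA-PhishingResistant-Pilot'"
$breakGlass = Get-MgGroup -Filter "displayName eq 'BreakGlass-Accounts'"
if (-not $pilot -or -not $breakGlass) { throw "Pilot or break-glass group not found; refusing to create a policy without an exclusion" }

# Step 1: require plain MFA so users can register Authenticator, then a passkey or security key.
# Scoped to the pilot group, with break-glass accounts excluded (never remove this exclusion).
$body = @{
    displayName = "CA-Pilot-RequireAuthStrength"
    state       = "enabled"
    conditions  = @{
        users          = @{ includeGroups = @($pilot.Id); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $MfaStrength }
    }
}
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
Write-Host "Created policy $($policy.Id) requiring strength $MfaStrength"

# Step 2 (run only after every pilot user has a FIDO2 method registered):
# switch the same policy to the Phishing-resistant MFA strength. Password + push no longer satisfies it.
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter @{
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $PhishingResistantStrength }
    }
}

# Confirm what the policy now requires
(Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id).GrantControls.AuthenticationStrength.Id
```

Creating step 2 as a separate policy in "enabledForReportingButNotEnforced" state for a few days is a reasonable alternative: the sign-in logs then show who would have been blocked without anyone actually being locked out.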

On the user login, the password prompt is still shown, but password plus push no longer satisfies the policy; the sign-in goes straight to the passkey or YubiKey. So there is no need to type a password: click the "Use your face, fingerprint, PIN, or security key instead" link.

Since the password/MFA option is no longer allowed, the user can fix that by changing the default sign-in method in Security info to "App based authentication or hardware token - code".

After that, the login screen goes straight to either the passkey or the YubiKey as soon as the user's email is entered.

Or the admin can change that user's sign-in preference via Graph PowerShell so that the password prompt isn't shown. If the tenant setting for system-preferred multifactor authentication is set to either "Microsoft managed" or "Enabled", though, you won't be able to revert the user to a less secure MFA method: the system always picks the strongest registered method. As you can see below, isSystemPreferredAuthenticationMethodEnabled is True for the user, and the image shows the tenant setting. You can exclude the members of a group from system-preferred MFA to revert this.


#-- Get the existing sign-in preferences for the user (beta endpoint)
Connect-MgGraph -Scopes "UserAuthenticationMethod.Read.All"
$u = Get-MgUser -UserId <upn>
$userid = $u.Id
# signInPreferences shows whether system-preferred MFA applies and which method it picked
$authprefs = Invoke-MgGraphRequest -Method GET -Uri "/beta/users/$userid/authentication/signInPreferences"
$authprefs | Format-Table -AutoSize
Name                                          Value
----                                          -----
@odata.context                                https://graph.microsoft.com/beta/$metadata#users('c115921f-23f6-4b64-...
isSystemPreferredAuthenticationMethodEnabled  True
systemPreferredAuthenticationMethod           Fido2
userPreferredMethodForSecondaryAuthentication push

When excluded, the setting changes to this:


Name                                          Value
----                                          -----
@odata.context                                https://graph.microsoft.com/beta/$metadata#users('c115921f-23f6-4b64-... 
isSystemPreferredAuthenticationMethodEnabled  False
systemPreferredAuthenticationMethod
userPreferredMethodForSecondaryAuthentication push

It doesn't look like I can set system-preferred MFA for a single user via PowerShell (the value on the user reflects the tenant policy), so instead I created an Entra security group and used that as the include target for the system-preferred MFA setting. The user's preferences then go back to this:


Name                                          Value
----                                          -----
@odata.context                                https://graph.microsoft.com/beta/$metadata#users('c115921f-23f6-4b64-... 
isSystemPreferredAuthenticationMethodEnabled  True
systemPreferredAuthenticationMethod           Fido2
userPreferredMethodForSecondaryAuthentication push
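The group-based scoping done above in the admin center can also be done with Graph, which is useful when the include and exclude groups are managed as code. The block below is an added example, not code from the original post. It assumes the beta authenticationMethodsPolicy resource with its systemCredentialPreferences property, and hypothetical groups "MFA-PhishingResistant-Pilot" (include) and "MFA-Legacy-Exception" (exclude); the user UPN at the end is a placeholder.

```powershell
# Added example (not from the original post): scope system-preferred MFA to an include
# group with an exclude group carved out, then confirm the effect on one user.
# Assumes the beta authenticationMethodsPolicy.systemCredentialPreferences property and
# hypothetical groups "MFA-PhishingResistant-Pilot" and "MFA-Legacy-Exception".
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod","UserAuthenticationMethod.Read.All","Group.Read.All" -NoWelcome

$include = Get-MgGroup -Filter "displayName eq 'MFA-PhishingResistant-Pilot'"
$exclude = Get-MgGroup -Filter "displayName eq 'MFA-Legacy-Exception'"
if (-not $include -or -not $exclude) { throw "Include or exclude group not found" }

# Read the current tenant-wide setting: "default" = Microsoft managed, "enabled", or "disabled"
$policy = Invoke-MgGraphRequest -Method GET -Uri "/beta/policies/authenticationMethodsPolicy"
Write-Host "Current systemCredentialPreferences:"
$policy.systemCredentialPreferences | ConvertTo-Json -Depth 5

# Enable system-preferred MFA for the include group and exempt the exception group.
# Exempted users keep their own default (e.g. push) and can still be reverted to weaker MFA.
$body = @{
    systemCredentialPreferences = @{
        state          = "enabled"
        includeTargets = @(@{ id = $include.Id; targetType = "group" })
        excludeTargets = @(@{ id = $exclude.Id; targetType = "group" })
    }
}
Invoke-MgGraphRequest -Method PATCH -Uri "/beta/policies/authenticationMethodsPolicy" -Body $body

function Get-SignInPreference {
    param([string]$Upn)
    $u = Get-MgUser -UserId $Upn
    # Same per-user read-out as earlier in the post
    Invoke-MgGraphRequest -Method GET -Uri "/beta/users/$($u.Id)/authentication/signInPreferences"
}

# A member of the include group with a security key or passkey registered should show
# isSystemPreferredAuthenticationMethodEnabled = True and systemPreferredAuthenticationMethod = Fido2;
# a member of the exclude group should show False with an empty system-preferred method.
Get-SignInPreference -Upn "pilot.user@contoso.com" | Format-Table -AutoSize   # placeholder UPN
```

Keep the exclude group small and reviewed: anyone in it can be pushed back to push-notification MFA, which is exactly the method the conditional access policy above is meant to retire.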

Microsoft's documentation on how the methods are ranked: How does system-preferred MFA determine the most secure method
