Setting security key (for ex: YubiKey) as default sign-in method for Azure user?

marbuna sells 36 Reputation points
2020-05-19T06:27:00.097+00:00

Hi!

I have two questions about using a security key as MFA in my organization:

1. How can I set the security key as a default sign-in method?

2. How can I disable the option of using SMS as an MFA for just some users (those who have a security token) and let other users keep using SMS as MFA?
Microsoft Entra ID

Accepted answer
  1. Anuj Rana 211 Reputation points
    2020-05-19T19:00:32.25+00:00

    Please check the answers to both queries below:

    How can I set the security key as a default sign-in method?

    You cannot set Security Key as the default login option for users because not all Microsoft applications currently support security key based sign-in. E.g.: Azure AD PowerShell, login to Azure AD/Office 365 services on iOS, or even with Outlook/Teams etc. running on Windows. Security key (FIDO2) based sign-in is an optional feature, and unless all Microsoft services are compatible with security key based login, it won't make sense to force it. Alternatively, you can use MS Authenticator app based sign-in as the default method, as it is supported by all web and modern authentication supported clients.

    How can I disable the option of using SMS as an MFA for just some users (those who have a security token) and let other users keep using SMS as MFA?

    MFA methods can be set on tenant level, which means if you want to disable SMS as an MFA method, you can do it from MFA settings; however, it will remove this option for all users. I believe the best option will be to keep MFA methods like Authenticator App, OATH token (hard token) and phone call. SMS is anyway not considered a secure option and should be used only when other, better options cannot be used.

    [Image: 8439-mfa-method.png]

    I hope this answers your queries; if not, please let me know and I will try to help you further.


1 additional answer

  1. Manu Philip 16,951 Reputation points MVP
    2020-05-19T07:22:15.827+00:00

    Hi @marbuna sells

    Following are the answers.

    1. Go to the below section.
      Azure Active Directory > Security > MFA > Getting started > Configure > Additional cloud-based MFA settings
      Select the required verification option(s)
    2. To set up different permissions for selected users, you may need to create user groups in AD and assign the required permissions to the group. The following link will guide you to go for conditional access:

    https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa#create-a-conditional-access-policy

    Regards,
    Manu
