almperez asked MarileeTurscak-MSFT edited

Cannot use Microsoft Authenticator app

Hi,

At my company we are using Azure MFA, and we have a secure area where employees cannot take phones.
Using the phone call is not suitable because of security requirements. We are testing a USB token and it works as expected, but I have 2 questions:

1) Is there a way to set the USB token as the default instead of a phone number or Microsoft Authenticator?
2) Is it possible to use a fingerprint reader like the following one to authenticate users, storing the fingerprint in AD/Azure AD?

Thanks


1 Answer

MarileeTurscak-MSFT answered MarileeTurscak-MSFT edited
1. Based on my research, you cannot set Security Key as the default login option for all users on everything, because not all Microsoft applications currently support security key-based sign-in (for example, Azure AD PowerShell, login to Azure AD/Office 365 services on iOS, or even Outlook/Teams running on Windows). Security key (FIDO2) based sign-in is an optional feature and is not enforced, since not all Microsoft services are compatible with security key-based login.

Rather than changing the default, users can add the USB key and select "sign in another way". Or they could delete the other verification methods.

They do also have the option to specify a security key as the preferred method to open the lock screen. https://docs.microsoft.com/en-us/azure/active-directory/user-help/user-help-sign-in?toc=./toc.json#sign-in-using-a-security-key-at-the-lock-screen


https://support.yubico.com/hc/en-us/articles/360015669179-Using-YubiKeys-with-Azure-MFA-OATH-TOTP
https://techcommunity.microsoft.com/t5/azure-active-directory-identity/hardware-oath-tokens-in-azure-mfa-in-the-cloud-are-now-available/ba-p/276466
https://www.reddit.com/r/sysadmin/comments/gwice3/microsoft_mfa_with_usb_key_as_default/

2. Windows Hello for Business with Intune will allow users to authenticate using a fingerprint reader. If they do this, they are required to have both biometrics and a PIN set up. The data is stored on the local device, though, and not stored in Azure.

"Windows Hello for Business is an alternative sign-in method that uses Active Directory or an Azure Active Directory account to replace a password, smart card, or a virtual smart card. It lets you use a user gesture to sign in, instead of a password. A user gesture might be a PIN, biometric authentication such as Windows Hello, or an external device such as a fingerprint reader."
