
DUO in Azure as FIDO2 security key vendor

Juraj Ban
Level 1

Hi, 

I have tested the DUO EAM integration and it's working (passkey is the main feature of the test), but when utilizing Microsoft Conditional Access Policy there is a challenge: it does not understand the EAM integration as "Strong (Phishing resistant) authentication". It only satisfies the MFA check but not the strength. I also cannot enforce different policies based on Risk conditions from the Microsoft side.

If I take a look at MS Authenticator, they added it as a FIDO2 security key vendor (GUIDs in code): https://learn.microsoft.com/en-us/entra/identity/authentication/concept-fido2-hardware-vendor

Enforce key restrictions should be set to Yes only if your organization wants to only allow or disallow certain passkeys, which are identified by their Authenticator Attestation GUID (AAGUID). If you want, you can manually enter the Authenticator app AAGUIDs or specifically restrict only Android or iOS devices. Otherwise, you can manually add the following AAGUIDs to enable the Authenticator passkey preview:
Authenticator for Android: de1e552d-db1d-4423-a619-566b625cdc84
Authenticator for iOS: 90a3ccdf-635c-4729-a248-9b709135078f

After that I can log in with a passkey and mobile phone without the need for a password. Is there something like this on the roadmap for DUO authenticator (how MS created its authenticator as a FIDO2 security key vendor), or better integration over EAM without the need to federate with DUO but to be able to log in to Azure with "Sign-in Options -> Face, fingerprint, PIN or Security Key"?
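
The key restriction quoted in the post works on the AAGUID that an authenticator reports at registration. As an added illustration (not part of the original post, and not Microsoft's or Duo's code), this sketch shows where the AAGUID sits in WebAuthn authenticator data and how an allow-list check against the two AAGUIDs above behaves; the RP ID `login.example`, the helper names and the sample inputs are assumptions constructed for the example.

```python
import hashlib
import uuid

# AAGUIDs quoted in the post above (Microsoft Authenticator passkey preview).
ALLOWED_AAGUIDS = {
    uuid.UUID("de1e552d-db1d-4423-a619-566b625cdc84"): "Authenticator for Android",
    uuid.UUID("90a3ccdf-635c-4729-a248-9b709135078f"): "Authenticator for iOS",
}
FLAG_AT = 0x40  # flags bit: attested credential data is present


def extract_aaguid(auth_data: bytes) -> uuid.UUID:
    """Pull the AAGUID out of WebAuthn authenticator data from a registration."""
    # Layout: rpIdHash(32) | flags(1) | signCount(4) | AAGUID(16) | credIdLen(2) | ...
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than its fixed header")
    if not auth_data[32] & FLAG_AT:
        raise ValueError("AT flag clear: no AAGUID in this authenticator data")
    if len(auth_data) < 55:
        raise ValueError("attested credential data is truncated")
    return uuid.UUID(bytes=auth_data[37:53])


def check_key_restriction(auth_data: bytes, enforce: bool = True):
    """Apply an allow-list key restriction; returns (permitted, authenticator)."""
    aaguid = extract_aaguid(auth_data)
    name = ALLOWED_AAGUIDS.get(aaguid)
    permitted = (name is not None) or not enforce
    return permitted, name or str(aaguid)


def build_sample_auth_data(aaguid: str, attested: bool = True) -> bytes:
    """Constructed input (hypothetical RP ID, dummy credential ID, no COSE key)."""
    flags = 0x05 | (FLAG_AT if attested else 0)  # UP + UV, optionally AT
    data = hashlib.sha256(b"login.example").digest() + bytes([flags])
    data += (1).to_bytes(4, "big")  # signCount
    if attested:
        cred_id = b"\x01" * 16
        data += uuid.UUID(aaguid).bytes + len(cred_id).to_bytes(2, "big") + cred_id
    return data


if __name__ == "__main__":
    for guid in ("90a3ccdf-635c-4729-a248-9b709135078f",
                 "00000000-0000-0000-0000-000000000001"):  # second one is made up
        print(guid, check_key_restriction(build_sample_auth_data(guid)))
```

The AAGUID is only authenticated when the attestation statement that covers it is verified; without attestation it is a value the client reports about itself.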

Accepted Solutions

landyn
Cisco Employee

@Juraj Ban it is not yet possible to use Microsoft's "Authentication Strengths" feature with EAM, but they do plan to add it in the future. For now, you can use application or group policies in Duo to enforce stronger authentication methods.

It is also on Microsoft's roadmap for an EAM to be usable as a passwordless factor. We do not have timeframes for these but expect Microsoft to release these iterations over time.
