09-18-2024 06:57 AM
Hi,
I have tested the DUO EAM integration and it's working (passkey is the main feature of the test), but when utilizing Microsoft Conditional Access Policy there is a challenge: it does not understand the EAM integration as "Strong (Phishing resistant) authentication". It only satisfies the MFA check but not the strength. I also cannot enforce different policies based on Risk conditions from the Microsoft side.
If I take a look at MS Authenticator, they added it to FIDO2 security key vendor (GUIDs in code): https://learn.microsoft.com/en-us/entra/identity/authentication/concept-fido2-hardware-vendor
Enforce key restrictions should be set to Yes only if your organization wants to only allow or disallow certain passkeys, which are identified by their Authenticator Attestation GUID (AAGUID). If you want, you can manually enter the Authenticator app AAGUIDs or specifically restrict only Android or iOS devices. Otherwise, you can manually add the following AAGUIDs to enable the Authenticator passkey preview:
Authenticator for Android: de1e552d-db1d-4423-a619-566b625cdc84
Authenticator for iOS: 90a3ccdf-635c-4729-a248-9b709135078f
After that I can log in with a passkey and mobile phone without the need for a password. Is there something like this on the roadmap for DUO authenticator (how MS created its authenticator as a FIDO2 security key vendor), or better integration over EAM without the need to federate with DUO but to be able to log in to Azure with "Sign-in Options -> Face, fingerprint, PIN or Security Key"?
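The AAGUID-based key restriction quoted in the post above, as an added example that is not part of the original post and not Microsoft's or Duo's code: it reads the AAGUID out of WebAuthn authenticator data and checks it against the two Authenticator AAGUIDs listed. The function names, the sample builder and the `login.example` RP ID are assumptions made for illustration.

```python
import hashlib
import struct
import uuid

# AAGUIDs quoted in the post above (Authenticator passkey preview).
ALLOWED_AAGUIDS = {
    uuid.UUID("de1e552d-db1d-4423-a619-566b625cdc84"): "Authenticator for Android",
    uuid.UUID("90a3ccdf-635c-4729-a248-9b709135078f"): "Authenticator for iOS",
}

FLAG_AT = 0x40  # WebAuthn flag bit: attested credential data is present


def extract_aaguid(auth_data: bytes) -> uuid.UUID:
    """Return the AAGUID from WebAuthn authenticator data, or raise ValueError."""
    # Fixed header: rpIdHash (32) + flags (1) + signCount (4) = 37 bytes.
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than fixed header")
    if not auth_data[32] & FLAG_AT:
        raise ValueError("no attested credential data (AT flag clear)")
    # Attested credential data: aaguid (16) + credentialIdLength (2) + credentialId.
    if len(auth_data) < 55:
        raise ValueError("truncated attested credential data")
    aaguid = uuid.UUID(bytes=auth_data[37:53])
    (cred_len,) = struct.unpack(">H", auth_data[53:55])
    if len(auth_data) < 55 + cred_len:
        raise ValueError("credential ID runs past end of authenticator data")
    return aaguid


def check_key_restriction(auth_data: bytes) -> tuple[bool, str]:
    """Allow-list decision: (allowed, authenticator label or rejection reason)."""
    try:
        aaguid = extract_aaguid(auth_data)
    except ValueError as exc:
        return False, str(exc)
    label = ALLOWED_AAGUIDS.get(aaguid)
    return (True, label) if label else (False, f"AAGUID {aaguid} not in allow-list")


def build_sample(aaguid: uuid.UUID, flags: int = 0x45) -> bytes:
    """Constructed input: header + AAGUID + 16-byte dummy credential ID."""
    header = hashlib.sha256(b"login.example").digest() + bytes([flags])
    header += struct.pack(">I", 0)  # signCount
    return header + aaguid.bytes + struct.pack(">H", 16) + bytes(16)
```

An AAGUID is only as trustworthy as the attestation statement that carries it, so a relying party enforcing such a list should also verify attestation rather than accept a self-asserted value.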
09-19-2024 08:24 AM
@Juraj Ban it is not yet possible to use Microsoft's "Authentication Strengths" feature with EAM, but they do plan to add it in the future. For now, you can use application or group policies in Duo to enforce stronger authentication methods.
It is also on Microsoft's roadmap for an EAM to be usable as a passwordless factor. We do not have timeframes for these but expect Microsoft to release these iterations over time.