Merge pull request #96388 from FrankBoylan92/patch-5

Jak-MS · web-flow · commit 457aefdd2a76 · 2022-08-01T13:44:00.000-07:00
Note on WHfB and Step-up Authentication
diff --git a/articles/active-directory/authentication/concept-authentication-methods.md b/articles/active-directory/authentication/concept-authentication-methods.md
@@ -62,7 +62,7 @@ The following table outlines when an authentication method can be used during a
 
 | Method                         | Primary authentication | Secondary authentication  |
 |--------------------------------|:----------------------:|:-------------------------:|
-| Windows Hello for Business     | Yes                    | MFA                       |
+| Windows Hello for Business     | Yes                    | MFA\*                      |
 | Microsoft Authenticator app    | Yes                    | MFA and SSPR              |
 | FIDO2 security key             | Yes                    | MFA                       |
 | OATH hardware tokens (preview) | No                     | MFA and SSPR              |
@@ -71,6 +71,8 @@ The following table outlines when an authentication method can be used during a
 | Voice call                     | No                     | MFA and SSPR              |
 | Password                       | Yes                    |                           |
 
+> \* Windows Hello for Business, by itself, does not serve as a step-up MFA credential. For example, an MFA Challenge from Sign-in Frequency or SAML Request containing forceAuthn=true. Windows Hello for Business can serve as a step-up MFA credential by being used in FIDO2 authentication. This requires users to be enabled for FIDO2 authentication to work sucessfully.
+
 All of these authentication methods can be configured in the Azure portal, and increasingly using the [Microsoft Graph REST API](/graph/api/resources/authenticationmethods-overview).
 
 To learn more about how each authentication method works, see the following separate conceptual articles:
