articles/active-directory/authentication/concept-certificate-based-authentication-technical-deep-dive.md
16 additions & 16 deletions
@@ -76,22 +76,22 @@ Now we'll walk through each step:
76
76
77
77
## Certificate-based authentication is MFA capable
78
78
79
-
Microsoft Entra CBA is an MFA (multifactor authentication) capable method, that is Microsoft Entra CBA can be either Single (SF) or multifactor (MF) depending on the tenant configuration. Enabling CBA for a user indicates the user is potentially capable of MFA. This means a user may need additional configuration to get MFA and proof up to register other authentication methods when the user is in scope for CBA.
80
-
81
-
If CBA enabled user only has a Single Factor (SF) certificate and need MFA
82
-
1. Use Password + SF certificate.
83
-
1. Issue Temporary Access Pass (TAP)
84
-
1.Admin adds Phone Number to user account and allows Voice/text message method for user.
85
-
86
-
If CBA enabled user has not yet been issued a certificate and need MFA
87
-
1. Issue Temporary Access Pass (TAP)
88
-
1.Admin adds Phone Number to user account and allows Voice/text message method for user.
89
-
90
-
If CBA enabled user cannot use MF cert (such as on mobile device without smart card support) and need MFA
91
-
1. Issue Temporary Access Pass (TAP)
92
-
1. User Register another MFA method (when user can use MF cert)
93
-
1. Use Password + MF cert (when user can use MF cert)
94
-
1.Admin adds Phone Number to user account and allows Voice/text message method for user
79
+
Microsoft Entra CBA is capable of multifactor authentication (MFA) method. Microsoft Entra CBA can be either single-factor (SF) or multifactor (MF) depending on the tenant configuration. Enabling CBA makes a user potentially capable to complete MFA. A user may need more configuration to complete MFA, and proof up to register other authentication methods when the user is in scope for CBA.
80
+
81
+
If the CBA-enabled user only has a Single Factor (SF) certificate and needs to complete MFA:
82
+
1. Use a password and SF certificate.
83
+
1. Issue a Temporary Access Pass.
84
+
1.Authentication Policy Administrator adds a phone number and allows voice/text message authentication for the user account.
85
+
86
+
If the CBA-enabled user hasn't yet been issued a certificate and needs to complete MFA:
87
+
1. Issue a Temporary Access Pass.
88
+
1.Authentication Policy Administrator adds a phone number and allows voice/text message authentication for the user account.
89
+
90
+
If the CBA-enabled user can't use an MF cert, such as on mobile device without smart card support, and needs to complete MFA:
91
+
1. Issue a Temporary Access Pass.
92
+
1. User needs to register another MFA method (when user can use MF cert).
93
+
1. Use password and MF cert (when user can use MF cert).
94
+
1.Authentication Policy Administrator adds a phone number and allows voice/text message authentication for the user account.
95
95
96
96
97
97
## MFA with Single-factor certificate-based authentication
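Review bot: The last item in each of the three lists (`1.Authentication Policy Administrator adds a phone number ...`, new lines 84, 88 and 94) still has no space after `1.`, so Markdown will not render it as a list item; the defect is carried over from the removed lines and should be fixed in this change as `1. Authentication Policy Administrator ...`. The new opening sentence, "Microsoft Entra CBA is capable of multifactor authentication (MFA) method", is ungrammatical; "is an MFA-capable method" reads correctly, and "potentially capable to complete MFA" should be "potentially capable of completing MFA". In the third scenario the user is stated to be unable to use an MF cert, yet two of the options are qualified with "(when user can use MF cert)"; state explicitly that these apply on a device where the MF cert does work, and clarify why "Use password and MF cert" is listed when the certificate is already the multifactor one. Every item is numbered `1.`, so if the items are alternatives rather than sequential steps, a lead-in such as "use one of the following options" or a bulleted list would keep readers from treating them as a procedure. "Single Factor (SF)" on new line 81 is also inconsistent with "single-factor (SF)" on new line 79.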
0 commit comments