You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/active-directory/authentication/concept-certificate-based-authentication-technical-deep-dive.md
+5-11Lines changed: 5 additions & 11 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -74,30 +74,24 @@ Now we'll walk through each step:
74
74
75
75
## Certificate-based authentication is MFA capable
76
76
77
-
Azure AD CBA is an MFA (Multi factor authentication) capable method, that is Azure AD CBA can be either Single (SF) or Multi-factor (MF) depending on the tenant configuration. Enabling CBA for a user indicates the user is potentially capable of MFA. This means a user may need additional configuration to proof up to register other authentication methods when the user is in scope for CBA.
77
+
Azure AD CBA is an MFA (Multi factor authentication) capable method, that is Azure AD CBA can be either Single (SF) or Multi-factor (MF) depending on the tenant configuration. Enabling CBA for a user indicates the user is potentially capable of MFA. This means a user may need additional configuration to get MFA and proof up to register other authentication methods when the user is in scope for CBA.
78
78
79
-
This can happen when:
80
-
81
-
If CBA enabled user only has a Single Factor (SF) certificate
82
-
To unblock user:
83
-
1. Use Password + SF certificate.
79
+
If CBA enabled user only has a Single Factor (SF) certificate and need MFA
80
+
1. Use Password + SF certificate.
84
81
1. Issue Temporary Access Pass (TAP)
85
82
1. Admin adds Phone Number to user account and allows Voice/SMS method for user.
86
83
87
-
If CBA enabled user but has not yet been issued a certificate
88
-
To unblock user:
84
+
If CBA enabled user has not yet been issued a certificate and need MFA
89
85
1. Issue Temporary Access Pass (TAP)
90
86
1. Admin adds Phone Number to user account and allows Voice/SMS method for user.
91
87
92
-
If CBA enabled user cannot use MF cert (such as on mobile device without smart card support)
93
-
To unblock user:
88
+
If CBA enabled user cannot use MF cert (such as on mobile device without smart card support) and need MFA
94
89
1. Issue Temporary Access Pass (TAP)
95
90
1. User Register another MFA method (when user can use MF cert)
96
91
1. Use Password + MF cert (when user can use MF cert)
97
92
1. Admin adds Phone Number to user account and allows Voice/SMS method for user
98
93
99
94
100
-
101
95
## MFA with Single-factor certificate-based authentication
102
96
103
97
Azure AD CBA can be used as a second factor to meet MFA requirements with single-factor certificates. The supported combintaions are
![prmerger-automator[bot]](https://avatars.githubusercontent.com/u/22479449?v=4&size=40){kind=avatar}
0 commit comments