Multi Tenant MFA with one FIDO2 Key

In my work I normally have accounts across at least 5 different Microsoft 365 tenants, and that has gone as high as 40. This can be a huge challenge when it comes to using the more secure methods of multi-factor authentication.

Text message codes are better than no MFA but not the most secure method. Your mobile phone number is easily discovered and (apparently) is easy to hack to give malicious actors visibility of the codes. Given most of us don’t change our mobile phone number regularly and often include it in virtually every email we send, you can quickly see why, as an MFA method, especially for admin accounts, it’s not the best option. Tip: Use a secondary mobile phone number for your MFA if you have no other choice.

In my quest to avoid text messaging for MFA I have been using the Microsoft Authenticator app, but I still needed another alternative to text messages, especially for admin accounts.

I was fortunate enough to be sent a couple of different devices to test from Feitian and set about setting them up to see how they work with Microsoft 365. The iePass and the AllinPass both provided the facilities I needed; however, I decided that I preferred the AllinPass given its multiple connection types, including Bluetooth.

Findings

Skipping straight to the end, I can tell you it is now working like a dream. I just need to get more of the tenants I use to accept the security key method of MFA and I’ll be steaming through sign-ins without needing to remember passwords or even type usernames! This is my new sign-in experience with two accounts added: 4 very short steps and I’m authenticated.

Step 1: on Sign in page click Sign in Options

Step 2: Choose Sign in with a security key

Step 3: Put finger on fingerprint reader

Step 4: choose account and click OK

Fully logged in 😀

My Tests

The first step was to set up the key. Task 1 – Download the app from the Microsoft Store.

With the app installed, connect the key via a USB cable and click Add Fingerprint to add the first fingerprint you wish to use. Create the device PIN at the prompt. The PIN allows you to manage your key from a PC, and to change PCs while still being able to manage and use the key.

Once you have entered your PIN you will need to press the fingerprint sensor to complete set up.

Next we’ll add the device so the PC knows it can use it for sign-in to apps. In Windows Settings, navigate to Accounts, then Sign-in options, expand the Security Key section, click Manage, then authenticate on your key.

If you want to use the key on a different PC, just repeat adding it in Windows. And before you ask, yes, it’s the same process and works just as well in Windows 11.

On to Microsoft 365.  You need to navigate to your Security Info page at https://mysignins.microsoft.com/security-info and choose Add method then pick Security key and click Add.  At this point you may be prompted to sign in to your account again using MFA and will have to repeat this step once you are signed in.

Choose the key type.  For my PC I decided to stick with USB.

If USB, you will be prompted to connect your key.

Follow the prompts, some of which just flash up on screen too quickly to screen grab! Then you will be prompted to authenticate on your key, in my case by fingerprint.

Give your key a name, in case you end up using multiple keys.

You are all set up.

I would recommend opening a private or guest browsing window to test sign in.

With only one Microsoft 365 account it’s a simple 3 step process:

Step 1: on Sign in page click Sign in Options

Step 2: Choose Sign in with a security key

Step 3: Put finger on fingerprint reader

Fully logged in 😀

If you have multiple accounts repeat the process for each and test as you go.  This is the sign in process with two accounts.  When you add more, you simply have more accounts to choose from.

Step 1: on Sign in page click Sign in Options

Step 2: Choose Sign in with a security key

Step 3: Put finger on fingerprint reader

Step 4: choose account and click OK

Fully logged in 😀

To default your MFA to request authentication from the key, navigate to your Security Info page at https://mysignins.microsoft.com/security-info, choose Change next to default method, and choose your preferred security key.

Tenant Set Up

Assuming you already have MFA enabled in your Microsoft 365 tenant, you just need to enable the FIDO2 Security Key method. Navigate to https://portal.azure.com/#blade/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/AdminAuthMethods (in your Azure AD Portal, choose Security then Authentication methods if the link doesn’t work for you).

Select the FIDO2 Security Key line.

Change the Enable setting to Yes, choose either All Users or Select users (and pick the users or groups who can use a security key), then click Save.
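The same FIDO2 policy change, scripted with the Microsoft Graph PowerShell SDK rather than clicked through the portal, followed by a check of which pilot users have actually registered a key. This is an added example, not from the original post; it assumes the Microsoft.Graph module is installed, and the pilot group id is a placeholder you replace with your own.

```powershell
# Added example (not from the original post): enable the FIDO2 security key
# method for a pilot group and then list who in that group has registered a key.
# Assumes the Microsoft.Graph PowerShell SDK; $pilotGroupId is a placeholder.

Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Groups

# Policy.ReadWrite.AuthenticationMethod changes the tenant policy;
# UserAuthenticationMethod.Read.All reads users' registered methods.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod",
                        "UserAuthenticationMethod.Read.All",
                        "GroupMember.Read.All"

$pilotGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: your pilot group

# Equivalent of "Enable = Yes" plus "Select users = <group>" in the portal blade.
$fido2Policy = @{
    "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    state                            = "enabled"
    isSelfServiceRegistrationAllowed = $true   # users may add a key at mysignins
    isAttestationEnforced            = $true   # accept only keys with valid attestation
    includeTargets                   = @(
        @{
            targetType             = "group"
            id                     = $pilotGroupId   # "all_users" targets everyone
            isRegistrationRequired = $false
        }
    )
}

Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "Fido2" -BodyParameter $fido2Policy

# Check: which pilot users have at least one FIDO2 key registered, and what
# did they name it? Useful before widening the policy from the pilot group.
Get-MgGroupMember -GroupId $pilotGroupId -All | ForEach-Object {
    $keys = Get-MgUserAuthenticationFido2Method -UserId $_.Id
    [pscustomobject]@{
        User      = $_.AdditionalProperties["userPrincipalName"]
        Fido2Keys = @($keys).Count
        KeyNames  = ($keys.DisplayName -join ", ")
    }
} | Format-Table -AutoSize
```

Run the check again after each test user completes the Security Info steps above; a user showing 0 keys has not yet finished registration.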

If your Microsoft 365 tenant does NOT yet have MFA enabled: once you have allowed the required methods (you need at least two), navigate to the Active Users page in the Microsoft 365 Admin Center and choose Multi-factor authentication.

I would recommend enabling it for a small number of test users first, but you can select any number of users at once, or all of them, and click the Enable link.

Click Enable multi-factor authentication button.

As the box says, if your users do not regularly sign in through the browser, you can direct them to this link to register for multi-factor authentication: https://aka.ms/MFASetup

Once you are done, get a test user to sign in to the browser or use https://aka.ms/MFASetup to configure multi-factor authentication for themselves, which can include the security key.
