I recently received a new FIDO2 security key from AuthenTrend and wanted to register the key via the Security Info page. But to my surprise, the option to add a security key as an authentication method was missing.
I was pretty sure I had already configured the requirements in this lab tenant to support FIDO2 security keys. To be sure, I checked the Authentication methods in the Azure portal. Indeed, FIDO2 Security Key is enabled for All users.
I also checked if the Combined security information registration experience is enabled. And it is.
After scratching my head a few times and checking the documentation (and my own FIDO2 blog posts), I still had no clue what's missing in my configuration. I opened a support case where I was helped pretty soon.
The fix was pretty easy and the engineer informed me it wasn't me who missed a setting, but “this was due to some patch update why the setting was disappeared”.
The solution is to set the isSelfServiceRegistrationAllowed value for FIDO2 to TRUE via Graph Explorer. Below are the steps we took to solve this issue.
Open and sign in to Graph Explorer.
Make sure the request type is set to GET.
Enter this URL and hit Run query:
If you get a Forbidden – 403 error as I did, we first need to set the permissions.
Hit the settings button right next to your account name and click Select permissions.
Search for Policy.ReadWrite.AuthenticationMethod.
Select Policy.ReadWrite.AuthenticationMethod and hit Consent.
Select Consent on behalf of your organization and click Accept.
Run the GET query again and you see isSelfServiceRegistrationAllowed is set to FALSE.
To change the value to TRUE enter this in the Request body field:
Set the request type to PATCH and hit Run query.
The result: isSelfServiceRegistrationAllowed is set to TRUE.
And immediately after setting the value to true, via Security info I'm able to add a Security key as an authentication method.
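The same check and fix can be scripted instead of clicked through in Graph Explorer. The following is an added example, not part of the original post: it audits a FIDO2 method configuration for the conditions described above and builds the minimal PATCH body. The v1.0 Graph endpoint, the `@odata.type` value, the sample response and the function names `diagnose`, `build_patch` and `graph_call` are assumptions of this example.

```python
import json
import urllib.request

# Assumption: the v1.0 Graph resource for the tenant's FIDO2 method configuration.
FIDO2_URL = ("https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy"
             "/authenticationMethodConfigurations/fido2")
ODATA_TYPE = "#microsoft.graph.fido2AuthenticationMethodConfiguration"

# Constructed sample of a GET response in the state the post describes:
# method enabled for all users, but self-service registration switched off.
SAMPLE = {
    "@odata.type": ODATA_TYPE,
    "id": "Fido2",
    "state": "enabled",
    "isSelfServiceRegistrationAllowed": False,
    "includeTargets": [{"targetType": "group", "id": "all_users"}],
}

def diagnose(config):
    """List the reasons users would not be offered security key registration."""
    findings = []
    if config.get("state") != "enabled":
        findings.append("FIDO2 method state is not 'enabled'")
    if config.get("isSelfServiceRegistrationAllowed") is not True:
        findings.append("isSelfServiceRegistrationAllowed is not true")
    if not config.get("includeTargets"):
        findings.append("no users or groups are targeted")
    return findings

def build_patch(config):
    """Return the minimal PATCH body, or None when the flag is already true."""
    if config.get("isSelfServiceRegistrationAllowed") is True:
        return None
    return {"@odata.type": ODATA_TYPE, "isSelfServiceRegistrationAllowed": True}

def graph_call(token, method="GET", body=None):
    """GET or PATCH the configuration; token needs Policy.ReadWrite.AuthenticationMethod."""
    data = json.dumps(body).encode() if body is not None else None
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    req = urllib.request.Request(FIDO2_URL, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on 403 (missing consent)
        raw = resp.read()
    return json.loads(raw) if raw else None  # a successful PATCH returns 204 with no body

if __name__ == "__main__":
    print(diagnose(SAMPLE))     # offline: runs against the constructed sample
    print(build_patch(SAMPLE))
```

Against a real tenant, pass the result of `graph_call(token)` to `diagnose`, and send the body from `build_patch` with `graph_call(token, "PATCH", body)` only when it is not `None`.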
My question is how do you get the security token option available when users set up MFA for the first time via aka.ms/mfasetup? If you set it up with Authenticator first you then have the option to add a security key once signed into your profile. I want it to be an option when setting up for the first time.