CBA, MFA, and AADSTS54008 Certificate is not supported as first factor

Greetings All,


I'm trying to get CBA MFA working for Azure AD, Exchange Online specifically, but I can't get past the following error: AADSTS54008: Multi-Factor authentication is required and the credential used (Certificate) is not supported as a First Factor. Obviously, I have something configured incorrectly. Does anyone have a suggestion?


What I'm trying to achieve is to have our users log in to Outlook online with their username and password and then have the option to select a user certificate as their second form of authentication.




4 Replies
When you configure CBA, you can define whether it's to be used as single- or multi-factor, so check for that. The Protection level toggle under auth methods > CBA > Configure.

Understood. I've set up two rules, which, as I understand it, renders the toggle useless. I also have a conditional policy requiring MFA for the same users configured for Certificate-based authentication. If I remove the conditional access policy from the users, the authentication works and there is no error, but users can also sign in using their password only, which is unacceptable. I have to be missing something somewhere. As soon as I reinstate the conditional access policy, the error returns.

@KingBear @Vasil Michev 

Did you sort this out?

I encounter the same error in my test tenant; the user certificate is successfully mapped to my user.

If I switch the protection level over to "multifactor authentication" I get signed in without an MFA prompt.


When I attempt to sign in with the protection level set to "single-factor authentication", sign-in fails with the error AADSTS54008: Multi-Factor authentication is required and the credential used (Certificate) is not supported as a First Factor. Contact your administrator for more information.

@manshellstrom Yes sir. The settings below work as desired for my tenant.




Be sure to check that you don't have any policies in your tenant that may be conflicting.