cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

CBA, MFA, and AADSTS54008 Certificate is not supported as first factor

KingBear
New Contributor

‎May 24 2022 08:50 AM - edited ‎May 24 2022 09:22 AM

‎May 24 2022 08:50 AM - edited ‎May 24 2022 09:22 AM

CBA, MFA, and AADSTS54008 Certificate is not supported as first factor

Greetings All,

 

I'm trying to get CBA MFA working for Azure AD, exchange online specifically, but I can't get past the following error:  AADSTS54008:  Multi-Factor authentication is required and the credential used (Certificate) is not supported as a First Factor.  Obviously, I have something configured incorrectly.  Does anyone have a suggestion?

 

What I'm trying to achieve is have our users login to Outlook online with their username and password and then have the option to select a user certificate as their second form of authentication.

 

Regards,

KB

538 Views
0 Likes
4 Replies
Reply
4 Replies
Vasil Michev

‎May 24 2022 09:24 AM

‎May 24 2022 09:24 AM

Re: CBA, MFA, and AADSTS54008 Certificate is not supported as first factor

When you configure CBA, you can define whether it's to be used as single- or multi-factor, so check for that. The Protection level toggle under auth methods > CBA > Configure.
0 Likes
Reply
KingBear

‎May 24 2022 09:44 AM

‎May 24 2022 09:44 AM

Re: CBA, MFA, and AADSTS54008 Certificate is not supported as first factor

Understood. I've set up two rules, which as I understand it, renders the toggle useless. I also have a conditional policy requiring MFA for the same users configured for Certificate-based authentication. If I remove the conditional access policy from the users, the authentication works and there is no error, but users can also sign in using their password only, which is unacceptable. I have to be missing something somewhere. As soon as I reinstate the conditional access policy, the error returns.
0 Likes
Reply
manshellstrom

‎Aug 05 2022 04:47 AM

‎Aug 05 2022 04:47 AM

Re: CBA, MFA, and AADSTS54008 Certificate is not supported as first factor

@KingBear @Vasil Michev 

Did you sort this out?

I encounter the same error in my test tenant, the user certificate is successfully mapped to my user.

If I switch the protection level over to "multifactor authentication" I get signed in without MFA prompt.

 

When I attempt to sign in with the protection level set to "single-factor authentication", sign-in fails with the error AADSTS54008: Multi-Factor authentication is required and the credential used (Certificate) is not supported as a First Factor. Contact your administrator for more information.

0 Likes
Reply
KingBear

‎Aug 05 2022 05:28 AM

‎Aug 05 2022 05:28 AM

Re: CBA, MFA, and AADSTS54008 Certificate is not supported as first factor

@manshellstrom   Yes sir.  The settings below work as desired for my tenant. 

 

Clipboard01.png

 

Be sure to check that you don't have any of policies in your tenant that may be conflicting. 

0 Likes
Reply