Update auth strengths known issues to include conflict with security …#1950
andrequeda wants to merge 2 commits into MicrosoftDocs:main from
Conversation
…info registration
Document conflict between Auth strengths and 10-minute session requirement for security info registration, as well as potential solutions for it
@andrequeda : Thanks for your contribution! The author(s) and reviewer(s) have been notified to review your proposed change.
Learn Build status updates of commit 0bac453: ✅ Validation status: passed
For more details, please refer to the build report.
namkedia left a comment
Please make edits to the documentation
| When the user unlocks their Windows device by using Windows Hello for Business, they can access the resource again. Yesterday's sign-in satisfies the authentication strength requirement, and today's device unlock satisfies the sign-in frequency requirement. | ||
| - **Authentication strength and registration of security info**: Registering security info requires an MFA session no older than 10 minutes, leading to an interactive request for MFA if such requirement isn't met. This can lead users to choose an MFA method that, when combined with the first factor authentication method previously used, doesn't satisfy the enforced authentication strength, resulting in the error *"Let’s try something else. Another sign-in method is required to access this resource. Close your browser and try again, but choose another way to sign-in"*. |
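Review bot: "such requirement" and "first factor authentication method" in the added bullet read awkwardly; use "that requirement" and hyphenate the compound modifier as "first-factor authentication method". The quoted error text should stay verbatim as the product shows it, including "sign-in", so don't "fix" it when reworking the sentence around it.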
What does registering security info here mean? Accessing security info requires an MFA session no older than 10 mins
Registering authentication methods in aka.ms/mysecurityinfo. It's the expression used in other docs and even in audit logs. See https://learn.microsoft.com/en-us/entra/identity/authentication/howto-registration-mfa-sspr-combined-troubleshoot for reference.
Would it help to hyperlink https://learn.microsoft.com/en-us/entra/identity/authentication/concept-registration-mfa-sspr-combined on that "registering security info" text?
| - **Authentication strength and registration of security info**: Registering security info requires an MFA session no older than 10 minutes, leading to an interactive request for MFA if such requirement isn't met. This can lead users to choose an MFA method that, when combined with the first factor authentication method previously used, doesn't satisfy the enforced authentication strength, resulting in the error *"Let’s try something else. Another sign-in method is required to access this resource. Close your browser and try again, but choose another way to sign-in"*. | ||
| Changes can be made at the tenant level, such as enforcing "Sign-in frequency: every time" to the "Register security info" user action or enabling Passkeys for Windows Hello for Business users, or at the user level, such as ensuring they authenticate with a session at most 10 minutes old or ensuring they authenticate with a combination of methods included in the enforced Authentication Strength. |
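Review bot: this sentence chains two tenant-level options and two user-level options into one clause, so a reader can't easily tell which option applies to them. Split it into a short list, one item per option (tenant level: sign-in frequency set to every time for the Register security info user action, enabling passkeys for Windows Hello for Business users; user level: re-authenticating within the 10-minute window, using a method combination the enforced authentication strength accepts). "Enabling Passkeys for Windows Hello for Business users" also needs to say which setting that refers to, or link to it.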
The remediation action is not clear. Please use links to existing documentation as this states system knowledge that readers might not have.
Might be better to remove it altogether, as remediation/alternative is complex and highly tenant-specific (a guide covering it all could well be a separate doc and would be very consulting-like)
Pull request overview
Adds a new “Known issue” to the Conditional Access authentication strengths documentation to explain a conflict between authentication strengths enforcement and the 10-minute MFA session requirement for security info registration, and outlines tenant/user-level mitigations.
Changes:
- Documented the conflict scenario and resulting user-facing error when the chosen MFA method doesn’t satisfy the enforced authentication strength.
- Added suggested mitigation options (policy configuration and user guidance) for resolving the conflict.
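The interplay this known issue and the overview above describe, as an added example that is neither the PR's text nor Microsoft's evaluation code: a small Python model in which an enforced authentication strength is a set of accepted method combinations, the registration page requires an MFA event no older than 10 minutes, and a stale session triggers an interactive MFA prompt whose chosen method, together with the first factor, is what the strength is then judged on. The strength definition, the method names, the session model and the rule that only the latest MFA event counts are assumptions made for illustration, not Entra's documented semantics.

```python
from __future__ import annotations

from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed authentication strength: the set of method combinations it
# accepts. Illustrative only; not a real tenant's or a built-in definition.
STRENGTH: set[frozenset[str]] = {
    frozenset({"password", "authenticator_push"}),
    frozenset({"windows_hello_for_business"}),
    frozenset({"fido2"}),
}

# Freshness the known issue states for registering security info.
REGISTRATION_MFA_MAX_AGE = timedelta(minutes=10)


@dataclass(frozen=True)
class Session:
    first_factor: str                   # method used for the first factor
    mfa_method: Optional[str] = None    # method used at the latest MFA event
    mfa_at: Optional[datetime] = None   # when that MFA event happened


def methods_in_effect(session: Session) -> frozenset[str]:
    """Modelling assumption: the strength is judged on the first factor plus
    the method used at the most recent MFA event, as the known issue describes
    ("combined with the first factor authentication method previously used")."""
    methods = {session.first_factor}
    if session.mfa_method is not None:
        methods.add(session.mfa_method)
    return frozenset(methods)


def strength_satisfied(strength: set[frozenset[str]], session: Session) -> bool:
    """True when any accepted combination is covered by the methods in effect."""
    used = methods_in_effect(session)
    return any(combo <= used for combo in strength)


def mfa_is_fresh(session: Session, now: datetime) -> bool:
    """The registration page's own check: an MFA event no older than 10 minutes."""
    return session.mfa_at is not None and now - session.mfa_at <= REGISTRATION_MFA_MAX_AGE


def evaluate_registration(session: Session, strength: set[frozenset[str]],
                          now: datetime, prompt_choice: Optional[str] = None):
    """Outcome of opening 'Register security info' under an enforced strength.

    Order modelled from the known issue: a stale MFA session triggers an
    interactive MFA prompt; the method the user picks there replaces the
    previous MFA event and is then evaluated against the strength.
    prompt_choice is the method the user would pick if prompted (None stops
    at the prompt). Returns (outcome, resulting_session).
    """
    if not mfa_is_fresh(session, now):
        if prompt_choice is None:
            return "mfa_prompt", session
        session = replace(session, mfa_method=prompt_choice, mfa_at=now)
    if not strength_satisfied(strength, session):
        # The "Let's try something else" error from the known issue.
        return "error_try_something_else", session
    return "allowed", session


def demo() -> dict[str, str]:
    """Constructed scenarios: a user who signed in with password + Authenticator
    push 30 minutes ago and now opens the registration page."""
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    stale = Session("password", "authenticator_push", now - timedelta(minutes=30))
    fresh = replace(stale, mfa_at=now - timedelta(minutes=5))
    return {
        "fresh_session": evaluate_registration(fresh, STRENGTH, now)[0],
        "stale_no_choice": evaluate_registration(stale, STRENGTH, now)[0],
        "stale_picks_sms": evaluate_registration(stale, STRENGTH, now, "sms")[0],
        "stale_picks_push": evaluate_registration(stale, STRENGTH, now, "authenticator_push")[0],
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The `stale_picks_sms` scenario is the one the bullet warns about: the fresh SMS prompt satisfies the 10-minute check, but password + SMS is not a combination the strength accepts, so the user lands on the error even though they just completed MFA. Picking a method the strength does accept, or arriving with a session fresher than 10 minutes, avoids the prompt-then-fail path.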
| When the user unlocks their Windows device by using Windows Hello for Business, they can access the resource again. Yesterday's sign-in satisfies the authentication strength requirement, and today's device unlock satisfies the sign-in frequency requirement. | ||
| - **Authentication strength and registration of security info**: Registering security info requires an MFA session no older than 10 minutes, leading to an interactive request for MFA if such requirement isn't met. This can lead users to choose an MFA method that, when combined with the first factor authentication method previously used, doesn't satisfy the enforced authentication strength, resulting in the error *"Let’s try something else. Another sign-in method is required to access this resource. Close your browser and try again, but choose another way to sign-in"*. |
The first sentence in this known-issue bullet is a long, hard-to-parse chain of clauses ("requires… leading… if…"). Consider rewriting as 2–3 shorter, active-voice sentences (for example: explain the 10-minute MFA requirement, then the resulting MFA prompt, then how that can fail the enforced authentication strength) to improve readability and reduce ambiguity.
| - **Authentication strength and registration of security info**: Registering security info requires an MFA session no older than 10 minutes, leading to an interactive request for MFA if such requirement isn't met. This can lead users to choose an MFA method that, when combined with the first factor authentication method previously used, doesn't satisfy the enforced authentication strength, resulting in the error *"Let’s try something else. Another sign-in method is required to access this resource. Close your browser and try again, but choose another way to sign-in"*. | |
| - **Authentication strength and registration of security info**: Registering security info requires an MFA session that's no older than 10 minutes. If the session is older than 10 minutes, the user is prompted to complete MFA interactively. The user might then choose an MFA method that, when combined with the previously used first-factor authentication method, doesn't satisfy the enforced authentication strength. This results in the error *"Let’s try something else. Another sign-in method is required to access this resource. Close your browser and try again, but choose another way to sign-in"*. |
| - **Authentication strength and registration of security info**: Registering security info requires an MFA session no older than 10 minutes, leading to an interactive request for MFA if such requirement isn't met. This can lead users to choose an MFA method that, when combined with the first factor authentication method previously used, doesn't satisfy the enforced authentication strength, resulting in the error *"Let’s try something else. Another sign-in method is required to access this resource. Close your browser and try again, but choose another way to sign-in"*. | ||
| Changes can be made at the tenant level, such as enforcing "Sign-in frequency: every time" to the "Register security info" user action or enabling Passkeys for Windows Hello for Business users, or at the user level, such as ensuring they authenticate with a session at most 10 minutes old or ensuring they authenticate with a combination of methods included in the enforced Authentication Strength. |
This sentence references UI settings/actions in quotes and with slightly unclear phrasing ("enforcing "Sign-in frequency: every time" to the "Register security info" user action"). Consider using the doc convention of bolding UI labels and describing the configuration as setting Sign-in frequency to Every time for the Register security info user action (and use "for" rather than "to").
| Changes can be made at the tenant level, such as enforcing "Sign-in frequency: every time" to the "Register security info" user action or enabling Passkeys for Windows Hello for Business users, or at the user level, such as ensuring they authenticate with a session at most 10 minutes old or ensuring they authenticate with a combination of methods included in the enforced Authentication Strength. | |
| Changes can be made at the tenant level, such as setting **Sign-in frequency** to **Every time** for the **Register security info** user action or enabling Passkeys for Windows Hello for Business users, or at the user level, such as ensuring they authenticate with a session at most 10 minutes old or ensuring they authenticate with a combination of methods included in the enforced Authentication Strength. |
| - **Authentication strength and registration of security info**: Registering security info requires an MFA session no older than 10 minutes, leading to an interactive request for MFA if such requirement isn't met. This can lead users to choose an MFA method that, when combined with the first factor authentication method previously used, doesn't satisfy the enforced authentication strength, resulting in the error *"Let’s try something else. Another sign-in method is required to access this resource. Close your browser and try again, but choose another way to sign-in"*. | ||
| Changes can be made at the tenant level, such as enforcing "Sign-in frequency: every time" to the "Register security info" user action or enabling Passkeys for Windows Hello for Business users, or at the user level, such as ensuring they authenticate with a session at most 10 minutes old or ensuring they authenticate with a combination of methods included in the enforced Authentication Strength. |
There are a couple of capitalization inconsistencies here compared to earlier usage in this article: "Passkeys" is capitalized while the prior example uses "passkey", and "Authentication Strength" is capitalized even though it's used as a generic concept in this sentence. Align the capitalization (for example, "passkeys" / "authentication strength") unless you’re intentionally referring to a specific UI label.
| Changes can be made at the tenant level, such as enforcing "Sign-in frequency: every time" to the "Register security info" user action or enabling Passkeys for Windows Hello for Business users, or at the user level, such as ensuring they authenticate with a session at most 10 minutes old or ensuring they authenticate with a combination of methods included in the enforced Authentication Strength. | |
| Changes can be made at the tenant level, such as enforcing "Sign-in frequency: every time" to the "Register security info" user action or enabling passkeys for Windows Hello for Business users, or at the user level, such as ensuring they authenticate with a session at most 10 minutes old or ensuring they authenticate with a combination of methods included in the enforced authentication strength. |
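Review bot: this suggestion edits the same line as the earlier suggestion that bolds the UI labels (setting **Sign-in frequency** to **Every time** for the **Register security info** user action), but it keeps the quoted labels and "enforcing … to"; the two suggestions can't both be committed as-is, since applying one makes the other stale. Merge them into a single suggestion that bolds the UI labels, uses "for" rather than "to", and lowercases "passkeys" and "authentication strength".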
Can you review the proposed changes? IMPORTANT: When the changes are ready for publication, adding a #label:"aq-pr-triaged"
…n of security info
Removed mitigation/alternative
| - **Authentication strength and registration of security info**: Registering security info requires an MFA session no older than 10 minutes, leading to an interactive request for MFA if such requirement isn't met. This can lead users to choose an MFA method that, when combined with the first factor authentication method previously used, doesn't satisfy the enforced authentication strength, resulting in the error *"Let’s try something else. Another sign-in method is required to access this resource. Close your browser and try again, but choose another way to sign-in"*. | ||
| Changes can be made at the tenant level, such as enforcing "Sign-in frequency: every time" to the "Register security info" user action or enabling Passkeys for Windows Hello for Business users, or at the user level, such as ensuring they authenticate with a session at most 10 minutes old or ensuring they authenticate with a combination of methods included in the enforced Authentication Strength. | ||
Learn Build status updates of commit d5eff21: ✅ Validation status: passed
For more details, please refer to the build report.