Update auth strengths known issues to include conflict with security … #1950
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -100,6 +100,9 @@ Conditional Access administrators can also create custom authentication strength | |||||
|
|
||||||
| When the user unlocks their Windows device by using Windows Hello for Business, they can access the resource again. Yesterday's sign-in satisfies the authentication strength requirement, and today's device unlock satisfies the sign-in frequency requirement. | ||||||
|
|
||||||
| - **Authentication strength and registration of security info**: Registering security info requires an MFA session no older than 10 minutes, leading to an interactive request for MFA if such requirement isn't met. This can lead users to choose an MFA method that, when combined with the first factor authentication method previously used, doesn't satisfy the enforced authentication strength, resulting in the error *"Let’s try something else. Another sign-in method is required to access this resource. Close your browser and try again, but choose another way to sign-in"*. | ||||||
|
There was a problem hiding this comment. The first sentence in this known-issue bullet is a long, hard-to-parse chain of clauses ("requires… leading… if…"). Consider rewriting as 2–3 shorter, active-voice sentences (for example: explain the 10-minute MFA requirement, then the resulting MFA prompt, then how that can fail the enforced authentication strength) to improve readability and reduce ambiguity.
Suggested change
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
| ## FAQ | ||||||
|
|
||||||
| ### Should I use an authentication strength or the policy for authentication methods? | ||||||
|
|
||||||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What does registering security info here mean? Accessing security info requires an MFA session no older than 10 mins
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Registering authentication methods in aka.ms/mysecurityinfo. It's the expression used in other docs and even in audit logs. See https://learn.microsoft.com/en-us/entra/identity/authentication/howto-registration-mfa-sspr-combined-troubleshoot for reference.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would it help to hyperlink https://learn.microsoft.com/en-us/entra/identity/authentication/concept-registration-mfa-sspr-combined on that "registering security info" text?