CA Policy for Admins Requiring a FIDO2 Security Key or Temporary Access Pass
An Azure AD Conditional Access Policy for Admins that requires a FIDO2 Security Key or Temporary Access Pass (TAP).
Suggested name:
CA1{XX}-Admins-BaseProtection-AllApps-FIDO2orTAP
Assignments
Users
| Users and groups | |
|---|---|
| Include users | CA-Persona-Admins |
| Exclude users | Break-glass (emergency access) accounts |
Cloud apps or actions
| Cloud apps | |
|---|---|
| Include | All cloud apps |
| Exclude | Azure Credential Configuration Endpoint Service |
Access controls
| Grant access | |
|---|---|
| Require | Authentication strength: FIDO2 or TAP (Multi-use)* |
* Prerequisite: Define an Authentication Strength called ‘FIDO2 or TAP (Multi-use)’