An Azure AD Conditional Access Policy for Admins that requires a FIDO2 Security Key or Temporary Access Pass (TAP).

Suggested name:
CA1{XX}-Admins-BaseProtection-AllApps-FIDO2orTAP

Assignments

Users

Users and groups  
Include users: CA-Persona-Admins
Exclude users: Break-glass (emergency access) accounts

Cloud apps or actions

Cloud apps  
Include: All cloud apps
Exclude: Azure Credential Configuration Endpoint Service

Access controls

Grant access  
Require Authentication strength: FIDO2 or TAP (Multi-use)*

* Prerequisite: Define an Authentication Strength called ‘FIDO2 or TAP (Multi-use)’
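
An added example, not part of the original policy description: a Python check that compares a policy exported from Microsoft Graph (a conditionalAccessPolicy object) against the settings listed above and reports any drift. The IDs are placeholders, the sample policies are constructed, and the check assumes the export carries the authentication strength's allowedCombinations inline.

```python
import copy

# Constructed placeholders: substitute the object and app IDs from your tenant.
ADMINS_GROUP = "<CA-Persona-Admins-group-id>"
BREAK_GLASS = {"<break-glass-1-id>", "<break-glass-2-id>"}
CRED_CONFIG_APP = "<Azure-Credential-Configuration-Endpoint-Service-app-id>"
ALLOWED_COMBOS = {"fido2", "temporaryAccessPassMultiUse"}

def audit_policy(policy):
    """Return deviations of an exported conditionalAccessPolicy from the baseline."""
    findings = []
    cond = policy.get("conditions") or {}
    users, apps = cond.get("users") or {}, cond.get("applications") or {}
    grant = policy.get("grantControls") or {}
    if ADMINS_GROUP not in (users.get("includeGroups") or []):
        findings.append("CA-Persona-Admins is not included")
    excluded = set(users.get("excludeUsers") or []) | set(users.get("excludeGroups") or [])
    if BREAK_GLASS - excluded:
        findings.append("break-glass account not excluded")
    if excluded - BREAK_GLASS:
        findings.append("unexpected user or group exclusion")
    if (apps.get("includeApplications") or []) != ["All"]:
        findings.append("not scoped to all cloud apps")
    if set(apps.get("excludeApplications") or []) != {CRED_CONFIG_APP}:
        findings.append("app exclusions differ from baseline")
    strength = grant.get("authenticationStrength") or {}
    combos = set(strength.get("allowedCombinations") or [])
    if not combos:
        findings.append("no authentication strength required")
    elif combos - ALLOWED_COMBOS:
        findings.append("strength allows a non-FIDO2/TAP method")
    # With OR, any other satisfied control grants access without the strength.
    if grant.get("operator") == "OR" and grant.get("builtInControls"):
        findings.append("OR operator lets another control bypass the strength")
    return findings

# Constructed sample in the shape of a Microsoft Graph policy export.
BASELINE = {
    "conditions": {
        "users": {"includeGroups": [ADMINS_GROUP], "excludeUsers": sorted(BREAK_GLASS)},
        "applications": {"includeApplications": ["All"],
                         "excludeApplications": [CRED_CONFIG_APP]}},
    "grantControls": {"operator": "AND", "builtInControls": [],
                      "authenticationStrength": {"allowedCombinations": sorted(ALLOWED_COMBOS)}}}
# Constructed drift: a phishable method added to the strength, one admin exempted.
DRIFTED = copy.deepcopy(BASELINE)
DRIFTED["grantControls"]["authenticationStrength"]["allowedCombinations"].append(
    "password,microsoftAuthenticatorPush")
DRIFTED["conditions"]["users"]["excludeUsers"].append("<some-admin-id>")
```

Calling audit_policy(BASELINE) returns an empty list, while audit_policy(DRIFTED) reports the extra exclusion and the weakened strength.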