@Stefan Lobbenmeier Posting for community.
After taking this offline and with further investigation, it was found to be a generic scenario of how Azure AD handles the CSRF attack and how it uses user session information from the cookies it deploys.
The behavior here is expected and there should be a way of letting AAD know about the user while doing FIDO.
FIDO2 not accepted as first login to managed application in Azure Active Directory - AADSTS165000
I am developing a FIDO2 login for our printers to Microsoft Azure Active Directory. The application uses an OIDC Authentication Flow where the user can log in to the Microsoft Login Page using a FIDO2 Security Key.
Today during testing we noticed that the first login to the application registered in Azure of any user is not allowed to be by a FIDO2 card but has to be an email + password. Otherwise, the first login will show an error screen to the user: AADSTS165000 Invalid Request
After logging in to our application with the email and password, the FIDO2 login is also accepted for future logins. But for our customer it is not acceptable to require one manual login.
Information regarding the Azure AD I used:
License: Azure AD for Office 365
Tenant ID: 7b7019a0-64f1-444b-b8d4-70cb72cd902b
Primary domain: ******.onmicrosoft.com
Screenshots from the Error:
VipulSparsh-MSFT (Microsoft Employee), 2021-05-25T06:51:08.437+00:00