Hey folks,
I'm in a bit of a bind and could really use your insights. Earlier this week, I needed to cancel a series of meetings using PowerShell. Since we recently rolled out FIDO2 for all our admin accounts, I attempted to log in through the Exchange Online PowerShell module, but I ran into issues with FIDO2.
Thinking I was being clever (this was after hours), I went ahead and removed myself from the group that had the FIDO2 settings enforced by our IT security admin. I also deleted the FIDO hash UID linked to my Yubikey from the FIDO2 authentication settings and disabled Yubikey authentication on my admin account. I still had other forms of MFA set up.
Somehow, I ended up locking out all admin accounts in the tenant! Thankfully, we had a break-glass account available, which still worked, so we avoided a complete disaster.
So my question is: how on earth did I manage to lock out all admin accounts? I didn't alter any settings other than on my own account.
4 Answers
Could it be that you have a conditional access policy that requires phishing-resistant MFA? If that's the case, when you altered your account, it might have unintentionally locked others out too.
When you removed the Yubikey AAGUID from the authentication methods policy, you could have disabled all keys of that model, not just yours. That would lock out everyone using that type of Yubikey.
It sounds like something else might have been triggered as well. You weren't just removing your access; perhaps there was another change in settings that affected how admin accounts authenticate?
Exactly! FIDO2 UID isn't tied to a specific device; it relates to the model. By removing the AAGUID, all keys of that type become unusable. For targeting specific keys, changes should be made in individual user authentication methods, not the conditional access settings.
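The distinction the answers above draw (the tenant-wide AAGUID list in the FIDO2 authentication method policy applies to every key of that model, while a single registered key lives under one user's authentication methods) can be checked from PowerShell before making a change. The following is an added example, not code from the original thread; it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Users modules), an account with the listed Graph scopes, and placeholder values for the AAGUID and the user principal name. The name of the `keyRestrictions` key in `AdditionalProperties` is an assumption based on the Graph REST schema.

```powershell
# Added example, not from the original thread. Assumes Microsoft.Graph PowerShell SDK
# and a signed-in account holding the scopes below. AAGUID and UPN values are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod",
                        "UserAuthenticationMethod.ReadWrite.All",
                        "User.Read.All"

# 1. Tenant-wide FIDO2 policy. The AAGUID list here is per key MODEL, so removing an
#    entry (or adding it to a block list) affects every user who registered that model.
$fido2Policy = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "Fido2"
# keyRestrictions is not a typed property on the base object; it sits in AdditionalProperties
# (assumed key name, matching the Graph REST schema).
$restrictions = $fido2Policy.AdditionalProperties["keyRestrictions"]
"Enforced: $($restrictions.isEnforced)  Type: $($restrictions.enforcementType)"
"AAGUIDs in policy:"
$restrictions.aaGuids

# 2. Before removing an AAGUID from the policy, count who else would lose access.
#    This walks every user and queries their FIDO2 methods; fine for a small tenant,
#    slow for a large one.
$aaguid = "00000000-0000-0000-0000-000000000000"   # placeholder: the model you intend to remove
$affected = foreach ($u in Get-MgUser -All -Property Id,UserPrincipalName) {
    Get-MgUserAuthenticationFido2Method -UserId $u.Id -ErrorAction SilentlyContinue |
        Where-Object { $_.AaGuid -eq $aaguid } |
        Select-Object @{ n = 'User'; e = { $u.UserPrincipalName } }, DisplayName, Model, Id
}
"Registered keys with AAGUID $aaguid : $(@($affected).Count)"
$affected | Format-Table -AutoSize

# 3. To retire ONE physical key, delete that registration from the owning user's
#    authentication methods. The policy AAGUID list is left untouched, so other holders
#    of the same model keep working.
$upn   = "admin@contoso.example"   # placeholder
$myKey = Get-MgUserAuthenticationFido2Method -UserId $upn |
         Where-Object { $_.AaGuid -eq $aaguid }
foreach ($k in $myKey) {
    Remove-MgUserAuthenticationFido2Method -UserId $upn -Fido2AuthenticationMethodId $k.Id
}
```

Run step 2 from the break-glass or a second admin session, and check that at least one other admin still has a working sign-in method outside the policy you are about to change; the count it prints is the number of registrations that would silently stop working if the AAGUID left the allow list.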

That's interesting! But why do I see nearly 10 different AAGUIDs then?