From 0bac453e0830f215f7c645a1cf0d2ead52693960 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Queda?= Date: Mon, 20 Apr 2026 16:07:45 +0100 Subject: [PATCH 1/2] Update auth strengths known issues to include conflict with security info registration Document conflict between Auth strengths and 10-minute session requirement for security info registration, as well as potential solutions for it --- .../authentication/concept-authentication-strengths.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/identity/authentication/concept-authentication-strengths.md b/docs/identity/authentication/concept-authentication-strengths.md index 853e15eaf2f..3adbfc694fd 100644 --- a/docs/identity/authentication/concept-authentication-strengths.md +++ b/docs/identity/authentication/concept-authentication-strengths.md @@ -100,6 +100,10 @@ Conditional Access administrators can also create custom authentication strength When the user unlocks their Windows device by using Windows Hello for Business, they can access the resource again. Yesterday's sign-in satisfies the authentication strength requirement, and today's device unlock satisfies the sign-in frequency requirement. +- **Authentication strength and registration of security info**: Registering security info requires an MFA session no older than 10 minutes, leading to an interactive request for MFA if such requirement isn't met. This can lead users to choose an MFA method that, when combined with the first factor authentication method previously used, doesn't satisfy the enforced authentication strength, resulting in the error *"Let’s try something else. Another sign-in method is required to access this resource. Close your browser and try again, but choose another way to sign-in"*. + + Changes can be made at the tenant level, such as enforcing "Sign-in frequency: every time" to the "Register security info" user action or enabling Passkeys for Windows Hello for Business users, or at the user level, such as ensuring they authenticate with a session at most 10 minutes old or ensuring they authenticate with a combination of methods included in the enforced Authentication Strength. + ## FAQ ### Should I use an authentication strength or the policy for authentication methods? From d5eff21ce76293ba62d8590187213751c515c7b8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Queda?= Date: Wed, 22 Apr 2026 11:19:09 +0100 Subject: [PATCH 2/2] second update to auth strengths known issues to reference registration of security info Removed mitigation/alternative --- docs/identity/authentication/concept-authentication-strengths.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/identity/authentication/concept-authentication-strengths.md b/docs/identity/authentication/concept-authentication-strengths.md index 3adbfc694fd..70b003b543f 100644 --- a/docs/identity/authentication/concept-authentication-strengths.md +++ b/docs/identity/authentication/concept-authentication-strengths.md @@ -102,7 +102,6 @@ Conditional Access administrators can also create custom authentication strength - **Authentication strength and registration of security info**: Registering security info requires an MFA session no older than 10 minutes, leading to an interactive request for MFA if such requirement isn't met. This can lead users to choose an MFA method that, when combined with the first factor authentication method previously used, doesn't satisfy the enforced authentication strength, resulting in the error *"Let’s try something else. Another sign-in method is required to access this resource. Close your browser and try again, but choose another way to sign-in"*. - Changes can be made at the tenant level, such as enforcing "Sign-in frequency: every time" to the "Register security info" user action or enabling Passkeys for Windows Hello for Business users, or at the user level, such as ensuring they authenticate with a session at most 10 minutes old or ensuring they authenticate with a combination of methods included in the enforced Authentication Strength. ## FAQ