The RSA MFA Agent for Microsoft Windows version 2.4 and later enables passwordless authentication for users on Microsoft Entra ID-joined and hybrid-joined devices. The agent uses Microsoft Entra ID trusted RSA Certificate Authority (CA) certificates to provide secure, passwordless sign-in.
Users must have a FIDO Passkey or the RSA Authenticator registered, and during the first authentication they also enter their Entra ID password. Subsequent authentications require only a registered passwordless method.
The agent creates a Microsoft Virtual Smart Card and enrolls it with a sign-in certificate to achieve passwordless authentication. Users can also perform additional authentication when accessing Windows computers or User Account Control.
Supported passwordless methods include FIDO Passkey, QR Code, Mobile Passkey, Device Biometrics, and Emergency Access Code.
Microsoft Entra ID user accounts can be protected by the RSA MFA Agent for additional security. Passwordless authentication is supported when the agent connects directly to Cloud Access Service (CAS), or in hybrid deployments that use Authentication Manager (AM) 8.9, scheduled for release in early 2026.
Configure Microsoft Entra ID Joined Machines for the RSA MFA Agent
Before installing the agent, you must follow the steps below to configure your Windows machines.
Procedure
- Register an Application:
- To register a new application in Microsoft Entra ID, go to Azure Home > Microsoft Entra ID > Overview > Manage > App registrations and then click New registration. Fill in the required fields. Under Supported account types, choose the application access type based on your account type.
- Copy the parameters such as Tenant ID and Client ID for the application.
- Generate a Client Secret for this application. In the left pane, click Manage > Certificates & secrets, and then click New client secret. You are prompted for a description and an expiry period. After you provide them, the client secret is generated and displayed in the Value column under Client Secret. Client Secret values can be viewed only immediately after creation, so save the secret before leaving the page. These values can also be securely stored in Azure Key Vault.
- Assign the minimum permissions User.Read.All and Group.Read.All to the application.
- Generate and Configure the Template File:
For Microsoft Entra ID joined devices, agent settings are configured using the file generated below; they are not set through GPO settings.
- Open the command prompt as an administrator.
- Run the following command to generate a template text file:
$ RSA_MFA_Agent_Config_Utility_For_Microsoft_Entra_ID.exe -g <text file name e.g. RSA_MFA_Agent_Config.txt>
This command creates a template text file <text file name> that contains the key-value pairs needed for the RSA MFA Agent.
- Open the generated text file and update the values for these new keys with the details noted in Step 1. Enable the settings by setting the corresponding flag as shown in the example below:
Note: Support for Microsoft Entra ID Government was introduced in RSA MFA Agent 2.3.6. In earlier versions, AzureCloudRegion is set to Public by default; it can be configured as Public or Government only from version 2.3.6 onwards.
- Set the ChallengeGroupName registry key value to: ChallengeGroupName=<AD Name e.g. MSEntraID>\<challenge-group-name>
- Replace <challenge-group-name> with the appropriate challenge group name from the Azure portal.
For more information, see Create a Group of Users to Challenge with RSA Credentials in the latest Installation and Administration Guide.
- Configure Passwordless Authentication for Entra ID Devices:
- Complete the required steps to configure CAS and Microsoft Entra ID for passwordless authentication for Entra ID devices, as detailed in Configure Passwordless Authentication for Microsoft Entra ID Joined Machines in the Installation and Administration Guide.
- Configure the agent settings using the template text file generated in Step 2. The values of the following keys need to be configured to enable passwordless authentication:
- Azure Tenant ID, Azure Client ID, Azure Client Secret, Azure Cloud Region
- RSA Authentication API Key, RSA Authentication API REST URL
- Cloud Access Service Access Policy
- Cloud Access Service Public Key for Passwordless Authentication
- RSA Authentication OAuth2 Client ID, RSA Authentication OAuth2 Client Secret
- FIDO Relying Party ID
- Enable RSA authentication
- Configure Passwordless Authentication
- Specify logging options
- RSA Primary Authentication Challenge Group, RSA Primary Authentication Challenge Settings
For more information about each key-value pair, see Configure Passwordless Authentication for Microsoft Entra ID Joined Machines in the Installation and Administration Guide.
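The filled-in template from Step 2 is the input for the deployment script generated in Step 4, and it carries the Azure client secret and RSA Authentication API key in clear text, so it is worth checking before it leaves the administrator's machine. The following PowerShell script is an added example, not part of this article or of RSA's tooling. It assumes the template holds one key=value pair per line (the form the ChallengeGroupName line above uses), that unfilled values are still wrapped in angle brackets as in the article's own notation, and it relies only on the two key names the article gives, AzureCloudRegion and ChallengeGroupName; every other key is checked generically.

```powershell
# Added example (not RSA's code): sanity-check the key=value template produced by the
# RSA config utility before it is turned into a PowerShell script and pushed via MDM.
# Assumptions: one key=value pair per line, '#' starts a comment, unfilled values look
# like <placeholder>, and the key names AzureCloudRegion and ChallengeGroupName as
# shown in the article. All other key names are whatever the utility generated.
param(
    [Parameter(Mandatory = $true)]
    [string]$TemplatePath
)

$problems = New-Object System.Collections.Generic.List[string]
$settings = @{}

foreach ($raw in Get-Content -LiteralPath $TemplatePath) {
    $line = $raw.Trim()
    if ($line -eq '' -or $line.StartsWith('#')) { continue }
    $idx = $line.IndexOf('=')
    if ($idx -lt 1) { $problems.Add("Malformed line (expected key=value): '$line'"); continue }
    $key = $line.Substring(0, $idx).Trim()
    $value = $line.Substring($idx + 1).Trim()
    $settings[$key] = $value
    # A surviving empty or <placeholder> value means the key was never filled in
    # from the Entra ID and CAS details noted in Steps 1 and 3.
    if ($value -eq '' -or $value -match '^<.*>$') {
        $problems.Add("Key '$key' still has an empty or placeholder value")
    }
}

# AzureCloudRegion accepts only Public or Government (agent 2.3.6 and later).
if ($settings.ContainsKey('AzureCloudRegion') -and
    $settings['AzureCloudRegion'] -notin @('Public', 'Government')) {
    $problems.Add("AzureCloudRegion must be 'Public' or 'Government', got '$($settings['AzureCloudRegion'])'")
}

# ChallengeGroupName must be <AD name>\<challenge group name>: exactly one backslash.
if ($settings.ContainsKey('ChallengeGroupName') -and
    $settings['ChallengeGroupName'] -notmatch '^[^\\]+\\[^\\]+$') {
    $problems.Add("ChallengeGroupName must look like MSEntraID\GroupName, got '$($settings['ChallengeGroupName'])'")
}

# The filled-in template contains the Azure client secret and the RSA Authentication API
# key in clear text; flag ACL entries that let broad built-in groups read it.
$acl = Get-Acl -LiteralPath $TemplatePath
$broad = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference -match 'Everyone|Authenticated Users|BUILTIN\\Users'
}
if ($broad) {
    $problems.Add("Template is readable by $($broad.IdentityReference -join ', '); tighten the ACL")
}

if ($problems.Count -eq 0) {
    Write-Output "Template looks complete: $($settings.Count) keys set."
    exit 0
}
$problems | ForEach-Object { Write-Warning $_ }
exit 1
```

Run it as `.\Check-RsaTemplate.ps1 -TemplatePath .\RSA_MFA_Agent_Config.txt` before the `-i ... -o ...` command in Step 4; a non-zero exit code means at least one key or the file's permissions still need attention.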
- Complete the steps below to enable passwordless authentication for CAS users:
- Update the access policy to include passwordless authentication methods as primary authentication methods.
- In the Cloud Administration Console, go to Access > Policies, and in the Primary Authentication tab, add one or more of the following methods:
- FIDO Passkey
- QR Code (RSA Agent)
- Device Biometrics (RSA Agent)
- Mobile Passkey (RSA Agent)
- Emergency Access Code
- Click Save and Finish, and then publish your changes.
- Download the Agent Passwordless Public Key from CAS:
- In the Cloud Administration Console, go to My Account > Company Settings.
- Select Company Information.
- Under Agent Passwordless Public Key, click Download.
- Obtain the FIDO Relying Party ID from CAS:
- In the Cloud Administration Console, go to Platform > Identity Router.
- Select an identity router and click Edit.
- Click Registration.
- Copy the FIDO Relying Party ID from the Authentication Service Domain field.
- If not configured, the FIDO Relying Party ID is extracted automatically from the RSA Authentication API REST URL.
If you want users to avoid additional authentication after a successful FIDO Passkey primary authentication, ensure that FIDO Passkey is configured as the higher assurance level authentication method in the access policy compared to other methods.
- Generate PowerShell script:
- Use the configured text file to create a PowerShell script with the following command:
$ RSA_MFA_Agent_Config_Utility_For_Microsoft_Entra_ID.exe -i <text file name e.g. RSA_MFA_Agent_Config.txt> -o <script file name e.g. RSA_MFA_Agent_Config.ps1>
This command generates a PowerShell script file with the name given in the command; the script configures the Windows machine for the RSA MFA Agent.
- Upload the script to MDM and deploy it:
- Log in to an MDM portal.
- Upload the generated PowerShell script.
- Select the appropriate device group under Included groups during the upload process.
The MDM will deploy and execute the PowerShell script on all devices in the selected groups to configure them for the Agent.
- Install Root CA Certificate:
- Install the RSA Root CA Certificate. Follow the instructions detailed in Configure Passwordless Authentication for Microsoft Entra ID Joined Machines in the Installation and Administration Guide.
- Install Agent:
After completing the above configuration steps, install the RSA MFA Agent on Microsoft Windows 10 or later.
Note the following:
- To install the RSA MFA Agent for a group of Entra ID users, use any MDM to push the Agent. See Install the Agent for Entra ID Users Using Intune in the Installation and Administration Guide for steps you can follow to install and configure the Agent using Microsoft Intune. The instructions provided are only applicable for fresh Agent installations on devices not previously enrolled.
- To upgrade the Agent on Entra ID machines using password only or password + step-up authentication (version 2.3.3 or later), follow the instructions below in the same order:
- Install the RSA Root CA Certificate. Follow the instructions detailed in Configure Passwordless Authentication for Microsoft Entra ID Joined Machines in the Installation and Administration Guide.
- Upgrade the Agent to the latest version.
- Implement passwordless configuration. Use the RSA configuration utility to generate a PowerShell script that enables passwordless authentication as detailed in Steps 2, 3, 4, and 5.
- Test Authentication:
- Launch the RSA MFA Agent Authentication Utility from Windows search bar, and perform a test authentication as detailed in Test Authentication.
- Passwordless Onboarding or Offboarding
Using the RSA MFA Agent Authentication Utility, users can do the following:
- Onboard supported passwordless authentication methods to their accounts in order to sign in using these methods, as detailed in Passwordless Onboarding.
- Offboard an onboarded passwordless authentication method, as detailed in Passwordless Offboarding.
- Log In:
- Log in to the agent machine using a Microsoft Entra ID account.
Microsoft Entra ID Hybrid Joined Devices
The procedure to set up Microsoft Entra ID hybrid-joined devices remains the same as for on-premises Active Directory joined machines. For quick setup instructions, refer to the instructions provided in this section below. For more information about Microsoft Entra hybrid-joined devices, see Microsoft Entra hybrid-joined Devices.
To configure Microsoft Entra ID hybrid-joined devices, do as follows:
- Set Up Cloud Access Service
- Install RSA Group Policy Object (GPO) templates
- Install RSA MFA Agent
- Configure the agent to connect to RSA Authentication
- Test Authentication
Note: After upgrading to RSA MFA Agent 2.4 or later, the agent continues to authenticate Microsoft Entra ID hybrid-joined devices as before. You do not need to make any changes to your existing GPO settings. Passwordless authentication using the RSA CA certificate is currently supported only on Entra ID joined devices and not on hybrid-joined devices.
Set Up Cloud Access Service
To connect the agent to RSA Authentication, you need to copy the configuration details from the Cloud Administration Console, as explained below, and use them later during configuration.
- Access Cloud Administration Console.
- Create an access policy specifically for the RSA MFA Agent. For more information, see Add, Clone, or Delete an Access Policy > Add an Access Policy on RSA Community.
- To copy the REST Authentication URL and API key for CAS, do the following:
- Go to Platform > API Access Management > Authentication API Keys.
- Click Copy URL to copy the REST Authentication URL. The REST Authentication URL format is https://<hostname>:<port>/. The default port is 443.
- Copy the API key available under Authentication API Keys. The Agent sends this key to the RSA Authentication API to securely identify authentication requests. For more information, see Manage the RSA Authentication API Keys > Add an RSA Authentication API Key on RSA Community.
User Requirements
To use passwordless authentication methods, users must register on RSA My Page and enroll one of the following authenticators:
- RSA Authenticator app (iOS or Android), which supports Device Biometrics, QR code, and Mobile Passkey.
- A FIDO2-certified security key, such as the RSA DS100 or RSA IShield 2.
Install RSA Group Policy Object (GPO) Templates
Download the latest RSA Group Policy Object (GPO) templates from RSA Community, install them on a Windows computer or domain controller, and then configure them.
Install the GPO templates on a Windows computer:
- Installing RSA MFA Agent on the computer used to manage the GPO templates will automatically copy the template files to C:\Windows\PolicyDefinitions during installation.
Install the GPO templates on a domain controller:
To install the template on a domain controller, do one of the following:
- Copy the GPO templates to an appropriate local directory:
- For local directory installation, copy the contents of the RSA_MFA_Agent_<version>_PolicyTemplates.zip package, excluding the Migration Tool folder, to C:\Windows\PolicyDefinitions on the domain controller.
- Ensure that you preserve the existing subfolder structure.
- Copy the templates to a shared network location:
- Copy the contents of the RSA_MFA_Agent_<version>_PolicyTemplates.zip package, excluding the Migration Tool folder, to the following shared network location: \\domain_name\SYSVOL\domain_name\Policies\PolicyDefinitions.
- Replace domain_name with the name of your domain.
- Ensure that the existing subfolder structure is preserved.
- If the PolicyDefinitions folder does not exist, create a new folder.
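The copy steps above, scripted in PowerShell as an added example that is not RSA's own tooling. It assumes, as the steps describe, that the top level of the zip holds the template files and folders plus the Migration Tool folder, and that the destination is either the local C:\Windows\PolicyDefinitions folder or the SYSVOL central store path given above. The .admx/.adml file count at the end relies on the standard Group Policy template layout (.admx files at the top level, .adml files in language subfolders), not on anything the article states about the RSA package.

```powershell
# Added example (not RSA's tooling): stage the RSA GPO templates into a PolicyDefinitions
# folder, skipping the "Migration Tool" folder and keeping the zip's subfolder layout.
# Run on the domain controller with a destination such as
#   \\domain_name\SYSVOL\domain_name\Policies\PolicyDefinitions   (central store)
#   C:\Windows\PolicyDefinitions                                   (local)
# The zip name follows the article; <version> is whatever you downloaded.
param(
    [Parameter(Mandatory = $true)] [string]$ZipPath,            # e.g. .\RSA_MFA_Agent_<version>_PolicyTemplates.zip
    [Parameter(Mandatory = $true)] [string]$PolicyDefinitions   # destination folder
)

# Extract into a throw-away folder so the exclusion can be applied per top-level item.
$staging = Join-Path $env:TEMP ("rsa_gpo_" + [guid]::NewGuid().ToString('N'))
Expand-Archive -LiteralPath $ZipPath -DestinationPath $staging -Force

# Create PolicyDefinitions if it does not exist yet (the article's last step).
if (-not (Test-Path -LiteralPath $PolicyDefinitions)) {
    New-Item -ItemType Directory -Path $PolicyDefinitions | Out-Null
}

try {
    # Copy every top-level item except the Migration Tool folder. -Recurse preserves the
    # existing subfolder structure, which the Group Policy editor depends on.
    Get-ChildItem -LiteralPath $staging |
        Where-Object { $_.Name -ne 'Migration Tool' } |
        ForEach-Object {
            Copy-Item -LiteralPath $_.FullName -Destination $PolicyDefinitions -Recurse -Force
        }
}
finally {
    Remove-Item -LiteralPath $staging -Recurse -Force
}

# Report what landed: .admx files at the top level, .adml files in language subfolders.
$admx = Get-ChildItem -LiteralPath $PolicyDefinitions -Filter *.admx -File
$adml = Get-ChildItem -LiteralPath $PolicyDefinitions -Filter *.adml -File -Recurse
Write-Output ("Installed {0} .admx and {1} .adml files into {2}" -f @($admx).Count, @($adml).Count, $PolicyDefinitions)
```

Run it from an elevated PowerShell session on the domain controller, for example `.\Install-RsaGpoTemplates.ps1 -ZipPath .\RSA_MFA_Agent_<version>_PolicyTemplates.zip -PolicyDefinitions \\domain_name\SYSVOL\domain_name\Policies\PolicyDefinitions`, replacing domain_name and the version as the article describes.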
Note: The policies in the RSA GPO template are not configured. You need to configure the settings and apply them to a domain policy.
Install the RSA MFA Agent
- Download the latest version from RSA Community.
- Unzip and install the agent.
You can install the MFA Agent using an install wizard or command line.
Configure the Agent to Connect to RSA Authentication
After installing the agent, you must configure the agent to connect to RSA Authentication using the GPO templates.
To connect the Agent to RSA Authentication:
- Access the RSA Group Policy Object (GPO) templates.
- Configure the following GPO settings with the details copied from Cloud Administration Console:
- Enable RSA Authentication.
- Specify the RSA Authentication API key.
- Specify the RSA Authentication API REST URL.
- Add the access policy in the Cloud Access Service Access Policy GPO.
- Create a user group to challenge with RSA credentials:
- Apply the challenge settings using the RSA Challenge Group GPO and determine how the agent handles users whose group membership cannot be determined with the Cache Challenge Settings GPO.
- To avoid challenging users, either disable or do not configure the Enable RSA authentication GPO.
- To challenge all users, enable the Enable RSA Authentication GPO and disable or do not configure the RSA Challenge Group GPO.
For more information, see the latest RSA MFA Agent for Microsoft Windows Group Policy Object Template Guide.
RSA MFA Agent Authentication Utility
The RSA MFA Agent Authentication Utility enables users to test and manage authentication methods on machines where the RSA MFA Agent is installed.
Note: The previous RSA MFA Agent Test Authentication Tool (v2.3.6 and earlier) has been replaced by the new RSA MFA Agent Authentication Utility, which is automatically installed when you install the MFA Agent 2.4 or later.
The Authentication Utility enables the user to perform the following:
Important: The above features are available only when passwordless authentication is configured and enabled via an access policy. Otherwise, only the Test Authentication tab will appear.
Note: The Authentication Utility does not dynamically refresh the UI for changes that occur outside the application (such as onboarding via logon or backend policy updates). To view the latest onboarded methods or configuration changes, restart the Utility.
Test Authentication
Before you enable the MFA Agent in your organization, test authentication on a computer with the Authentication Utility.
You can ask your users to test authentication with the Authentication Utility. You can provide the instructions included in this section to your users.
You can test authentication on a computer with one of the following methods:
Passwordless Authentication
You can use the Authentication Utility to test online and offline authentication with passwordless authentication.
Before you begin
Configure the required settings to allow passwordless authentication and ensure the necessary requirements are met. See Configure Passwordless Authentication in the Installation and Administration Guide.
Procedure
- Sign in to a computer where the MFA Agent is installed.
- Click Start > RSA > RSA MFA Agent Authentication Utility.
The Test Authentication tab is opened by default.
- Enter the name of the user for whom you are testing authentication.
Enter the simple name (for example, myuser) or an email address (for example, myuser@mydomain.com).
Note: This name is displayed for users. Users cannot enter or edit the name.
- If you entered a simple user name, specify the domain, for example, mydomain.
Note: Local user accounts cannot be enabled with passwordless authentication.
- Click Test Online Authentication.
- Perform an authentication with a supported authentication method.
The MFA Agent verifies the credentials with CAS and prompts for additional authentication if required.
If the user is successfully enabled with passwordless authentication, a success message displays for verification.
- Wait 60 seconds after completing a successful online authentication, then click Test Offline Authentication, and use the method that is supported for the user. If the user successfully completes offline passwordless authentication, a success message displays for verification.
Additional Authentication
You can use the Authentication Utility to test online and offline authentication with additional authentication.
Procedure
- Perform steps 1 to 3 of the Test Passwordless Authentication procedure.
- If you entered a simple user name, specify the domain, for example, mydomain.
To test a local user account, enter the computer name in the Domain field, or enter .\username in the Username field.
- Click Test Online Authentication, and authenticate with an available authentication method.
- Wait 60 seconds after completing a successful online authentication, then click Test Offline Authentication, and use the method that is supported for the user:
- For the Cloud Authentication Service, enter the Authenticate OTP displayed on the user's Authenticator, or click on More ways to sign in (if displayed) and select Emergency Access Code, and enter the emergency access code generated in the Cloud Administration Console for the user.
- For Authentication Manager, enter the OTP from the user's hardware or software OTP credential, or enter the emergency access code or fixed OTP generated in the Security Console for the user.
Passwordless Onboarding
The Passwordless Onboarding functionality enables users to onboard supported passwordless authentication methods so they can sign in using those methods.
First-Time Launch (No Onboarded Methods)
If the user has no onboarded methods, the following procedure applies:
Procedure
- Click Passwordless Authentication Onboarding.
The user is prompted to authenticate using the default method configured in the CAS access policy. Other supported passwordless authentication methods (also as configured in the access policy) are displayed under the More ways to sign in menu.
- Perform the authentication. A success message appears.
- If QR Code, Mobile Passkey, or Device Biometrics was used to authenticate, all other non-FIDO supported methods are automatically onboarded.
- If a FIDO Passkey was used, all supported methods, including FIDO Passkeys, are onboarded.
Note: The Emergency Access Code (EAC) authentication method appears only when an administrator has configured it for the user as needed, even though it is included in the access policy.
Onboarding More Methods
A + button is displayed for users who have at least one method yet to be onboarded. If all four methods (QR Code, FIDO Passkey, Mobile Passkey, Device Biometrics) are already onboarded, the + button does not appear.
Emergency Access Methods
Emergency access allows users to sign in when they cannot use their registered passwordless authentication methods. Use the following options based on whether the user has completed passwordless onboarding.
Emergency Access Before Passwordless Onboarding
If the user has not yet onboarded any passwordless authentication methods:
- Disable the Exclude the Microsoft Password Credential Provider GPO setting. This ensures the Microsoft Password Credential Provider is shown at sign-in, allowing users to authenticate with their Windows password.
Note: After passwordless onboarding is completed, set Exclude the Microsoft Password Credential Provider to Not Configured or Enabled.
Emergency Access After Passwordless Onboarding
Online Authentication
Prerequisites
- Emergency Access Code must be enabled in CAS access policy.
- Cloud Authentication Service Public Key for Passwordless Authentication GPO must be configured correctly. Otherwise, disable Exclude the Microsoft Password Credential Provider to allow Windows password sign-in.
Procedure
- In the Cloud Administration Console, go to Users > Management.
- Search for the user and generate an Emergency Access Code.
- Share the code with the user.
The user selects Emergency Access Code from More ways to sign in and enters the code to authenticate.
Offline Authentication
Prerequisites
- Offline Emergency Access Code must be enabled in My Account > Company Settings > Sessions & Authentication.
- Cloud Authentication Service Public Key for Passwordless Authentication GPO must be configured correctly. Otherwise, disable Exclude the Microsoft Password Credential Provider to allow Windows password sign-in.
Procedure
- In the Cloud Administration Console, go to Users > Management.
- Search for the user and generate an Emergency Access Code with an expiry time.
- Share the code with the user.
The user selects Emergency Access Code from More ways to sign in and enters the code to sign in offline.
For more information about Emergency Access Codes, see Authentication Methods for Cloud Access Service Users in the Installation and Administration Guide.
Passwordless Authentication Flows
This section describes the flows of passwordless authentication for your first and subsequent authentications.
First Authentication
When you sign in or unlock your computer for the first time, the MFA Agent binds the passwordless authentication methods with your computer. The MFA Agent creates a Microsoft Virtual Smart Card and provisions it with a sign-in certificate for you.
Before you begin, ensure that your computer is connected to the network and all the prerequisites are met.
Procedure
- Enter your Entra ID username in the RSA passwordless credential provider.
- Perform multi-factor authentication using one of the supported passwordless methods.
- The MFA Agent verifies the authentication request with CAS and may prompt you for additional authentication methods if required.
- After successful verification, the MFA Agent binds the passwordless authentication methods to your computer.
- The MFA Agent creates a Microsoft Virtual Smart Card and provisions it with a sign-in certificate from the RSA CA.
- After the sign-in certificate is provisioned, you gain access to the computer.
Note: If your Entra ID password has expired, you are prompted to change it. The old password appears in the Change Password window.
Subsequent Authentications
After the first authentication, the passwordless method is already bound to your computer and the virtual smart card exists. You do not need to enter your password for subsequent authentications. Your computer may or may not need to be connected to the network after the second authentication.
Procedure
- Perform the same initial steps as in First Authentication to enter your Entra ID username and complete passwordless authentication.
- The MFA Agent verifies your credentials and may prompt for additional authentication methods, if required.
- During subsequent authentication, the MFA Agent verifies the authentication data, unlocks the local virtual smart card, and obtains the sign-in certificate.
- The MFA Agent sends the certificate to Microsoft Windows, which validates it and grants access to your computer.
For more information, refer to the latest Installation and Administration Guide in RSA MFA Agent for Microsoft Windows Documentation.