Troubleshooting: Control 1.23 - Step-Up Authentication for AI Agent Operations
Last Updated: January 2026
Common Issues
| Issue | Cause | Resolution |
|---|---|---|
| Step-up not triggering | Context not assigned to action | Map action to auth context |
| User can't complete step-up | No phishing-resistant method | Enroll FIDO2 or Windows Hello |
| Excessive step-up prompts | Sign-in frequency set too short | Adjust based on risk |
| Service principal bypass | SP not subject to step-up | Implement compensating control |
Detailed Troubleshooting
Issue: Step-Up Not Triggering
Symptoms: Sensitive action proceeds without re-authentication
Resolution:
- Verify action is mapped to authentication context
- Check CA policy targets the context
- Verify CA policy is enabled (not report-only)
- Check for policy conflicts or exceptions
Issue: User Cannot Complete Step-Up
Symptoms: User is denied access even after completing MFA
Resolution:
- Verify user has enrolled phishing-resistant method
- Check authentication strength requirements
- Verify user's device meets CA requirements
- Help user register FIDO2 key or Windows Hello
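The checks for both issues above can be run in one pass with Microsoft Graph PowerShell. This is an added example, not part of the original page or the control's own setup scripts; it assumes the Microsoft.Graph SDK is installed and the signed-in account holds the Policy.Read.All scope. Context IDs and policy names come from your tenant.

```powershell
# Added example: audit which Conditional Access policies enforce each
# authentication context, and flag the misconfigurations listed above
# (no policy targets the context, policy in report-only/disabled state,
# no authentication strength, so non-phishing-resistant MFA satisfies it).
# Assumes Microsoft.Graph PowerShell SDK and Policy.Read.All consent.
Connect-MgGraph -Scopes 'Policy.Read.All'

$contexts = Get-MgIdentityConditionalAccessAuthenticationContextClassReference
$policies = Get-MgIdentityConditionalAccessPolicy

foreach ($ctx in $contexts) {
    Write-Host "Context $($ctx.Id) '$($ctx.DisplayName)' (available: $($ctx.IsAvailable))"

    # Policies whose application condition includes this context ID
    $targeting = $policies | Where-Object {
        $_.Conditions.Applications.IncludeAuthenticationContextClassReferences -contains $ctx.Id
    }

    if (-not $targeting) {
        Write-Warning "  No CA policy targets this context; step-up will never trigger"
        continue
    }

    foreach ($p in $targeting) {
        $strength = $p.GrantControls.AuthenticationStrength.DisplayName
        $sif      = $p.SessionControls.SignInFrequency
        Write-Host "  Policy '$($p.DisplayName)' state=$($p.State) strength=$strength"

        # 'enabledForReportingButNotEnforced' is report-only: nothing is enforced
        if ($p.State -ne 'enabled') {
            Write-Warning "    Policy state is '$($p.State)'; step-up is not enforced"
        }
        if (-not $strength) {
            Write-Warning "    No authentication strength; any registered MFA method satisfies step-up"
        }
        if ($sif -and $sif.IsEnabled) {
            # Very short values here are the usual cause of excessive prompts
            Write-Host "    Sign-in frequency: $($sif.Value) $($sif.Type)"
        }
    }
}
```

Mapping the sensitive action to the context is done on the application side (the action must request the context's claim), which this script cannot see; it only confirms the tenant-side policy is in place.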
Escalation Path
- Entra Security Admin - CA policy configuration
- Entra Admin - Authentication methods
- Help Desk - User enrollment assistance
- Microsoft Support - Platform issues
Known Limitations
| Limitation | Impact | Workaround |
|---|---|---|
| Service principals exempt | SPs don't authenticate interactively | Use approval workflow |
| Not all apps support contexts | Limited integration | Use app-level controls |
| User experience friction | More prompts | Balance security with usability |
| FIDO2 hardware dependency | Requires physical key | Also allow Windows Hello |