Robot admin guide

Multifactor authentication (MFA) requires the use of two verification factors to authenticate users, such as something you know (e.g. password), something you have (e.g. a mobile device) or something you are (e.g. fingerprint or face scan). MFA thus significantly reduces the chances of unauthorized access in case user credentials are compromised. However, it also introduces additional complexity when used for unattended automation.

Since passwords count as a single factor, they aren't enough to authenticate MFA users, so Robots won't be able to create user sessions using password credentials. However, it is possible to use smart card credentials to authenticate these users.

First, you must create virtual smart cards on all the VMs where the Robot will be deployed to, for each Entra ID user that will be used to run automations. Virtual smart cards are recommended for this since they allow for easier deployment to multiple machines. A virtual smart card acts just like a physical smart card, except it uses the device's Trusted Platform Module (TPM) chip to store the cryptographic keys instead of a physical container [3].

Once the smart cards are created, you must configure Entra certificate-based authentication [4] to allow Entra IDs to authenticate using certificates. More specifically, these certificates must be configured as multi-factor [5] to satisfy the requirement for MFA.