For enterprises that use passwords today, passkeys (FIDO2) provide a seamless way for workers to authenticate without entering a username or password. Passkeys (FIDO2) provide improved productivity for workers, and have better security.
This article lists requirements and steps to enable passkeys in your organization. After completing these steps, users in your organization can then register and sign in to their Microsoft Entra account using a passkey stored on a FIDO2 security key or in Microsoft Authenticator.
Microsoft Entra ID currently supports device-bound passkeys stored on FIDO2 security keys and in Microsoft Authenticator. Microsoft is committed to securing customers and users with passkeys. We are investing in both synced and device-bound passkeys for work accounts.
Devices that support passkey (FIDO2) authentication. For Windows devices that are joined to Microsoft Entra ID, the best experience is on Windows 10 version 1903 or higher. Hybrid-joined devices must run Windows 10 version 2004 or higher.
The FIDO2 specification requires each security key vendor to provide an Authenticator Attestation GUID (AAGUID) during registration. An AAGUID is a 128-bit identifier indicating the key type, such as the make and model. Passkey (FIDO2) providers on desktop and mobile devices are also expected to provide an AAGUID during registration.
Poznámka
The vendor must ensure that the AAGUID is identical across all substantially identical security keys or passkey (FIDO2) providers made by that vendor, and different (with high probability) from the AAGUIDs of all other types of security keys or passkey (FIDO2) providers. To ensure this, the AAGUID for a given security key model or passkey (FIDO2) provider should be randomly generated. For more information, see Web Authentication: An API for accessing Public Key Credentials - Level 2 (w3.org).
You can work with your security key vendor to determine the AAGUID of the passkey (FIDO2), or see FIDO2 security keys eligible for attestation with Microsoft Entra ID. If the passkey (FIDO2) is already registered, you can find the AAGUID by viewing the authentication method details of the passkey (FIDO2) for the user.
Browse to Protection > Authentication methods > Policies.
Under the method Passkey (FIDO2), set the toggle to Enable. Select All users or Add groups to select specific groups. Only security groups are supported.
On the Configure tab:
Set Allow self-service set up to Yes. If set to No, users can't register a passkey by using Security info, even if passkeys (FIDO2) are enabled by the Authentication methods policy.
Set Enforce attestation to Yes if your organization wants to be assured that a FIDO2 security key model or passkey provider is genuine and comes from the legitimate vendor.
For FIDO2 security keys, we require security key metadata to be published and verified with the FIDO Alliance Metadata Service, and also pass Microsoft's another set of validation testing. For more information, see Become a Microsoft-compatible FIDO2 security key vendor.
Attestation enforcement governs whether a passkey (FIDO2) is allowed only during registration. Users who register a passkey (FIDO2) without attestation aren't blocked from sign-in if Enforce attestation is set to Yes later.
Key Restriction Policy
Enforce key restrictions should be set to Yes only if your organization wants to only allow or disallow certain security key models or passkey providers, which are identified by their AAGUID. You can work with your security key vendor to determine the AAGUID of the passkey. If the passkey is already registered, you can find the AAGUID by viewing the authentication method details of the passkey for the user.
When Enforce key restrictions is set to Yes, you can select Microsoft Authenticator to automatically add the Authenticator app AAGUIDs for you in the key restrictions list. For more information, see Enable passkeys in Microsoft Authenticator.
Upozornenie
Key restrictions set the usability of specific models or providers for both registration and authentication. If you change key restrictions and remove an AAGUID that you previously allowed, users who previously registered an allowed method can no longer use it for sign-in.
If your organization doesn't currently enforce key restrictions and already has active passkey usage, you should collect the AAGUIDs of the keys being used today. Add them to the allowlist, along with the Authenticator AAGUIDs, to enable passkeys (FIDO2). This task can be done with an automated script that analyzes logs, such as registration details and sign-in logs.
Poznámka
If you turn off key restrictions, make sure you clear the Microsoft Authenticator checkbox so that users aren’t prompted to set up a passkey in the Authenticator app in Security info.
After you finish the configuration, select Save.
Poznámka
If you see an error when you try to save, replace multiple groups with a single group in one operation, and then click Save again.
Provision FIDO2 security keys using Microsoft Graph API (preview)
The ability to request WebAuthn creation Options from Microsoft Entra ID
The ability to register the provisioned security key directly with Microsoft Entra ID
With these new APIs, organizations can build their own clients to provision passkey (FIDO2) credentials on security keys on behalf of a user. To simplify this process, three main steps are required.
Request creationOptions for a user: Microsoft Entra ID returns the necessary data for your client to provision a passkey (FIDO2) credential. This includes information such as user information, relying party ID, credential policy requirements, algorithms, registration challenge and more.
Provision the passkey (FIDO2) credential with the creation Options: Use the creationOptions and a client that supports the Client to Authenticator Protocol (CTAP) to provision the credential. During this step, you will need to insert the security key and set a PIN.
Register the provisioned credential with Microsoft Entra ID: Use the formatted output from the provisioning process to provide Microsoft Entra ID the necessary data to register the passkey (FIDO2) credential for the targeted user.
Enable passkeys (FIDO2) using Microsoft Graph API
In addition to using the Microsoft Entra admin center, you can also enable passkeys (FIDO2) by using the Microsoft Graph API. To enable passkeys (FIDO2), you need to update the Authentication methods policy as at least an Authentication Policy Administrator.
To configure the policy using Graph Explorer:
Sign in to Graph Explorer and consent to the Policy.Read.All and Policy.ReadWrite.AuthenticationMethod permissions.
Retrieve the Authentication methods policy:
JSON
GET https://graph.microsoft.com/v1.0/authenticationMethodsPolicy/authenticationMethodConfigurations/FIDO2
To disable attestation enforcement and enforce key restrictions to only allow the AAGUID for RSA DS100 for example, perform a PATCH operation using the following request body:
JSON
PATCH https://graph.microsoft.com/v1.0/authenticationMethodsPolicy/authenticationMethodConfigurations/FIDO2
Request Body:
{
"@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
"isAttestationEnforced": false,
"keyRestrictions": {
"isEnforced": true,
"enforcementType": "allow",
"aaGuids": [
"7e3f3d30-3557-4442-bdae-139312178b39",
<insert previous AAGUIDs here to keep them stored in policy>
]
}
}
Make sure that the passkey (FIDO2) policy is updated properly.
JSON
GET https://graph.microsoft.com/v1.0/authenticationMethodsPolicy/authenticationMethodConfigurations/FIDO2
Delete a passkey (FIDO2)
To remove a passkey (FIDO2) associated with a user account, delete it from the user's authentication method.
Select Authentication methods > right-click Passkey (device-bound) and select Delete.
Enforce passkey (FIDO2) sign-in
To make users sign in with a passkey (FIDO2) when they access a sensitive resource, you can:
Use a built-in phishing-resistant authentication strength
Or
Create a custom authentication strength
The following steps show how to create a custom authentication strength Conditional Access policy that allows passkey (FIDO2) sign-in for only a specific security key model or passkey (FIDO2) provider. For a list of FIDO2 providers, see FIDO2 security keys eligible for attestation with Microsoft Entra ID.
Registration of passkey (FIDO2) credentials isn't supported for B2B collaboration users in the resource tenant.
UPN changes
If a user's UPN changes, you can no longer modify passkeys (FIDO2) to account for the change. If the user has a passkey (FIDO2), they need to sign in to Security info, delete the old passkey (FIDO2), and add a new one.
There are multiple options for authentication in Azure AD. Learn how to implement and manage the right authentications for users based on business needs.