
Passkeys are now available in preview in Microsoft EntraID. In this blog post I will guide you through the setup, including the case where you are already using FIDO2 keys!

Set up the Authentication Method

First of all we have to set up the authentication method in EntraID so your users will be able to register passkeys. Follow the instructions below to set this up:

  1. Sign in to your tenant at https://portal.azure.com as at least an Authentication Policy Administrator (or Global Admin)
  2. Go to the EntraID module and then to Security
  3. Select Authentication Methods and select the FIDO2 security key method to edit it
  4. Add users or All Users that are allowed to use the Passkey and FIDO2 option (only in case you haven't done this yet)
  5. Make sure to configure it with the following settings:
    Allow self-service set up: Yes
    Enforce attestation: No
    Enforce key restrictions: Yes
    Restrict specific keys: Yes

Now that the FIDO2 enforcement settings are in place, we have to configure the correct AAGUIDs to make sure EntraID will allow passkeys from the Microsoft Authenticator app on iOS and Android.

Add the following AAGUIDs:

Microsoft Authenticator iOS: 90a3ccdf-635c-4729-a248-9b709135078f
Microsoft Authenticator Android: de1e552d-db1d-4423-a619-566b625cdc84

If you are already using FIDO2 keys, also add the AAGUIDs of those keys, because a key whose AAGUID is not in the list will no longer be accepted once key restrictions are enforced! You can find them on the manufacturer's website, or you can extract the AAGUIDs that are currently in use in your Azure environment.

Extract the AAGUIDs from EntraID

There is a really cool PowerShell module that you can use to extract the AAGUIDs. Please refer to this GitHub page: https://github.com/f-bader/EntraIDPasskeyHelper

  1. Install the Microsoft Graph PowerShell module (you will use it to connect to the Graph API)
    Install-Module Microsoft.Graph -Scope CurrentUser
  2. Install the EntraIDPasskeyHelper module
    Install-Module EntraIDPasskeyHelper -Scope CurrentUser
  3. Now refer to the GitHub page (link above) to extract the AAGUIDs
    # Connect to Microsoft Graph with the scopes the module needs to read sign-in logs and authentication methods
    Connect-MgGraph -Scopes "AuditLog.Read.All", "User.Read.All", "UserAuthenticationMethod.Read.All" -DeviceCode -NoWelcome
    # Gather information about all currently registered FIDO2 security keys
    Get-PasskeyDeviceBoundAAGUID
  4. Now add all the AAGUIDs to the policy, by adding them one-by-one.
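As an added example (not from this post or from the EntraIDPasskeyHelper project), the script below does the cross-check an admin wants before step 4 is considered done: it reads the AAGUID allow list from the FIDO2 method policy via the Graph REST API, collects the AAGUIDs of every FIDO2 method currently registered in the tenant, and reports which ones would be blocked once key restrictions are enforced. It assumes the Microsoft.Graph module from step 1 is installed, that the policy is in "Allow" mode as configured above, and that the account running it can consent to Policy.Read.All in addition to the scopes used earlier.

```powershell
# Added example: compare registered FIDO2/passkey AAGUIDs with the policy allow list.
# Not part of the blog post or the EntraIDPasskeyHelper module.
# Assumes Microsoft.Graph is installed and "Restrict specific keys" uses Allow mode.
Connect-MgGraph -Scopes "User.Read.All", "UserAuthenticationMethod.Read.All", "Policy.Read.All" -NoWelcome

# 1. Read the FIDO2 method configuration, including the key restriction list
$policyUri = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2"
$fido2 = Invoke-MgGraphRequest -Method GET -Uri $policyUri
$allowed = @($fido2.keyRestrictions.aaGuids | ForEach-Object { $_.ToLower() })
Write-Host ("Key restrictions enforced: {0} (mode: {1}), {2} AAGUID(s) listed" -f `
    $fido2.keyRestrictions.isEnforced, $fido2.keyRestrictions.enforcementType, $allowed.Count)

# 2. Collect every AAGUID registered as a FIDO2 method, following the paging links
$inUse = @{}
$usersUri = "https://graph.microsoft.com/v1.0/users?`$select=id,userPrincipalName&`$top=999"
while ($usersUri) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $usersUri
    foreach ($u in $page.value) {
        $methodsUri = "https://graph.microsoft.com/v1.0/users/$($u.id)/authentication/fido2Methods"
        $methods = Invoke-MgGraphRequest -Method GET -Uri $methodsUri
        foreach ($m in $methods.value) {
            $id = $m.aaGuid.ToLower()
            if (-not $inUse.ContainsKey($id)) {
                $inUse[$id] = [pscustomobject]@{ Model = $m.model; Users = 0 }
            }
            $inUse[$id].Users++
        }
    }
    $usersUri = $page.'@odata.nextLink'
}

# 3. Report which AAGUIDs are in use but missing from the allow list
foreach ($id in ($inUse.Keys | Sort-Object)) {
    $status = if ($allowed -contains $id) { "allowed" } else { "MISSING - add before enforcing" }
    Write-Host ("{0}  {1,-30} {2,4} user(s)  {3}" -f $id, $inUse[$id].Model, $inUse[$id].Users, $status)
}
```

Enumerating fido2Methods per user is one Graph call per user, so on a large tenant expect it to take a while; every AAGUID reported as MISSING is a key model that will stop working once the restriction is enforced.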

Set up the Passkey (iOS)

Now we can set up the passkey on the user's iOS device.

  1. Open the Microsoft Authenticator app on your iOS device
  2. In the top-right corner tap the “+” sign and add a Work or school account
  3. Use the Sign in option, even if your account already exists! So DO NOT scan the passkey QR code at this point
  4. Sign in with your account and approve the requests (MFA). This will add the passkey option to the account that is already on your device
  5. If you now tap on your account in the Authenticator you should see the “Passkey (preview)” option and you are ready to go!