Forum Discussion

pthoptho
Copper Contributor
Sep 16, 2025

MFA Initial Setup Now No Longer Offers Security Keys

Hi Microsoft Community,

We're trialling FIDO2 keys for our organisation as a primary means of MFA.

We bought a handful of keys to test with a month or so ago, and at the time using a Security Key was an option on first account setup, i.e. after you have provided your Microsoft ID and password you are then taken to the Initial Setup wizard.

However on testing it now seems like the only options present to the user on initial setup are Authenticator, Hardware Token, and Phone Number.

Why/has Microsoft changed approach here, and is there an option to permit use of a Security Key on this pane, as I cannot find a setting for this within the Admin Console.

It is worth noting that we can use Authenticator on this screen to complete the process, then go to Microsoft Account Security page, add a secondary means of MFA (Security Key), and then delete the original Authenticator method, leaving us with just the Security Key. Of course, this is not practical given we intended to be totally hands-off with our deployment.

Many Thanks

1 Reply

  • Hi pthoptho, here are steps you can take to try to restore the behavior or work around the change:

    Verify Authentication Methods Policy

      • In Azure / Entra portal, go to Security → Authentication methods → Policies.
      • Open the FIDO2 / Security key policy. Make sure it is Enabled, that users / groups are included, and that Self-service setup is allowed.

    Check for Key Restrictions / AAGUID Blocklist

      • If your security keys are not from Microsoft‐verified vendors or the AAGUID isn’t in the allowed list, they might be blocked by policy.

    Use Temporary Access Pass (TAP)

      • You might use TAP for initial onboarding / registration when no other MFA is present, then enable the Security Key via the “Security Info” page. This could get around the barrier where initial setup doesn’t show the key.

    Raise a Support Case / Feedback

      • It looks like behavior changed recently (based on community posts). If your tenant had earlier behavior of showing Security Key at initial setup, this might be a regression or change in policy enforcement. Microsoft support or feedback might clarify.

    Monitor Documentation / Release Notes

      • Microsoft often updates the available methods / initial registration behavior via their Entra / Azure updates. Keep an eye on “Identity / Authentication methods / FIDO2 / Passkeys” release notes.
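The policy checks from the first two steps of the reply (method enabled, user targeted, self-service setup allowed, AAGUID key restrictions), written as an added example that is not part of the original thread or Microsoft's own code. It evaluates a JSON document shaped like the Microsoft Graph `fido2AuthenticationMethodConfiguration` resource; the function name, group IDs and AAGUIDs are constructed for illustration, and it assesses the policy only, not what the initial setup wizard chooses to display.

```python
import json

# Constructed sample shaped like the Microsoft Graph
# fido2AuthenticationMethodConfiguration resource (not real tenant data).
SAMPLE_POLICY = json.loads("""
{
  "id": "Fido2",
  "state": "enabled",
  "isSelfServiceRegistrationAllowed": true,
  "keyRestrictions": {
    "isEnforced": true,
    "enforcementType": "allow",
    "aaGuids": ["00000000-0000-0000-0000-000000000001"]
  },
  "includeTargets": [{"targetType": "group", "id": "11111111-1111-1111-1111-111111111111"}],
  "excludeTargets": []
}
""")


def fido2_registration_blockers(policy, user_group_ids, key_aaguid):
    """Return the reasons this policy would stop the user registering this key."""
    reasons = []
    if policy.get("state") != "enabled":
        reasons.append("FIDO2 method is not enabled")
    if not policy.get("isSelfServiceRegistrationAllowed", False):
        reasons.append("self-service setup is not allowed")

    groups = set(user_group_ids) | {"all_users"}  # every user matches the all_users target
    included = {t["id"] for t in policy.get("includeTargets", [])}
    excluded = {t["id"] for t in policy.get("excludeTargets", [])}
    if not groups & included:
        reasons.append("user is not in an included group")
    if groups & excluded:
        reasons.append("user is in an excluded group")

    kr = policy.get("keyRestrictions") or {}
    if kr.get("isEnforced"):
        listed = key_aaguid.lower() in {a.lower() for a in kr.get("aaGuids", [])}
        if kr.get("enforcementType") == "allow" and not listed:
            reasons.append("AAGUID is not on the allow list")
        if kr.get("enforcementType") == "block" and listed:
            reasons.append("AAGUID is on the block list")
    return reasons


if __name__ == "__main__":
    # Constructed inputs: a user outside the targeted group, with an unlisted key model.
    print(fido2_registration_blockers(SAMPLE_POLICY, ["22222222-2222-2222-2222-222222222222"],
                                      "00000000-0000-0000-0000-000000000002"))
```

An empty list means the policy itself does not stand in the way, which points toward the registration-flow change discussed in the remaining steps.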
