Forum Discussion
pthoptho
Sep 16, 2025 · Copper Contributor
MFA Initial Setup Now No Longer Offers Security Keys
Hi Microsoft Community, We're trialling FIDO2 keys for our organisation as a primary means of MFA. We bought a handful of keys to test with a month or so ago, and at the time using a Security...
Sep 17, 2025
Hi pthoptho, here are steps you can take to try to restore the behavior or work around the change:
Verify Authentication Methods Policy
- In Azure / Entra portal, go to Security → Authentication methods → Policies.
- Open the FIDO2 / Security key policy. Make sure it is Enabled, that users / groups are included, and that Self-service setup is allowed.
Check for Key Restrictions / AAGUID Blocklist
- If your security keys are not from Microsoft‐verified vendors or the AAGUID isn’t in the allowed list, they might be blocked by policy.
Use Temporary Access Pass (TAP)
- You might use TAP for initial onboarding / registration when no other MFA is present, then enable the Security Key via the “Security Info” page. This could get around the barrier where initial setup doesn’t show the key.
Raise a Support Case / Feedback
- It looks like behavior changed recently (based on community posts). If your tenant had earlier behavior of showing Security Key at initial setup, this might be a regression or change in policy enforcement. Microsoft support or feedback might clarify.
Monitor Documentation / Release Notes
- Microsoft often updates the available methods / initial registration behavior via their Entra / Azure updates. Keep an eye on “Identity / Authentication methods / FIDO2 / Passkeys” release notes.
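
An added example, not part of the reply above and not Microsoft's code: a Python check covering the first two items (policy state, self-service setup, targeting, and AAGUID key restrictions) against the FIDO2 method configuration as Microsoft Graph returns it from `GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2`. The policy JSON, group ID and AAGUID below are constructed sample values, and `fido2_policy_findings` is a hypothetical helper name.

```python
import json

# Constructed sample shaped like the Microsoft Graph resource
# fido2AuthenticationMethodConfiguration; the group ID and AAGUID are made up.
SAMPLE_POLICY = json.loads("""
{
  "id": "Fido2",
  "state": "enabled",
  "isSelfServiceRegistrationAllowed": true,
  "isAttestationEnforced": true,
  "keyRestrictions": {
    "isEnforced": true,
    "enforcementType": "allow",
    "aaGuids": ["11111111-2222-3333-4444-555555555555"]
  },
  "includeTargets": [{"targetType": "group", "id": "pilot-group-id"}],
  "excludeTargets": []
}
""")


def fido2_policy_findings(policy, key_aaguid, user_group_ids):
    """Return the policy reasons that would stop this user registering this key."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append("FIDO2 method is not enabled")
    if not policy.get("isSelfServiceRegistrationAllowed", False):
        findings.append("self-service setup is not allowed")

    # Graph uses the literal id "all_users" for the All users target.
    groups = set(user_group_ids) | {"all_users"}
    included = any(t["id"] in groups for t in policy.get("includeTargets") or [])
    excluded = any(t["id"] in user_group_ids for t in policy.get("excludeTargets") or [])
    if not included or excluded:
        findings.append("user is not targeted by the policy")

    # Key restrictions only apply when enforced; AAGUIDs compare case-insensitively.
    kr = policy.get("keyRestrictions") or {}
    listed = key_aaguid.lower() in {g.lower() for g in kr.get("aaGuids") or []}
    if kr.get("isEnforced"):
        mode = kr.get("enforcementType")
        if mode == "allow" and not listed:
            findings.append("AAGUID is not on the allow list")
        elif mode == "block" and listed:
            findings.append("AAGUID is on the block list")
    return findings
```

An empty result means the policy itself is not what hides the security key option, which leaves the Temporary Access Pass route and a support case as the next steps.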