Forum Discussion
Microsoft Entra ID (Azure AD) support for Passkeys
- Apr 18, 2024
This is the best article I have seen so far regarding background and setup requirements for Microsoft Authenticator Passkeys in Entra ID
https://janbakker.tech/get-started-with-passkeys-in-microsoft-365/
March has come and gone, still no passkeys. We contacted MS support about this and they said that the feature would appear in the "Preview features" area of Entra ID:
But I am skeptical that it will appear here.
We have followed the instructions to configure the following in our test tenant; the AAGUIDs are not easy to find. We believe, reading this, that the only way to opt in is to do the part in red?
"
In the Entra admin portal, we will be renaming “FIDO2 security keys” to “Passkeys (FIDO2)” within the authentication methods policy and Conditional Access authentication strengths policy.
For your organization to opt-in to this preview, you will need to enforce key restrictions to allow specified passkey providers in your FIDO2 policy. Here are the possible configuration states for FIDO2 key restrictions during the preview:
- No key restrictions (FIDO2 policy default): Tenant allows all security key models. Device-bound passkey providers on computers and mobile devices are not allowed.
- Key restrictions set to "Allow": Tenant only allows the explicitly added AAGUIDs. To enable a device-bound passkey provider, add their AAGUID(s) to the key restrictions list.
- Key restrictions set to "Block": Tenant blocks the explicitly added AAGUIDs and allows all other security key models. Device-bound passkey providers on computers and mobile devices are not allowed."
Still not working, same error when naming the passkey that you guys are seeing.
I do not understand how Microsoft can have this in an error state for so long, and now that "Passkey (Preview)" is also showing for us when configuring Authentication methods it makes it even worse.
Microsoft, if it is not ready for production, don't show us enticing setup wizards that are made to fail until release. It's been months!
Drogon1635 last update I saw on Twitter was that an announcement on this was coming in the next 1-2 weeks so 🤞. I would recommend subscribing to https://entra.news/ as this is a great weekly source of information regarding changes to Microsoft Entra.
- Kyle_Lam, Apr 12, 2024, Copper Contributor
mcoombe @Drogon1635 I can set up the Passkey in Microsoft Authenticator (Preview) today!!!
https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-enable-authenticator-passkey
For the iCloud Keychain passkey, my Entra ID is not yet supported. I attempted to add a passkey in the Microsoft Authenticator and a Security Key, but both attempts failed. Fortunately, I can still use the passkey in Microsoft Authenticator.
- STACDRU, Apr 12, 2024, Brass Contributor
Kyle_Lam This is promising. I'm still not able to see the "Passkey (FIDO2)" under my Azure "Authentication methods | Policies", mine still says "FIDO2 security key". I believe Microsoft only intends to support Passkeys in their native app Microsoft Authenticator at least for the short term.
- STACDRU, Apr 12, 2024, Brass Contributor
Cancel this, it is working. Wording still shows "FIDO2 security key", but after I added the two AAGUIDs the option appeared.
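
Added example, not part of any post in this thread and not Microsoft's code: a Python check that applies the three key-restriction states quoted in the thread to an exported FIDO2 policy, to show which passkey provider AAGUIDs a tenant would still reject. The field names follow the Graph `keyRestrictions` object (`isEnforced`, `enforcementType`, `aaGuids`); the function names and the AAGUID values are constructed placeholders.

```python
import uuid

def norm(g):
    # AAGUIDs are UUIDs; normalise case and braces before comparing.
    return uuid.UUID(g.strip("{} "))

def provider_allowed(key_restrictions, aaguid, device_bound_provider):
    """Apply the three preview states quoted in the thread to one authenticator.

    key_restrictions is shaped like the keyRestrictions object of the FIDO2
    authentication method policy: isEnforced, enforcementType, aaGuids.
    """
    listed = {norm(g) for g in key_restrictions.get("aaGuids") or []}
    if not key_restrictions.get("isEnforced"):
        # No key restrictions: every security key model, no device-bound providers.
        return not device_bound_provider
    mode = str(key_restrictions.get("enforcementType", "")).lower()
    if mode == "allow":
        # Only explicitly added AAGUIDs, whether hardware key or passkey provider.
        return norm(aaguid) in listed
    if mode == "block":
        # Listed AAGUIDs are blocked; device-bound providers stay disallowed.
        return norm(aaguid) not in listed and not device_bound_provider
    raise ValueError(f"unknown enforcementType: {mode!r}")

def missing_from_allow_list(key_restrictions, wanted_aaguids):
    """Return the wanted provider AAGUIDs that the policy would still reject."""
    return [g for g in wanted_aaguids
            if not provider_allowed(key_restrictions, g, device_bound_provider=True)]

# Constructed placeholder AAGUIDs, not real vendor values.
PROVIDER_A = "11111111-1111-4111-8111-111111111111"
PROVIDER_B = "22222222-2222-4222-8222-222222222222"
HARDWARE_KEY = "33333333-3333-4333-8333-333333333333"

# Constructed policy exports, one per state described in the quoted text.
DEFAULT = {"isEnforced": False, "enforcementType": "allow", "aaGuids": []}
ALLOW_ONE = {"isEnforced": True, "enforcementType": "allow",
             "aaGuids": [PROVIDER_A.upper()]}
BLOCK_KEY = {"isEnforced": True, "enforcementType": "block",
             "aaGuids": [HARDWARE_KEY]}

if __name__ == "__main__":
    for name, policy in [("default", DEFAULT), ("allow", ALLOW_ONE), ("block", BLOCK_KEY)]:
        print(name, missing_from_allow_list(policy, [PROVIDER_A, PROVIDER_B]))
```

Only the "Allow" state can admit a device-bound provider, and in that state every hardware key model the tenant still needs has to be listed as well.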