Forum Discussion
Fido passkeys blocked by policy
Hi all
I'm helping out a customer with deploying physical passkeys and I'm running into a weird error.
I've activated the sign-in method and selected the two AAGUIDs for the Authenticator app, and I've added the right AAGUID for the brand and model of passkey we are using.
We can select the authentication method and enroll the security correctly but when trying to sign in using it we get the error as displayed in the attached picture.
When checking the sign-in logs I get this error message:
FIDO sign-in is disabled via policy
6 Replies
- Nathan_McNulty (Copper Contributor)
Turn off passkeys, wait at least 5 minutes, turn it back on, then wait at least another 5 minutes and try again ;)
If the passkeys are registering, then the Authentication methods configuration is correct, but the distributed policy to the authentication services is not. We have to flip it off and back on to force an update of those policies.
- PeterJ_Inobits (Iron Contributor)
All of this customer's CAPs are in report-only mode and security defaults have been disabled.
- Ankit365 (Brass Contributor)
Hi Peter, try the following:
Navigate to Entra Admin Center → Protection → Authentication methods → FIDO2 Security Key
Check the following:
It is fully enabled, not just targeted.
"Allow self-service set up" is enabled.
The AAGUID for your passkey is correct and not truncated or malformed (some keys use uppercase or extra characters; copy directly from a known working session).
Test:
A clean sign-in on a fully Entra ID joined device (not hybrid), and also in an InPrivate window with no extensions.
Even with all CAPs disabled, the Authentication Methods policy alone is enough to block FIDO2 sign-in.
- PeterJ_Inobits (Iron Contributor)
Everything checks out. However, there is no CAP requiring passkeys. Also, all the per-user MFA settings are disabled.
- PeterJ_Inobits (Iron Contributor)
Thanks very much for this. I will take a look. I'm fairly sure all of this is set up, but I will definitely revisit everything.
- Ankit365 (Brass Contributor)
You're encountering error code 135016 — "FIDO sign-in is disabled via policy" — even though you've enabled passkey sign-in and specified the correct AAGUIDs. This error is a known issue, often because one or more policies or settings are not fully aligned across Azure AD (Microsoft Entra ID), Conditional Access, or the Authentication Methods policy — even if FIDO2 appears enabled on the surface.
Go to Microsoft Entra Admin Center → Protection → Authentication methods → FIDO2 Security Key
Ensure FIDO2 is enabled (not just "targeted"). Check that the user/group is assigned in the targeting section. Verify that "Allow self-service set up" is ON. Ensure the AAGUID of your passkey is correctly entered and not misspelled.
Also, try temporarily removing CA restrictions or setting a policy allowing FIDO2 as the primary sign-in method.
Last, if you use Auth strengths within any CAP, go to Entra Admin Center → Protection → Authentication Strengths and confirm that your FIDO2 configuration is included in the expected strength set.
I know some Hybrid join devices also throw this error; you might want to test it on the Entra-joined device first. In any case, always check Sign-in Logs > Authentication Details > Sign-in method.
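The two checklists above (method enabled and targeted, self-service set up allowed, AAGUID entered exactly) can be turned into an offline audit of the FIDO2 authentication method configuration. The script below is an added example written for this thread, not code from any of the posters or from Microsoft. It assumes the field names of the Graph resource returned by `GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2` (`state`, `isSelfServiceRegistrationAllowed`, `includeTargets`, `keyRestrictions` with `isEnforced`, `enforcementType` and `aaGuids`); the configuration it checks is a constructed sample that deliberately contains one uppercase and one truncated AAGUID, the two malformed-entry cases mentioned above.

```python
"""Offline audit of an Entra FIDO2 authentication method configuration.

Added example: checks the settings the thread lists (state, self-service
set up, targeting, AAGUID allow list) and validates every AAGUID as a UUID,
so a truncated or non-canonical entry is reported before sign-in is tested.
"""
import uuid

# Constructed sample; field names are an assumption based on the Graph
# fido2AuthenticationMethodConfiguration resource, not a real tenant export.
SAMPLE_CONFIG = {
    "id": "Fido2",
    "state": "enabled",
    "isSelfServiceRegistrationAllowed": True,
    "isAttestationEnforced": False,
    "includeTargets": [
        {"targetType": "group", "id": "00000000-0000-0000-0000-000000000001"}
    ],
    "keyRestrictions": {
        "isEnforced": True,
        "enforcementType": "allow",   # Graph uses "allow" or "block"
        "aaGuids": [
            "90a3ccdf-635c-4729-a248-9b709135078f",  # canonical, fine
            "DE1E552D-DB1D-4423-A619-566B625CDC84",  # uppercase: parses, not canonical
            "2fc0579f-8113-47ea-b116-bb5a8db9202",   # truncated: last group is 11 hex digits
        ],
    },
}


def normalize_aaguid(value):
    """Return the canonical lowercase hyphenated AAGUID, or None if invalid.

    uuid.UUID() tolerates case, braces and missing hyphens but rejects any
    string that does not contain exactly 32 hex digits, which catches the
    truncated-paste case from the thread.
    """
    try:
        return str(uuid.UUID(str(value).strip()))
    except ValueError:
        return None


def audit_fido2_config(config, passkey_aaguid):
    """Return a list of (level, message) findings; level is 'error' or 'warn'."""
    findings = []
    if config.get("state") != "enabled":
        findings.append(("error", "method state is %r, expected 'enabled'" % config.get("state")))
    if not config.get("isSelfServiceRegistrationAllowed"):
        findings.append(("error", "'Allow self-service set up' is off"))
    if not config.get("includeTargets"):
        findings.append(("error", "no user or group is targeted"))

    restrictions = config.get("keyRestrictions") or {}
    allowed = []
    for raw in restrictions.get("aaGuids", []):
        canon = normalize_aaguid(raw)
        if canon is None:
            findings.append(("error", "malformed AAGUID in policy: %r" % raw))
            continue
        if canon != raw:
            # Entra may still accept this, so report it as a warning only.
            findings.append(("warn", "AAGUID %r is not canonical lowercase (%s)" % (raw, canon)))
        allowed.append(canon)

    wanted = normalize_aaguid(passkey_aaguid)
    if wanted is None:
        findings.append(("error", "the passkey's own AAGUID %r is malformed" % passkey_aaguid))
    elif restrictions.get("isEnforced"):
        mode = restrictions.get("enforcementType")
        if mode == "allow" and wanted not in allowed:
            findings.append(("error", "passkey AAGUID %s is not on the allow list" % wanted))
        elif mode == "block" and wanted in allowed:
            findings.append(("error", "passkey AAGUID %s is on the block list" % wanted))
    return findings


def sign_in_expected_to_work(findings):
    """True when no finding is at 'error' level."""
    return not any(level == "error" for level, _ in findings)


if __name__ == "__main__":
    for level, msg in audit_fido2_config(SAMPLE_CONFIG, "90A3CCDF-635C-4729-A248-9B709135078F"):
        print("%-5s %s" % (level.upper(), msg))
```

In a real tenant the dictionary would come from the Graph endpoint named above (for example via `Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -AuthenticationMethodConfigurationId Fido2` in the Microsoft Graph PowerShell module) and `passkey_aaguid` from the key vendor's published metadata; the audit passes the key's AAGUID through the same normalization as the policy entries, so a case difference between the two is not reported as a mismatch.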