Forum Discussion

Iron Contributor

May 21, 2025

Fido passkeys blocked by policy

Hi all I'm helping out a customer with deploying physical passkeys and I'm running into a weird error. I've activated the sign in method and selected the two AAGuids for the Authenticator app an...

Authentication

Azure Active Directory (AAD)

Iron Contributor

May 30, 2025

All of this customer's CAP's are in report only mode and security defaults have been disabled

Ankit365
Brass Contributor
May 30, 2025
Hi Peter, Try following
Navigate to Entra Admin Center → Protection → Authentication methods → FIDO2 Security Key
Check following:
It is fully enabled, not just targeted.
“Allow self-service set up” is enabled.
The AAGUID for your passkey is correct and not truncated or malformed (some keys use uppercase or extra characters — copy directly from a known working session).

Test:
A clean sign-in on a fully Entra ID joined device (not hybrid) and also in an InPrivate Window with no extensions.

Even with all CAPs disabled, the Authentication Methods policy alone is enough to block FIDO2 sign-in.
- PeterJ_Inobits
  Iron Contributor
  May 31, 2025
  Everything checks out. However there is no CAP requiring vPasskeys. Also all the user per user MFA settings are disabled