Forum Discussion
PeterJ_Inobits
May 21, 2025 - Iron Contributor
Fido passkeys blocked by policy
Hi all, I'm helping out a customer with deploying physical passkeys and I'm running into a weird error. I've activated the sign-in method and selected the two AAGUIDs for the Authenticator app an...
Ankit365
May 30, 2025 - Brass Contributor
Hi Peter, try the following:
Navigate to Entra Admin Center → Protection → Authentication methods → FIDO2 Security Key
Check the following:
It is fully enabled, not just targeted.
“Allow self-service set up” is enabled.
The AAGUID for your passkey is correct and not truncated or malformed (some keys use uppercase or extra characters — copy directly from a known working session).
Test:
A clean sign-in on a fully Entra ID joined device (not hybrid) and also in an InPrivate Window with no extensions.
Even with all CAPs disabled, the Authentication Methods policy alone is enough to block FIDO2 sign-in.
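The checks listed in the reply above can be run offline against an export of the FIDO2 method configuration. This is an added example, not part of the original post: the property names follow Microsoft Graph's fido2AuthenticationMethodConfiguration resource, the function names are hypothetical, and the policy and AAGUID values are constructed placeholders. AAGUIDs are compared case-insensitively.

```python
import uuid

# Constructed sample, shaped like the Microsoft Graph fido2 authentication method
# configuration. All AAGUID values are made-up placeholders.
SAMPLE_POLICY = {
    "state": "enabled",
    "isSelfServiceRegistrationAllowed": True,
    "keyRestrictions": {
        "isEnforced": True,
        "enforcementType": "allow",
        "aaGuids": [
            "11111111-2222-3333-4444-555555555555",
            "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEE",        # truncated when pasted
            " 99999999-8888-7777-6666-555555555555 ",  # stray whitespace
        ],
    },
}

def normalize_aaguid(value):
    """Return the lowercase 8-4-4-4-12 form, or None if the text is malformed."""
    try:
        parsed = uuid.UUID(value)
    except (ValueError, AttributeError, TypeError):
        return None
    # uuid.UUID also accepts braces and unhyphenated hex; insist on the plain form.
    return str(parsed) if str(parsed) == value.lower() else None

def audit_fido2_policy(policy, key_aaguid):
    """List the policy-level reasons a key with key_aaguid could be refused."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append("FIDO2 method is not enabled")
    if not policy.get("isSelfServiceRegistrationAllowed"):
        findings.append("self-service set up is disabled")
    restrictions = policy.get("keyRestrictions") or {}
    listed = set()
    for raw in restrictions.get("aaGuids", []):
        norm = normalize_aaguid(raw)
        if norm is None:
            findings.append(f"malformed AAGUID in policy: {raw!r}")
        else:
            listed.add(norm)
    if restrictions.get("isEnforced"):
        key = normalize_aaguid(key_aaguid)
        mode = restrictions.get("enforcementType")
        if key is None:
            findings.append(f"key AAGUID is malformed: {key_aaguid!r}")
        elif (mode == "allow") != (key in listed):
            findings.append(f"key AAGUID {key} is refused by the {mode} list")
    return findings
```

An empty list from `audit_fido2_policy` means none of these policy-level checks explains the block, so the cause lies elsewhere.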
PeterJ_Inobits
May 31, 2025 - Iron Contributor
Everything checks out. However, there is no CAP requiring passkeys. Also, all the users' per-user MFA settings are disabled.