chandraO
Copper Contributor
May 25, 2026
Solved

Passkey Sign in Method (Entra Account) missing in Security

Hi Microsoft Support  

  We enabled FIDO2 passkey in Entra ID. However, when we try to register the FIDO2 passkey on myaccount.microsoft.com -> Security -> Add a Sign-in Method -> Passkey is missing. Attached screenshot.  

 

  For a personal account, the Passkey method is available at the same location, even though the interface is slightly different from that of an Entra ID account. Attached screenshot for the personal account as well.  

 

 Kindly guide us on where to register the passkey or if we need to enable certain settings in Entra ID for the passkey to show up in sign-in methods. 

 We have Auth Strengths enabled in Entra ID for the particular user in question and this reflects in the Device Lockscreen during login on an Entra Registered Device. 

Thanks

Chandra

3 Replies

  • chandraO
    Copper Contributor

    Hi Lucaraheller​ DerekMorgan2​ 

     We enabled all the settings as mentioned by you. This was apparently not the issue. 

     Auth Methods -> Passkeys (FIDO2). It seems adding the user to a particular group and enabling it was not effective. When All Users was selected, the Passkeys are now visible back in my account. 

     This can be closed. 
    Thanks

    Chandra

  • DerekMorgan2
    Brass Contributor

    Hi chandraO,

    If self-service setup is already on and the user is in scope, the next place I'd look is key restrictions. Under Protection > Authentication methods > Passkey (FIDO2) > Configure, check Enforce key restrictions. If it's on with an Allow list, any authenticator whose AAGUID isn't on that list gets blocked, and the Passkey option won't show in Security Info even with everything else set correctly.

    Worth separating out one more thing: the Auth Strength you have enabled governs what satisfies a sign-in. That's a different control from what makes a method registerable, so it showing on the Entra lockscreen is expected and doesn't drive whether Passkey appears under Add sign-in method. Easy to read the two as the same gate when they aren't.

    If key restrictions are clear and it's still missing, happy to dig further.

  • Hi Chandra,

    For Entra ID accounts, I would check the Authentication Methods policy first.

    In the Entra admin center, go to:

    Protection > Authentication methods > Policies > Passkey (FIDO2)

    Make sure that:

    1. Passkey (FIDO2) is enabled.
    2. The user is included in the target group.
    3. “Allow self-service set up” is set to Yes.
    4. If you are using passkey profiles, the correct profile is assigned.
    5. The user is using the work/school Security Info page, not the personal Microsoft account page.

    The registration page should be:

    https://mysignins.microsoft.com/security-info

    Then select:

    Add sign-in method > Passkey

    If “Allow self-service set up” is disabled, users may not see the Passkey option in Security Info even if Passkey (FIDO2) is enabled in the tenant.

    Microsoft documentation:

    https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-authentication-passkeys-fido2

    https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-register-passkey
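
The checks raised in this thread (method enabled, user in scope, self-service set up, key restrictions) can be run against an exported copy of the Passkey (FIDO2) policy. This is an added example, not code from any poster or from Microsoft; it assumes the policy JSON uses the field names of the Microsoft Graph `fido2AuthenticationMethodConfiguration` resource without passkey profiles, that the caller supplies the user's group IDs (including nested memberships), and all IDs shown are constructed placeholders.

```python
import json

# Constructed sample shaped like a Graph fido2AuthenticationMethodConfiguration
# object. Group ID and AAGUID are placeholders, not real values.
SAMPLE_POLICY = json.loads("""
{
  "id": "Fido2",
  "state": "enabled",
  "isSelfServiceRegistrationAllowed": true,
  "keyRestrictions": {
    "isEnforced": true,
    "enforcementType": "allow",
    "aaGuids": ["11111111-1111-1111-1111-111111111111"]
  },
  "includeTargets": [
    {"targetType": "group", "id": "aaaaaaaa-0000-0000-0000-000000000001"}
  ],
  "excludeTargets": []
}
""")


def passkey_registration_blockers(policy, user_group_ids, aaguid=None):
    """Return the policy settings that would stop this user registering a passkey."""
    # Every user is implicitly a member of the special "all_users" target.
    groups = {g.lower() for g in user_group_ids} | {"all_users"}
    reasons = []
    if policy.get("state") != "enabled":
        reasons.append("Passkey (FIDO2) method is not enabled")
    included = {t["id"].lower() for t in policy.get("includeTargets", [])}
    excluded = {t["id"].lower() for t in policy.get("excludeTargets", [])}
    if not included & groups:
        reasons.append("user is not in any included target group")
    if excluded & groups:
        reasons.append("user is in an excluded target group")
    if not policy.get("isSelfServiceRegistrationAllowed", False):
        reasons.append("self-service set up is not allowed")
    # Key restrictions only matter once a specific authenticator model is known.
    kr = policy.get("keyRestrictions") or {}
    if kr.get("isEnforced") and aaguid is not None:
        listed = aaguid.lower() in {a.lower() for a in kr.get("aaGuids", [])}
        mode = kr.get("enforcementType")
        if mode == "allow" and not listed:
            reasons.append("AAGUID is not on the allow list")
        elif mode == "block" and listed:
            reasons.append("AAGUID is on the block list")
    return reasons
```

An empty list means the policy itself does not exclude the user, which narrows the problem to group membership resolution or propagation rather than the settings.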