Microsoft Tech Community
Announcing the public preview of Azure AD support for FIDO2-based passwordless sign-in
Published Jul 10 2019 09:00 AM

Howdy folks,

 

I’m thrilled to let you know that you can now go passwordless with the public preview of FIDO2 security keys support in Azure Active Directory (Azure AD)! Many teams across Microsoft have been involved in this effort, and we’re proud to deliver on our vision of making FIDO2 technologies a reality to provide you with seamless, secure, and passwordless access to all your Azure AD-connected apps and services.

 

In addition, we turned on a new set of admin capabilities in the Azure AD portal that enable you to manage authentication factors for users and groups in your organization. In this first release, you can use them to manage a staged rollout of passwordless authentication using FIDO2 security keys and/or the Microsoft Authenticator application. Going forward you’ll see us add the ability to manage all our traditional authentication factors (Multi-Factor Authentication (MFA), OATH Tokens, phone number sign in, etc.). Our goal is to enable you to use this one tool to manage all your authentication factors.

 

Why do we feel so strongly about passwordless?

Every day, more and more of our customers move to cloud services and applications. They need to know that the data and services stored in these services are secure. Unfortunately, passwords are no longer an effective security mechanism. We know from industry analysts that 81 percent of successful cyberattacks begin with a compromised username and password. Additionally, traditional MFA, while very effective, can be hard to use and has a very low adoption rate.

 

It’s clear we need to provide our customers with authentication options that are secure and easy to use, so they can confidently access information without having to worry about hackers taking over their accounts.

 

This is where passwordless authentication comes in. We believe it will help to significantly and permanently reduce the risk of account compromise.

 

[Figure: passwordless sign-in flow]

 

 

Now, once their admin has enabled the method for them, Azure AD users can sign in password-free using a FIDO2 security key, the Microsoft Authenticator app, or Windows Hello. These strong authentication factors are built on the same public-key cryptography standards and protocols: a private key is generated and stored securely on the device (the security key, the phone, or the PC) and is protected by a biometric factor (fingerprint or facial recognition) or a PIN. The user applies the biometric or PIN to unlock the private key, which then signs a challenge from the service. The service verifies that signature with the matching public key it holds, proving who the user and the device are without any shared secret that could be phished or replayed.

 


 

Check out this video where Joy Chik, corporate vice president of Identity, and I talk more about this new standard for signing in. To learn more about why this should be a priority for you and your organization, read our whitepaper.

 

Let’s get you started!

To help you get started on your own passwordless journey, this week we’re rolling out a bonanza of public preview capabilities. These new features include:

  • A new Authentication methods blade in your Azure AD admin portal that allows you to assign passwordless credentials using FIDO2 security keys and passwordless sign-in with Microsoft Authenticator to users and groups.

[Screenshots: the Authentication methods blade in the Azure AD admin portal]

 

FIDO2 hardware

Microsoft has teamed up with leading hardware partners, Feitian Technologies, HID Global, and Yubico, to make sure we have a range of FIDO2 form factors available at launch, including keys connecting via USB and NFC protocols. Sue Bohn has more details on those partnerships.

 

Please be sure to verify that any FIDO2 security keys you’re considering for your organization support the optional FIDO2 features that Microsoft’s implementation requires (notably resident keys, client PIN and the hmac-secret extension); a key that only implements FIDO U2F will not work.

 


Our passwordless strategy

Our passwordless strategy is a four-step approach where we deploy replacement offerings, reduce the password surface area, transition to passwordless deployment, and finally eliminate passwords:

 

[Figure: the four-step passwordless strategy]

 

Today’s product launches are an important milestone on the road to passwordless. In addition, the engineering work we did to provide authentication methods management for administrators, and user registration and management, will let us move faster to improve credential management experiences and bring new capabilities and credentials online more simply. We’re working with our Windows security engineering team to make FIDO2 authentication work for hybrid-joined devices as well; in this preview, FIDO2 sign-in to Windows requires an Azure AD joined device.

 

Of course, we look forward to feedback from you across all of these features, to help us improve before we make them generally available.

 

Regards,

 Alex (Twitter: @Alex_A_Simons)

 Corporate VP of Program Management

 Microsoft Identity Division

 


95 Comments
Brass Contributor

I'm stuck on this step: 

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-password...

 

I'm not seeing any methods to enable.  Any help would be appreciated.

Copper Contributor

Similar to @chad Snelson: I set Enable to Yes, then select my user account as a target and hit Save. When I reload the page, any changes I made go away.

Copper Contributor
Does this require Azure AD Premium licenses to work or can it also be used with Office 365 with Azure AD free tier?
Copper Contributor
I can't get past this step: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-password... Only password authentication is available: https://ibb.co/C1n3QvL User feature previews is enabled: https://ibb.co/LQRWy4k
Copper Contributor
Hi all. Same issue here. Enabled user- selected save - then, nothing happens.
Bronze Contributor

I'm beyond thrilled to see that this is finally to the public preview stage... and almost equally disappointed that yet again this awesome new feature doesn't support Hybrid AAD Joined devices.  :(

 

With that said, I'm willing to test on AAD Joined devices (not hybrid), but I'm stuck at the same point as others.  Under the section "Enable new passwordless authentication methods", it says to choose certain options under each method.  However, the list of methods on this screen is empty, just showing "No results".  

 

Perhaps these methods are still being rolled out, or some of the earlier steps required to enable this take time to propagate before the methods appear?

Folks, if some of you are still unable to access these features, please email your tenant ID to swkrish AT microsoft DOT com.

 

PS: Our apologies, deployments are taking longer than intended, we expect all customers should have all the functionalities working no later than Fri evening, Pacific time zone. Thanks for your interest.

Iron Contributor

I'll join as well, facing the same issue as most people who have posted. All the pre-reqs are there, then you enable it for a group of users, hit Save and nothing happens and your saved settings are gone. :( 

Brass Contributor

Now it works with the phone sign-in :). But I'm missing the "Sign in with security key" option on the portal.office.com page?

It may come overnight, I guess?

Bronze Contributor

As of this morning, I now have "Fido2 Security Key" and "Microsoft Authenticator passwordless sign-in" under methods, and I've enabled both.  Unfortunately, when I try to set up my Yubikey 5 NFC security key, I get a message that "This security key can't be used.  Please try a different one."  Yubico is listed as one of the supported vendors, and this model of key is the one that they recommend for passwordless AzureAD use, so I'm not sure what the issue is.  

 

I am trying to set it up on a Hybrid AAD Joined computer, but if I understand correctly I should be able to set it up and use it for web-based authentication; it is just not supported for use at the Windows lock screen.

Copper Contributor

I receive a message when going to myprofile.microsoft.com: 

Oops, seems like the organization you tried signing into hasn't activated the new profile experience at this time. Please contact your admin for more information.
I've used Chrome and Internet 
The feature regarding Phone sign-in works well for me :)

 

Copper Contributor

Will this allow applications to offer passwordless sign on that are using Azure AD as an identity provider via SAML 2.0 or OpenID Connect?

Copper Contributor

@AnthonyClark_316  I think so; authentication with integrated applications goes through the Microsoft log-in page. We've set up SSO with SAP ByDesign: if a user connects through the SAP ByDesign URL in a private browser, it redirects to the Microsoft log-in page, where you need to enter the corporate credentials of your Azure AD account, or your AD account if you're using a hybrid scenario.

Brass Contributor

I also had to wait a few minutes (like 30) before the auth-methods appeared in my tenant. Anyway all is working now and -if you are interested- I have written a blog-post about it: 

 

https://emptydc.com/2019/07/11/passwords-with-or-without-you/

 

Cheers,
Jan

Copper Contributor
This morning I could finish the steps and my YubiKey is working. Thanks guys for the help.
Bronze Contributor

Is passwordless login to windows also supported using the Authenticator app, or just the security key? 

 

I have enabled both credentials, and my credential in the authenticator app is enabled for phone sign-in, but I'm not seeing any way to initiate a phone sign-in at the windows lock screen.  

Iron Contributor

@Steve Whitcher, I think the Windows login is (atm) only supported on pure Azure AD joined machines, not hybrid joined devices. (I am assuming you're trying this from a Hybrid AAD joined device based on your previous post :) ).

Iron Contributor

Musings after first 5 minute test with the Authenticator app option. Both Edge and Chrome prompt me for the app sign in the first time.

I choose to not keep me signed in and subsequently perform a correct logout of my session.

 

When then choosing to sign in again from the office.com page, I get prompted for my password and not the app sign in :(

 

If I close the browser and re-open and go back to office.com to sign in, I get the app sign-in again. I don't know about the rest of you but I find that weird and not a very nice or consistent experience.

I might be doing something wrong but if I am, I don't know what it is :)

 

P.S. is there a way to remove the 'sign in with a password instead' option so only app is possible and if so, which are 'backup methods' in case you forgot your phone at home?

Copper Contributor

Still waiting for the authentication methods to show up in our subscriptions. Been waiting for more than 24 hours now

Copper Contributor

I contacted Office 365 tech support about this issue: I enabled "Authentication method policy (Preview)" but the new authentication methods did not appear in my Office 365 tenant.

 

Below is what tech support suggested: use PowerShell to enable the passwordless authentication method.

 

  1. Search for Windows PowerShell on your computer, right-click it and choose "Run as administrator".
  2. To confirm which version you have installed, run:

    Get-Module -Name AzureAD -ListAvailable

  3. If you currently have the Azure AD PowerShell module installed and it’s not at least version 2.0.2.5, you’ll need to uninstall it. To do this, run:

    Uninstall-Module -Name AzureAD

  4. If you don’t have the Azure AD PowerShell module installed, or you’ve just uninstalled it, you’ll need to install it by running:

    Install-Module -Name AzureADPreview

  5. To enable passwordless authentication for a single Office 365 tenant, run:

    Connect-AzureAD

    # Tenant-wide policy that turns on Microsoft Authenticator phone sign-in
    New-AzureADPolicy -Type AuthenticatorAppSignInPolicy `
        -Definition '{"AuthenticatorAppSignInPolicy":{"Enabled":true}}' `
        -IsOrganizationDefault $true `
        -DisplayName AuthenticatorAppSignIn
Copper Contributor

Hi,

adding the security key works fine. Windows 10 Sign-in as well.

However, I can't seem to get any browser to use the key for any sign-in to corporate resources (personal Microsoft Accounts work).

Firefox prompts "This security key doesn't look familiar." and Edge (up-to-date) doesn't even give me the option use a security key as sign-in option.

Does anybody else have these issues?

btw: I am using a Feitian BioPass key.

 

Thanks,

Chris

 

Copper Contributor

@ChristianMueller We have the exact same issue. We are able to login to Windows with the security key, however logging into Azure Portal or the Office 365 portal in Firefox we get prompted "This security key doesn't look familiar" and in Edge there is no option at all to login with a security key. 

 

We are using Yubikey 5 NFC keys 

Copper Contributor

Can someone tell me how to get the login page on Azure or Office which supports a security key? On portal.azure.com there is nothing to select a security key...

thank you

Copper Contributor

@crapitouille 

 

In Firefox, browse to portal.azure.com, portal.office355.com or login.microsoftonline.com. You need to ensure you are signed out, then click "Sign-in Options" at the bottom, then "Sign in with Windows Hello or a security key". It will prompt you to insert your security key into the USB port or tap on the NFC; when you do that it will say something along the lines of "The security key doesn't look familiar, please try another one." In Edge we are not prompted with any additional sign-in options other than sign in with GitHub.

 

Windows Hello sign-in for Windows logon is working flawlessly; unfortunately portal logins are not. It's in preview though, so probably expected not to work :)

Copper Contributor

Good stuff! I went to test this out in my test tenant. I am using Win 10 1803. After enabling FIDO2, when I try register a user for the "Security key" method, I get:

 

"We detected that this browser or OS does not support FIDO2 security keys."

 

Does this require Win 10 1809+? Isn't FIDO2 a matter of browser support - and OS agnostic? Will the AAD implementation of FIDO2 eventually support MacOS and mobile devices (using a NFC-capable key)?

 

 

Our apologies, deployments are taking longer than intended. We expect all customers should have all the functionalities working no later than Friday evening, Pacific time zone. Thanks for your enthusiasm!

Copper Contributor

Hello,

 

Following the instructions at https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-password... there are a few issues. When I am trying to register the security key with my fingerprint, the Set up button is grayed out. This is with a Feitian FIDO2 BioPass security key which has the fingerprint sensor. The Windows 10 version is 1903 enterprise.

 


 

Also, although I get this option in the Windows 10 sign-in settings of the computer, I don't get the option to register the security key at https://myprofile.microsoft.com


EDIT: ok, I was able to set the fingerprints after first resetting the security key and then setting a PIN on it. After setting a PIN, the option to set fingerprints was enabled. But now I have another issue: although I seem to have finished the setup of the security key, when I attempt to sign-in to my account with it at the Windows sign-in screen, it simply says "This security key doesn't look familiar. Please try a different one."

 

I'm stumped. Appreciate any help with this!

Copper Contributor
Nice, when is support for non-Microsoft operating systems going to be added?
Copper Contributor

@MicrosoftEntraTeam 

Everything works fine now :) Such a great addition to Azure AD!

Copper Contributor

Thanks for the update. What is the strategy & status & timing concerning AAD B2C with FIDO2 passwordless Azure Identities?

Iron Contributor

Hoping to start helping organisations move further forward with a passwordless approach also.

Definitely need to increase internal passwordless adoption.

 

I've purchased a YubiKey 5 NFC and enrolled it through the AAD security methods; it works fine for browser sign-in (although not through Chrome at all) but I'm getting nowhere with Windows sign-in.

Using AAD joined cloud managed device, at the sign in screen i can plug the yubikey in but it says "No valid certificates were found on this smart card"

 

I have turned on the "make your device password-less" option.

Running 10 insider Enterprise 18941 190713-1700

 

The manage security key menu gives me the option to change PIN (tried that) and reset it to factory.

 

Any one else run into this?

This could be the missing piece to allow widespread passwordless for many of our users who have devices without Hello biometrics capabilities

Copper Contributor

In regards to the Microsoft Authenticator passwordless sign-in method, has anyone else had trouble with it not sending push notifications to mobile devices? Such as reported here (https://github.com/MicrosoftDocs/azure-docs/issues/30680)?

 

I have enabled my user in my tenant using the new options in the Azure Portal; I had not previously tried to enable a policy using the PowerShell cmdlets as mentioned by @fordantitrust above. My user now triggers the passwordless flow, however I have to manually open up the Microsoft Authenticator app to begin my interaction. I do not receive a prompt via a push notification.

 

Do I need to still execute the New-AzureADPolicy cmdlet to enable the push notifications? What is the impact of that policy, will it enable this preview for all my users who are using the Microsoft Authenticator app? Running the Get-AzureADPolicy cmdlet returns no similar policies in my tenant, which presumably would have been created if needed by the enabling of my user through the portal.

 

Update: Just in case someone else finds this, I resolved this issue by going into the Microsoft Authenticator app, choosing to "Disable phone sign-in" for my AAD Work Account, and then enabling it again right after. This updated the icon in the https://myprofile.microsoft.com portal from a normal MS Authenticator padlock icon, to a phone sign-in icon like you see in the app itself. After about half a day, the push notifications then started working for the passwordless sign-in flow. I'm guessing that as part of the preview, this particular flow of "a user has already hit the enable phone sign-in option in the app for the AAD user, before they are enabled for the passwordless sign-in flow" is not quite covered yet.

Brass Contributor

Hi All,

 

I've configured my Azure AD joined Windows 10 (1903 OS Build 18947.1000) device with my Yubikey NFC 5. I was wondering about the sign-in behavior. When I sign-in I will get the following screens

 

1. Enter Security Pin

2. Touch the Yubikey Gesture.

 

Is it possible to configure the sign-in without the Security Pin? Because I know a Security Pin is not a password, but I would like to login with only the Yubikey. 

 

I hope somebody knows the answer.

Copper Contributor

This is for Windows only? Thought Office365 was platform independent :smile:

Copper Contributor

Is there any plan for adding U2F as a second factor?  AAD sometimes asks for additional verification with a second factor before a user can perform sensitive operations, and currently FIDO2 security keys cannot be used in those scenarios.  I really want to make sure that my account can be used without a phone (online or not).  @Alex Simons (AZURE)

Iron Contributor

Has anybody else come across the following?

 

I have a YubiKey 5 NFC and I run through the steps to set it up via https://mysignins.microsoft.com/security-info , it's detected, I enter the PIN and then at the end you're prompted with a screen to give the key a name. Whatever I put in there, it will always error with 'We're sorry. We ran into a problem'.

I have tried to set it up on several computers and using several browsers (Chrome, Edge, Chredge canary, dev and beta) but no go.


 

I started to think the YubiKey was broken but I can set it up just fine on other online services that support it.

Copper Contributor

Now works with latest version of Chrome for mac and Edge for mac

Copper Contributor

Any word on support for non hybrid Active Directory?

Bronze Contributor

So, after setting it up and going to the Security info page to change the Default sign-in method to Security key, I was surprised to see that "Security key" isn't in the list of choices when you go to change the default.  To be clear, "Security key" is showing lower down on that page, along with the others (authenticator, etc), just not when changing the default.

 

Why? The closest choice available is one that mentions authenticator+hardware token. Choosing that involves the authenticator app.

Copper Contributor

@Steve Hernou 

 

Has anybody else come across the following?

 

I have a YubiKey 5 NFC and I run through the steps to set it up via https://mysignins.microsoft.com/security-info , it's detected, I enter the PIN and then at the end you're prompted with a screen to give the key a name. Whatever I put in there, it will always error with 'We're sorry. We ran into a problem'.

I have tried to set it up on several computers and using several browsers (Chrome, Edge, Chredge canary, dev and beta) but no go.

 

 

I started to think the YubiKey was broken but I can set it up just fine on other online services that support it.

 

I am having the exact same issue. Everything appears to work, right up to the last step of giving the key a "nickname". I've tried this in the Edge Dev browser and Chrome 76 and Chrome 77 and I get the same error in all of them.   I know my yubikey works just fine, I use it everyday for other services.

 


 

 

Iron Contributor

@Steve Hernou @n0creativity exactly the same experience for me too :(

Copper Contributor

Any way to report on who is registering a security key in your tenant?   I don't see it logged specifically in "Audit Logs" and "Usage and Insights" just totally ignores this registration method.  

Copper Contributor

Is everyone who is setting this up checking all the pre-reqs (I know some aren't because I see people posting about 1803)

 

From the top of this page are pre-reqs: (https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-password...)

  • Azure Multi-Factor Authentication
  • Combined registration preview with users enabled for SSPR
  • FIDO2 security key preview requires compatible FIDO2 security keys
  • WebAuthN requires Microsoft Edge on Windows 10 version 1809 or higher
  • FIDO2 based Windows sign in requires Azure AD joined Windows 10 version 1809 or higher

 

Also scroll down to list of supported FIDO2 keys. NO, not U2F

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-passwo...

 

 

Also don't forget to enable the preview combined registration page support (which is also as of today still in preview):

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-registration-mfa-sspr-c...

Side-implication, you must be willing to have self service password reset enabled on the tenant, and then enable the preview.

 

I have this working with a K27 from Feitian but I had to first wait for the preview combine registration process to show up for users.

 

Note: I do not know whether this is supposed to work yet if, even in a cloud-only Azure AD, you use a self-hosted Microsoft MFA Server. I would think that wouldn't happen until Hybrid support is available. So for those of you who have had MFA since BPOS days, you might see some oddities.

 

I am hoping to test some other keys in the next month or so (the eWBM fingerprint keys and the feitian k33 multikey are what I am hoping to get next).

 

Security Questions:

  • Anyone in the red-team security side see about extracting fingerprint data from a key - either when inserted into compromised device or if user "lost" it.
  • And can Windows Security and/or Windows Defender ATP detect and alert on the insertion of a broken/compromised FIDO2 key.
    I.e. does inserting the wrong FIDO2 key count as a bad password attempt? 

Preview feature I am hoping comes next (even before Hybrid) :(

  • Handling scenario where user reports a security key is lost.

-Neil

Copper Contributor

Works perfectly for Azure AD Joined devices in my test environment. Any ETA for when this will be available to preview for Hybrid Azure AD Joined devices and will it be integrated with Windows Hello for Business?

 

- Adam

Copper Contributor

The FIDO2 method sounds very much like "chip and PIN".

 

In western Europe, when we pay in shops using credit or debit cards, we use "chip and PIN"; insert your credit or debit card into the reader, then enter your 4 digit PIN.  This is two factor authentication for payments [something you have (chip) and something you know (PIN)].  In the UK at least, everyone understands what "chip and PIN" means.

 

If I have understood this correctly, and FIDO2 method is indeed "chip and PIN", then you could consider calling it "chip and PIN".  This would *INSTANTLY* make sense to everyone in the UK - no further explanation required!

 

[I understand the US doesn't generally use "chip and PIN"; that's fine, leave the full explanation in there too].

 

Microsoft

@Steve Hernou  @n0creativity @Rob Hardman 

When you added yourself to passwordless authN methods in Azure, check to make sure it wasn't done via a distribution group. That will produce the something went wrong error.

Iron Contributor

@Ash_677-1 

 

Thanks for the tip. I will keep this in mind. Is this a known bug the product group is working on? It does not seem to affect the authenticator app passwordless option because that is scoped to a group on my tenant as well and that works like a charm.

 

 @n0creativity @Rob Hardman @Steve Whitcher 

 

Finally took the time to dig a bit deeper on the inability to register my Yubi5 key and contacted MS support.

 

It appears the reason I cannot even register the key on my tenant is because I am using a hybrid AD joined device to do the action from.

That's also the reason why I was able to successfully register the key on my test O365 tenant where my device is not hybrid joined to.

 

I have a spare device that's pure Azure AD joined so I am going to try and register the key from that device.

Iron Contributor

@Steve Hernou That’s interesting. Unfortunately I have been trying it from a pure AADJoined device so don’t think it applies in my case. I might open my own support case to get some specific logs/telemetry to the product team. Thanks anyway

Iron Contributor

@Ash_677-1Now your tip may indeed be the root cause for me. I chose an O365 group (security groups weren’t a specified requirement on the product info page at the time, if my memory serves…)

 

I will retry with a dedicated AAD security group. 

Microsoft

@Rob Hardman  @Steve Hernou  I don't know if the product group is working on it; it doesn't affect the authenticator app. Also, for what it's worth, the Azure audit log will list an error for UnknownFutureValue when I found the correlation ID. Process of elimination to figure out it was a dist group issue.

Version history
Last update: Aug 03 2020 01:49 PM