Microsoft Entra ID (Azure AD) support for Passkeys

Hi,

Has anyone seen any reference or blog as to when Microsoft Entra ID (Azure AD) will support Passkeys on iOS or Android devices, and whether this will be classified as Phishing-Resistant MFA under Conditional Access Sign-In policies?

When you navigate to aka.ms/mysecurityinfo and attempt to enroll a new Security Key, it now defaults to a QR Code to set up a Passkey and lets you go through the enrollment process; however, once you reach the final stage to give the Passkey a logical name under your account, it prompts with an error message (see below).

We have been using YubiKey as a FIDO2 Security Key for Phishing-Resistant MFA; however, as this is not supported for use with iOS and Android and has limited support for macOS, we are hoping that Passkeys will be able to fill this gap.

We have also explored Azure CBA; however, we do not have an existing PKI infrastructure, and managing the lifecycle of certificates is painful and expensive compared to the cost of using a FIDO2 Security Key or Passkey.

[screenshot of the error message shown at the final naming step]
25 Replies

@mcoombe 

I tried to search for the same, but it seems not to be on the roadmap yet.

@Kidd_Ip I heard back from some contacts at Microsoft and all they could provide was a link to this article, which just states that "multi-device passkeys" are not yet supported in Azure AD. 🤞 it will be sometime in 2023 and will be added as a new option under Authentication Methods in Entra ID.

https://learn.microsoft.com/en-us/answers/questions/1103278/can-you-add-an-apple-passkey-security-ke...

I suspect MS won't release support for Passkeys in Azure AD until such time as this is supported in the Microsoft Authenticator Mobile App. LastPass and 1Password have announced support for Passkeys, so my guess is MS will want to keep this in their ecosystem (which would also be my preference).

@mcoombe I saw this article today, and it isn't clear how this will work, but it reads as if support on mobile is imminent: https://www.microsoft.com/en-us/security/blog/2023/09/26/new-security-features-in-windows-11-protect...

@aleve111 just in case you have not seen the update from Microsoft Ignite: they will start supporting Passkeys in Microsoft Entra ID from January 2024, and this includes an upgrade to the Microsoft Authenticator mobile app with Passkey support 👍
https://youtu.be/etYPAam9Nvs?si=hJ5mjzA1HLvx5Ld_

https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/what-s-new-in-microsoft-entra/b...
Anything new here in Jan 2024 with regard to Passkeys + M365?
Will there be support for Password Manager apps like Bitwarden that support Passkeys to log in to 365 Admin Portal?

@mcoombe Eagerly awaiting passkey support for Entra ID. I find it utterly insane that it isn't working with enterprise 365 tenants as a priority.

@Jethro_Rose Same, Business and Enterprise customers need this ASAP; it could not come soon enough.

@Jethro_Rose 100% agree, and I am eagerly waiting for an update from Microsoft. The last update I saw suggested mid-March, but that has now well passed. In my opinion this is a critical security control to improve authentication of M365 and connected SSO apps, and although Windows Hello for Business meets the FIDO2 requirement for phishing-resistant MFA, there are many scenarios where device-bound passkeys using the Microsoft Authenticator app on iOS or Android are required.

March has come and gone, still no passkeys. We contacted MS support about this and they said that the feature would appear in the "Preview features" area of Entra ID:

[screenshot of the "Preview features" area in Entra ID]

But I am skeptical that it will appear here.

We have followed the instructions to configure the following in our test tenant; the AAGUIDs are not easy to find. Reading this, we believe that the only way to opt in is to do the part in red?

"In the Entra admin portal, we will be renaming “FIDO2 security keys” to “Passkeys (FIDO2)” within the authentication methods policy and Conditional Access authentication strengths policy.

For your organization to opt-in to this preview, you will need to enforce key restrictions to allow specified passkey providers in your FIDO2 policy. Here are the possible configuration states for FIDO2 key restrictions during the preview:

  • No key restrictions (FIDO2 policy default): Tenant allows all security key models. Device-bound passkey providers on computers and mobile devices are not allowed.
  • Key restrictions set to "Allow": Tenant only allows the explicitly added AAGUIDs. To enable a device-bound passkey provider, add their AAGUID(s) to the key restrictions list.
  • Key restrictions set to "Block": Tenant blocks the explicitly added AAGUIDs and allows all other security key models. Device-bound passkey providers on computers and mobile devices are not allowed."

Still not working, same error when naming the passkey that you guys are seeing.

I do not understand how Microsoft can have this in an error state for so long, and now that "Passkey (Preview)" is also showing for us when configuring Authentication methods it makes it even worse.

Microsoft, if it is not ready for production, don't show us enticing setup wizards that are made to fail until release; it's been months!
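The three key-restriction states quoted in the post above decide which authenticators a tenant accepts. The following Python is an added example, not code from the thread or from Microsoft: it models those states and builds the Graph PATCH body (the documented fido2AuthenticationMethodConfiguration shape, endpoint and keys) that puts a tenant into the "Allow" state. The AAGUIDs in it are placeholders; the real provider AAGUIDs come from the Microsoft Learn article linked later in the thread, and sending the PATCH needs a token with Policy.ReadWrite.AuthenticationMethod.

```python
import json
import uuid

# Graph resource for the FIDO2 (Passkey) authentication method configuration.
GRAPH_URL = ("https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy"
             "/authenticationMethodConfigurations/fido2")

# PLACEHOLDER values standing in for a device-bound passkey provider's AAGUIDs;
# substitute the provider's published AAGUIDs before using this for real.
PLACEHOLDER_AUTHENTICATOR_AAGUIDS = [
    "00000000-0000-0000-0000-000000000001",
    "00000000-0000-0000-0000-000000000002",
]


def normalise_aaguid(value: str) -> str:
    """Reject anything that is not a UUID and return it in canonical lowercase form."""
    return str(uuid.UUID(value))


def build_fido2_patch_body(allowed_aaguids):
    """Body for PATCH GRAPH_URL: enforce an allow list containing only allowed_aaguids."""
    return {
        "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
        "keyRestrictions": {
            "isEnforced": True,
            "enforcementType": "allow",
            "aaGuids": sorted({normalise_aaguid(a) for a in allowed_aaguids}),
        },
    }


def is_authenticator_allowed(key_restrictions, aaguid, is_passkey_provider):
    """Evaluate one authenticator against the three preview states.

    is_passkey_provider: True for a device-bound passkey provider on a computer or
    phone (only admitted when explicitly allow-listed), False for a security key model.
    """
    aaguid = normalise_aaguid(aaguid)
    if not key_restrictions.get("isEnforced"):        # state 1: no restrictions
        return not is_passkey_provider
    listed = aaguid in {normalise_aaguid(a) for a in key_restrictions.get("aaGuids", [])}
    mode = key_restrictions.get("enforcementType")
    if mode == "allow":                                # state 2: explicit allow list
        return listed
    if mode == "block":                                # state 3: explicit block list
        return not listed and not is_passkey_provider
    raise ValueError(f"unknown enforcementType: {mode!r}")


if __name__ == "__main__":
    print(json.dumps(build_fido2_patch_body(PLACEHOLDER_AUTHENTICATOR_AAGUIDS), indent=2))
```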

Yup, I just did the bit in red and added all the obvious Windows Hello, iCloud and Edge AAGUIDs from here: https://passkeydeveloper.github.io/passkey-authenticator-aaguids/explorer/. Did you find any others? I also hit the same issues you see; I saw the new preview UI as a user (but not on the Azure side) and enrollment still failed.

@Drogon1635 The last update I saw on Twitter was that an announcement on this was coming in the next 1-2 weeks, so 🤞. I would recommend subscribing to https://entra.news/ as this is a great weekly source of information regarding changes to Microsoft Entra.

@mcoombe @Drogon1635 I can set up the Passkey in Microsoft Authenticator (Preview) today!!!

[screenshot of the passkey set up in Microsoft Authenticator (Preview)]
https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-enable-authenticator-passkey
For the iCloud Keychain passkey, my Entra ID is not yet supported. I attempted to add a passkey in the Microsoft Authenticator and a Security Key, but both attempts failed. Fortunately, I can still use the passkey in Microsoft Authenticator.

@Kyle_Lam This is promising. I'm still not able to see "Passkey (FIDO2)" under my Azure "Authentication methods | Policies"; mine still says "FIDO2 security key". I believe Microsoft only intends to support Passkeys in their native app Microsoft Authenticator, at least for the short term.

Cancel this, it is working. Wording still shows "FIDO2 security key", but after I added the two AAGUIDs the option appeared.

@STACDRU Glad to hear that! I added the AAGUID and then the passkey for Microsoft Authenticator appeared. I wonder how to enable the iCloud Keychain passkey as well.

I found that there are 3 passkey settings when I query the Graph Explorer API, but I have no idea how to enable them:

  {
    "defaultPasskeyProfile": null,
    "allowedPasskeyProfiles": [],
    "passkeyProfiles": []
  }

From what Microsoft has said, they don't plan to allow that. The issue with iCloud Passkeys is that they are account bound, not device bound. Your Passkey through Microsoft Authenticator on your iPhone cannot be moved or synced to your iPad, and it also cannot be shared with anyone. iCloud Passkeys are account bound, are synced between iCloud devices, and can be shared with people, so they are less secure.

I think the bigger issue with this setup is it requires you to default your iPhone to use Microsoft Authenticator for Passwords and Passkeys. This will be a major issue for anyone already using a Password Manager.

This is exciting news, people! Still sadly not working for us in our tenant yet.

Would someone mind sharing the AAGUID numbers you have added?

Thanks!

Accepted solution (best response confirmed by mcoombe):

This is the best article I have seen so far regarding background and setup requirements for Microsoft Authenticator Passkeys in Entra ID

https://janbakker.tech/get-started-with-passkeys-in-microsoft-365/
