Microsoft Entra ID (Azure AD) support for Passkeys
Hi, Has anyone seen any reference or blog as to when Microsoft Entra ID (Azure AD) will support Passkeys on iOS or Android devices and will this be classified as Phishing-Resistant MFA under Conditional Access Sign In policies. When you navigate to aka.ms/mysecurityinfo and attempt to enroll and new Security Key it now defaults to a QR Code to setup a Passkey and lets you go through the enrollment process however once you reach the final stage to give the Passkey a logical name under your account it prompts with an error message (see below). We have been using YubiKey as a FIDO2 Security Key for Phishing-Resistant MFA however as this is not supported for use with iOS and Android and has limited support for macOS we are hoping that Passkeys will be able to fill this gap. We have also explored Azure CBA however we do not have an existing PKI infrastructure and managing the lifecycle of certificates is painful and expensive compared to the cost of using a FIDO2 Security Key or Passkey.
CA policy for corporate devices
I would like to create a conditional access policy to block all non corporate devices from accessing Office 365 resources. I created a policy: Applies to -> User Group Applies to -> all resources Applies to -> Win 10 Filter for devices exception-> Ownership: company & trust type: Entra Hybrid joined. Action: block The above works fine for office desktop login, i.e. blocks non corporate devices and allows corporate devices. However, a side effect is that sign ins from browser on a corporate device is still blocked.
Exclude Microsoft first party applications in Azure conditional access policy
We have app built on Microsoft Graph resource and we have a conditional access policy that targets all cloud apps. when users sign into this app using Chrome browser on iOS they get error and prompt to use Edge. We do not want users to change the browser and tried to exclude Microsoft Graph from CA policy using all options including API but fails with the below error. Policy contains invalid applications: unsupported firstpartyapplication. Is there a way to exclude Microsoft Graph from the policy?
