Unlocking Passwordless Security: A Step-by-Step Guide to Configuring FIDO2 Security Keys with Microsoft Entra ID

 

As organizations move towards stronger authentication methods, passkeys (FIDO2) are becoming increasingly popular. Microsoft Entra ID supports passkeys, allowing users to authenticate securely without relying on traditional passwords.

Good news is that Microsoft Entra ID now supports device-bound passkeys stored on FIDO2 security keys and Microsoft Authenticator. Microsoft is dedicated to enhancing security and is actively investing in both synced and device-bound passkeys for work accounts.

In this blog, I'll demonstrate how to configure FIDO2 security with Entra ID for passwordless user authentication. I'll be using the FEITIAN ePass K40 Security Key as an example to guide you through the process.

Prerequisites for Enabling Passkeys

Before enabling passkeys, ensure your organization has:

• Microsoft Entra multifactor authentication enabled.
• FIDO2 security keys that are compatible with your devices.
• Supported devices running Windows 10, version 1903 or later, or other compatible operating systems.

Step-by-Step Guide to Enable Passkeys

1. Sign in to the Microsoft Entra admin center as an Global Administrator\Authentication Policy Administrator. 

2.Navigate to Protection > Authentication methods > Authentication method policy.

3.Enable the Passkey(FIDO2) method by toggling it on. 

4.Choose to apply this to All users or select specific security groups.

5.Select Configure to Make Additional Settings

•  For optimal configuration, keep "Allow self-service setup" set to Yes, ensuring users can register passkeys via MySecurityInfo
• Set "Enforce attestation" to Yes to verify the legitimacy of FIDO2 security keys or passkey providers
• If you need to restrict specific security key models, enable "Enforce key restrictions" and work with vendors to determine their AAGUID (Can find FIDO2 security key models ). Note that removing a previously allowed AAGUID will prevent users from signing in with those methods.

Note: 1.  For FIDO2 security keys, it's required that the security key metadata is published and verified through the FIDO Alliance Metadata Service and passes additional validation testing by Microsoft. For more details, refer to the guide on becoming a Microsoft-compatible FIDO2 security key vendor.

        2. For passkeys in Microsoft Authenticator, Microsoft don't currently support attestation.

        3. Attestation enforcement governs whether a passkey is allowed during registration only. Users who are able to register a passkey without attestation will not be blocked during sign-in if Enforce attestation is set to Yes at a later time.

        4.FIDO2 security keys eligible for attestation with Microsoft Entra ID can be found FIDO2 security key models .or view the authentication method details of the key per user.

I plan to write another blog that will focus on configuring and testing Microsoft Authenticator Passkeys.

6.Click Save Button to Save the Passkey configuration

User Passkey Registration

Now, let’s unbox the FEITIAN ePass K40 and connect it to the laptop via the USB Type-C port. This key is equipped with USB Type-C and NFC support, making it versatile and easy to use.

I connected the FEITIAN ePass K40 to my Windows 11 device to begin the setup.

To register a passkey (FIDO2) as an authentication method, users should navigate to the My Account Page then go to My Security Info page in their browser.

 From there, click on "Add sign-in method," select "Security Key," and then click "Add" to continue the process

Sign in with multifactor authentication (MFA) before adding a passkey, then click Next.

Note: If you haven’t registered at least one MFA method, you’ll need to add one. Alternatively, an Authentication Policy Administrator can issue a Temporary Access Pass to allow a user to authenticate securely and register a Security Key.

A new security prompt will appear, asking you to choose the type of security key: USB device or NFC device. Since we’re currently connected via the USB port, proceed by selecting the USB option.

After selecting the USB option, another prompt will appear asking you to connect the security key to the USB port and then click Next to proceed.

After clicking the Next button, a confirmation page will appear, guiding you to the Security Window to complete the remaining configuration steps.

In the Security Window, you’ll be prompted to select the location where you want to save your passkey. Since we've already connected our USB Security Key, choose the Security Key option to proceed.

After confirming the passkey location, another security prompt will appear, displaying the user who initiated the request and the source of the request. To continue, press the OK button.

After confirming the Security Key setup prompt, another security prompt will appear, indicating that the Security Key is being configured. This message will keep you informed of the ongoing setup process. Press OK to Continue

Next, you'll need to set up a PIN for your Security Key. You'll be prompted to either create a new PIN or enter an existing one. Then Press OK

After that, perform the required gesture associated with your security key to complete the setup(In my case, simply touching the Security Key button on my ePass K40 to complete the setup).

After your passkey is successfully saved, you'll see a confirmation page similar to the screenshot below. Press OK

After pressing the OK button, you can return to the Security Info page in your browser. You'll be prompted to assign a name to your newly added Security Key. Be sure to provide a meaningful name to easily differentiate this key from others. Press Next to Continue 

Once you save the Security Key name, a confirmation message will appear to confirm the setup. Click "Done" to complete the process.

If you check the Security Info page, you'll see your current sign-in methods, including the Security Key name you assigned, the Security Key AAGUID, and the registration date. You can also delete any sign-in methods from this page if needed.

Testing User Sign-in with a Security Key (FIDO2)

We will test the user sign-in process on portal.office.com using the Security Key we recently registered. 

We'll validate two scenarios: first, by entering the user ID and signing in with the Security Key, and second, by using the sign-in options from the Office login page.

To begin, open portal.office.com, enter the user ID, and you'll be prompted to select the Security Key and enter your PIN. 

The following screenshots illustrate the process flow.

Enter the User ID and Press Next

Security Window will be Prompted to choose the Security Key

Choose Security Key and Press Next

Enter the Security Key PIN which we already configured for this Key and then press OK

Touch the Security for User Confirmation (Gesture)

User successfully logged in using the Security Key.

Now, let's test the user sign-in process without entering the User ID by using the M365 sign-in options.

Open portal.office.com and click on "Sign-in options" at the bottom of the page.

On the next page, select the option for "Face, fingerprint, PIN, or security key."

Upon selecting the security key option, a new Security Window will open, prompting you to choose your Security Key.

Select the Security Key and Press Next

Enter the Security Key PIN and Press OK

Touch and Confirm the User input

User successfully signed in to the M365 Portal using the sign-in options with the Security Key.

Conclusion

In summary, setting up FIDO2 Security Keys with Microsoft Entra ID offers a secure and convenient passwordless authentication solution. By following the steps in this guide, you can enhance your organization’s security while reducing reliance on traditional passwords. Stay tuned for more updates on setting up Passkeys with Microsoft Authenticator!