Forum Discussion
mcoombe
Jul 21, 2023 Brass Contributor
Microsoft Entra ID (Azure AD) support for Passkeys
Hi,
Has anyone seen any reference or blog as to when Microsoft Entra ID (Azure AD) will support Passkeys on iOS or Android devices, and whether this will be classified as Phishing-Resistant MFA under Conditional Access sign-in policies?
When you navigate to aka.ms/mysecurityinfo and attempt to enroll a new Security Key, it now defaults to a QR code to set up a Passkey and lets you go through the enrollment process; however, once you reach the final stage to give the Passkey a logical name under your account, it prompts with an error message (see below).
We have been using YubiKey as a FIDO2 Security Key for Phishing-Resistant MFA; however, as this is not supported for use with iOS and Android and has limited support for macOS, we are hoping that Passkeys will be able to fill this gap.
We have also explored Azure CBA however we do not have an existing PKI infrastructure and managing the lifecycle of certificates is painful and expensive compared to the cost of using a FIDO2 Security Key or Passkey.
- the_catfix Iron Contributor
Awesome conversation!
I was working on this yesterday and this is what My Signins will look like after I put in the AAGUID.
Here is a movie of all the steps I took in order to go from My Signins to Entra to FIDO2 key.
Sorry - I had to put it into Snagit App Cast because I am setting up Entra External Users. Would have used Stream on SharePoint but I'm in the middle of a project.
- mcoombe Brass Contributor
This is the best article I have seen so far regarding background and setup requirements for Microsoft Authenticator Passkeys in Entra ID
https://janbakker.tech/get-started-with-passkeys-in-microsoft-365/
- Drogon1635 Copper Contributor
This is exciting news, people! Still sadly not working for us in our tenant yet.
Would someone mind sharing the AAGUID numbers you have added?
Thanks!
- mcoombe Brass Contributor
Authenticator for Android: de1e552d-db1d-4423-a619-566b625cdc84
Authenticator for iOS: 90a3ccdf-635c-4729-a248-9b709135078f
Try following the steps in this post
https://twitter.com/NathanMcNulty/status/1778496485782602110
- Drogon1635 Copper Contributor
mcoombe, Thanks for these.
Since adding those AAGUIDs I now see this:
I got all excited by the new screens only to be left disappointed at the end when the Microsoft Authenticator app on my iPhone tells me Passkeys is not yet supported. Couldn't get a screenshot as it's not on the screen long enough. Maybe not yet enabled on our tenant or in Australia.
- Drogon1635 Copper Contributor
March has come and gone, still no passkeys. We contacted MS support about this and they said that the feature would appear in the "Preview features" area of Entra ID:
But I am skeptical that it will appear here.
We have followed the instructions to configure the following in our test tenant; the AAGUIDs are not easy to find. We believe, reading this, that the only way to opt in is to do the part in red?
"In the Entra admin portal, we will be renaming “FIDO2 security keys” to “Passkeys (FIDO2)” within the authentication methods policy and Conditional Access authentication strengths policy.
For your organization to opt-in to this preview, you will need to enforce key restrictions to allow specified passkey providers in your FIDO2 policy. Here are the possible configuration states for FIDO2 key restrictions during the preview:
- No key restrictions (FIDO2 policy default): Tenant allows all security key models. Device-bound passkey providers on computers and mobile devices are not allowed.
- Key restrictions set to "Allow": Tenant only allows the explicitly added AAGUIDs. To enable a device-bound passkey provider, add their AAGUID(s) to the key restrictions list.
- Key restrictions set to "Block": Tenant blocks the explicitly added AAGUIDs and allows all other security key models. Device-bound passkey providers on computers and mobile devices are not allowed."
Still not working, same error when naming the passkey that you guys are seeing.
I do not understand how Microsoft can have this in an error state for so long, and now that "Passkey (Preview)" is also showing for us when configuring Authentication methods it makes it even worse.
Microsoft, if it is not ready for production, don't show us enticing setup wizards that are made to fail until release; it's been months!
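The three key-restriction states quoted above decide whether a given authenticator model can register at all, and the AAGUIDs posted earlier in the thread only take effect once they sit in an "Allow" list. The following is an added example (not code from this thread, from Microsoft, or from any linked blog) that builds the FIDO2 policy body with those two Authenticator AAGUIDs and evaluates each state for a sample authenticator. The body shape (`keyRestrictions` with `isEnforced`, `enforcementType` and `aaGuids`, patched at `/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2`) is the Microsoft Graph `fido2AuthenticationMethodConfiguration` resource as I know it; those property names are not on the page, and the example only constructs the body rather than sending it. `SAMPLE_SECURITY_KEY` is a constructed placeholder AAGUID.

```python
"""Model the Entra ID FIDO2 key-restriction states quoted in the thread.

Added example, not Microsoft code. The three states (no restrictions /
allow / block) and their effect on device-bound passkey providers follow
the quoted text. The payload shape is the Graph
fido2AuthenticationMethodConfiguration resource; nothing is sent here.
"""
import json
import uuid

# AAGUIDs posted in the thread for Microsoft Authenticator passkeys.
AUTHENTICATOR_ANDROID = "de1e552d-db1d-4423-a619-566b625cdc84"
AUTHENTICATOR_IOS = "90a3ccdf-635c-4729-a248-9b709135078f"

# Constructed AAGUID standing in for an arbitrary hardware security key model.
SAMPLE_SECURITY_KEY = "11111111-2222-4333-8444-555555555555"


def normalize_aaguid(value: str) -> str:
    """Return the AAGUID in canonical lowercase hyphenated form.

    Raises ValueError for anything that is not a well-formed UUID, which
    catches the copy/paste mistakes (stray spaces, missing hyphens) that
    would otherwise make an allow list silently ineffective.
    """
    return str(uuid.UUID(value.strip()))


def build_fido2_key_restrictions(aaguids, enforcement_type="allow"):
    """Build the PATCH body for
    /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2
    that enforces key restrictions for the given AAGUIDs (assumed Graph schema)."""
    if enforcement_type not in ("allow", "block"):
        raise ValueError("enforcementType must be 'allow' or 'block'")
    normalized = sorted({normalize_aaguid(a) for a in aaguids})
    return {
        "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
        "keyRestrictions": {
            "isEnforced": True,
            "enforcementType": enforcement_type,
            "aaGuids": normalized,
        },
    }


def registration_allowed(policy, aaguid, device_bound_passkey_provider):
    """Decide whether an authenticator with this AAGUID may register.

    `policy` is a body from build_fido2_key_restrictions, or None for the
    tenant default (no restrictions). Mirrors the quoted states:
      - no restrictions: every security key model, but no device-bound
        passkey providers on computers or mobile devices
      - allow: only the listed AAGUIDs (the way a passkey provider is enabled)
      - block: listed AAGUIDs blocked, other security keys allowed, and
        still no device-bound passkey providers
    """
    aaguid = normalize_aaguid(aaguid)
    restrictions = policy["keyRestrictions"] if policy else None
    if restrictions is None or not restrictions["isEnforced"]:
        return not device_bound_passkey_provider
    listed = aaguid in restrictions["aaGuids"]
    if restrictions["enforcementType"] == "allow":
        return listed
    # enforcementType == "block"
    if listed:
        return False
    return not device_bound_passkey_provider


if __name__ == "__main__":
    allow_policy = build_fido2_key_restrictions([AUTHENTICATOR_ANDROID, AUTHENTICATOR_IOS])
    print(json.dumps(allow_policy, indent=2))
    cases = [
        ("Authenticator iOS passkey", AUTHENTICATOR_IOS, True),
        ("Hardware security key", SAMPLE_SECURITY_KEY, False),
    ]
    for label, aag, provider in cases:
        print(f"{label}: default={registration_allowed(None, aag, provider)} "
              f"allow-list={registration_allowed(allow_policy, aag, provider)}")
```

Running it shows the trap the thread keeps hitting: with the default policy a YubiKey registers but the Authenticator passkey does not, and once the allow list is enforced only the two listed AAGUIDs register, so any other security key model your users hold has to be added to the same list.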
- mcoombe Brass Contributor
Drogon1635 last update I saw on Twitter was that an announcement on this was coming in the next 1-2 weeks so 🤞. I would recommend subscribing to https://entra.news/ as this is a great weekly source of information regarding changes to Microsoft Entra
- Kyle_Lam Copper Contributor
mcoombe @Drogon1635 I can set up the Passkey in Microsoft Authenticator (Preview) today!!!
https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-enable-authenticator-passkey
For the iCloud Keychain passkey, my Entra ID is not yet supported. I attempted to add a passkey in the Microsoft Authenticator and a Security Key, but both attempts failed. Fortunately, I can still use the passkey in Microsoft Authenticator.
- scyto Copper Contributor
Yup, I just did the bit in red and added all the obvious Windows Hello, iCloud and Edge AAGUIDs from here https://passkeydeveloper.github.io/passkey-authenticator-aaguids/explorer/. Did you find any others? I also hit the same issues you see; I saw the new preview UI as a user (but not on the Azure side) and enrollment still failed.
- Jethro_Rose Brass Contributor
mcoombe Eagerly awaiting passkey support for Entra ID. I find it utterly insane that it isn't working with enterprise 365 tenants as a priority.
- mcoombe Brass Contributor
Jethro_Rose 100% agree, and I am eagerly waiting for an update from Microsoft. The last update I saw suggested mid-March, but that has now well passed. In my opinion this is a critical security control to improve authentication of M365 and connected SSO apps, and although Windows Hello for Business meets the FIDO2 requirement for phishing-resistant MFA, there are many scenarios where device-bound passkeys using the Microsoft Authenticator app on iOS or Android are required.
- STACDRU Brass Contributor
Jethro_Rose Same; Business and Enterprise customers need this ASAP, it could not come soon enough.
I tried to search for the same, but it seems not to be on the roadmap yet.
- mcoombe Brass Contributor
Kidd_Ip I heard back from some contacts at Microsoft and all they could provide was a link to this article, which just states that "multi-device passkeys" are not yet supported in Azure AD. 🤞 it will be sometime in 2023 and will be added as a new option under Authentication Methods in Entra ID.
https://learn.microsoft.com/en-us/answers/questions/1103278/can-you-add-an-apple-passkey-security-key-to-a-non-
- mcoombe Brass Contributor
I suspect MS won't release support for Passkeys in Azure AD until such time as this is supported in the Microsoft Authenticator mobile app. LastPass and 1Password have announced support for Passkeys, so my guess is MS will want to keep this in their ecosystem (which would also be my preference).