Unlocking Passwordless Security: A Step-by-Step Guide to Configuring FIDO2 Security Keys with Microsoft Entra ID


FIDO2 Security Keys with Microsoft Entra ID
As organizations move towards stronger authentication methods, passkeys (FIDO2) are becoming increasingly popular. Microsoft Entra ID supports passkeys, allowing users to authenticate securely without relying on traditional passwords.

The good news is that Microsoft Entra ID now supports device-bound passkeys stored on FIDO2 security keys and in Microsoft Authenticator. Microsoft is dedicated to enhancing security and is actively investing in both synced and device-bound passkeys for work accounts.

In this blog, I'll demonstrate how to configure FIDO2 security keys with Entra ID for passwordless user authentication. I'll be using the FEITIAN ePass K40 Security Key as an example to guide you through the process.

Prerequisites for Enabling Passkeys

Before enabling passkeys, ensure your organization has:
  • Microsoft Entra multifactor authentication enabled.
  • FIDO2 security keys that are compatible with your devices.
  • Supported devices running Windows 10, version 1903 or later, or other compatible operating systems.

Step-by-Step Guide to Enable Passkeys

1. Sign in to the Microsoft Entra admin center as a Global Administrator or Authentication Policy Administrator.
2. Navigate to Protection > Authentication methods > Authentication method policy.
Entra ID Passkey(FIDO2) Authentication Method
3. Enable the Passkey (FIDO2) method by toggling it on.

Entra ID Enable Passkey Authentication
4. Choose to apply this to All users or to selected security groups.
5. Select Configure to make additional settings.
Entra ID Passkey(FIDO2) Authentication Additional Settings
  • For optimal configuration, keep "Allow self-service setup" set to Yes, ensuring users can register passkeys via My Security Info.
  • Set "Enforce attestation" to Yes to verify the legitimacy of FIDO2 security keys or passkey providers.
  • If you need to restrict specific security key models, enable "Enforce key restrictions" and work with vendors to determine their AAGUID (Microsoft also publishes a list of FIDO2 security key models). Note that removing a previously allowed AAGUID will prevent users from signing in with those keys.

Note:
  1. For FIDO2 security keys, the security key metadata must be published and verified through the FIDO Alliance Metadata Service and pass additional validation testing by Microsoft. For more details, refer to the guide on becoming a Microsoft-compatible FIDO2 security key vendor.
  2. For passkeys in Microsoft Authenticator, Microsoft doesn't currently support attestation.
  3. Attestation enforcement governs whether a passkey is allowed during registration only. Users who were able to register a passkey without attestation will not be blocked during sign-in if Enforce attestation is set to Yes at a later time.
  4. FIDO2 security keys eligible for attestation with Microsoft Entra ID are listed in Microsoft's FIDO2 security key models list; you can also view the authentication method details of the key per user.

I plan to write another blog that will focus on configuring and testing Microsoft Authenticator Passkeys.

6. Click Save to save the passkey configuration.
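The same Passkey (FIDO2) policy settings can be applied and verified from PowerShell through Microsoft Graph. This is an added example, not code from the original post or from Microsoft's documentation; it assumes the Microsoft.Graph PowerShell module is installed, that the signed-in account holds the Authentication Policy Administrator role, and that the AAGUID list is filled in with the values your key vendor supplies (it is left empty here, so key restrictions stay off).

```powershell
# Added example: configure the Passkey (FIDO2) authentication method policy
# via Microsoft Graph, mirroring steps 3 to 6 above.
# Requires the Microsoft.Graph module and the Policy.ReadWrite.AuthenticationMethod scope.
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod'

$fido2Uri = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2'

# ASSUMPTION / PLACEHOLDER: add the AAGUIDs of the key models you allow.
# Left empty so that "Enforce key restrictions" stays off; an enforced allow
# list with the wrong AAGUIDs would block every registration.
$allowedAaguids = @()

$policy = @{
    '@odata.type'                    = '#microsoft.graph.fido2AuthenticationMethodConfiguration'
    state                            = 'enabled'                       # step 3: toggle the method on
    isSelfServiceRegistrationEnabled = $true                           # "Allow self-service setup" = Yes
    isAttestationEnforced            = $true                           # "Enforce attestation" = Yes
    keyRestrictions                  = @{
        isEnforced      = ($allowedAaguids.Count -gt 0)                # "Enforce key restrictions"
        enforcementType = 'allow'                                      # only listed models may register
        aaGuids         = $allowedAaguids
    }
    includeTargets = @(                                                # step 4: scope to all users,
        @{ targetType = 'group'; id = 'all_users'; isRegistrationRequired = $false }  # or a group object id
    )
}

Invoke-MgGraphRequest -Method PATCH -Uri $fido2Uri `
    -Body ($policy | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Read the policy back so the change is confirmed rather than assumed.
$current = Invoke-MgGraphRequest -Method GET -Uri $fido2Uri
[pscustomobject]@{
    State               = $current.state
    SelfServiceSetup    = $current.isSelfServiceRegistrationEnabled
    AttestationEnforced = $current.isAttestationEnforced
    KeyRestrictions     = $current.keyRestrictions.isEnforced
    AllowedAaguids      = ($current.keyRestrictions.aaGuids -join ', ')
} | Format-List
```

Remember the caveat from the notes above: once restrictions are enforced, removing an AAGUID from the allow list stops sign-in for users whose keys carry it.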

User Passkey Registration

Now, let’s unbox the FEITIAN ePass K40 and connect it to the laptop via the USB Type-C port. This key is equipped with USB Type-C and NFC support, making it versatile and easy to use.
FEITIAN ePass K40

I connected the FEITIAN ePass K40 to my Windows 11 device to begin the setup.
FEITIAN K40 USB Type-C Connected
To register a passkey (FIDO2) as an authentication method, users should navigate to the My Account page and then to the My Security Info page in their browser.
M365 My Account Page


From there, click on "Add sign-in method," select "Security Key," and then click "Add" to continue the process.
Adding Security Key Sign-in Method in Entra ID Account

Sign in with multifactor authentication (MFA) before adding a passkey, then click Next.
Entra ID User Security Key, Setup MFA
Entra ID User MFA Prompt
Note: If you haven’t registered at least one MFA method, you’ll need to add one. Alternatively, an Authentication Policy Administrator can issue a Temporary Access Pass to allow a user to authenticate securely and register a Security Key.

A new security prompt will appear, asking you to choose the type of security key: USB device or NFC device. Since we’re currently connected via the USB port, proceed by selecting the USB option.
FIDO2 Security Key Type
After selecting the USB option, another prompt will appear asking you to connect the security key to the USB port and then click Next to proceed.
Passkey Setup Prompt
After clicking the Next button, a confirmation page will appear, guiding you to the Security Window to complete the remaining configuration steps.
Setting up your Passkey

In the Security Window, you’ll be prompted to select the location where you want to save your passkey. Since we've already connected our USB Security Key, choose the Security Key option to proceed.
Choose Where to Save Passkey
After confirming the passkey location, another security prompt will appear, displaying the user who initiated the request and the source of the request. To continue, press the OK button.
Security Key Setup
After confirming the Security Key setup prompt, another security prompt will appear, indicating that the Security Key is being configured. This message keeps you informed of the ongoing setup process. Press OK to continue.
Continue Security Key Setup

Next, you'll need to set up a PIN for your Security Key. You'll be prompted to either create a new PIN or enter an existing one. Then press OK.
Passkey PIN configuration
After that, perform the required gesture associated with your security key to complete the setup (in my case, simply touching the button on my ePass K40).
Touch the Security Key
After your passkey is successfully saved, you'll see a confirmation page similar to the screenshot below. Press OK
FIDO2 Passkey Saved
After pressing the OK button, you can return to the Security Info page in your browser. You'll be prompted to assign a name to your newly added Security Key. Be sure to provide a meaningful name to easily differentiate this key from others. Press Next to continue.
Security Key Name Configuration
Once you save the Security Key name, a confirmation message will appear to confirm the setup. Click "Done" to complete the process.
Security Key Setup Done

If you check the Security Info page, you'll see your current sign-in methods, including the Security Key name you assigned, the Security Key AAGUID, and the registration date. You can also delete any sign-in methods from this page if needed.
Entra ID User Sign-in Methods
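An administrator can pull the same information for any user from Microsoft Graph, which is useful for checking which registered keys would be affected before changing the AAGUID allow list. This is an added example, not code from the original post; it assumes the Microsoft.Graph module, a placeholder user principal name, and that the account has the scopes listed.

```powershell
# Added example: list a user's registered FIDO2 security keys (name, model,
# AAGUID, attestation level, registration date) and flag any key whose AAGUID
# is not on the policy's allow list while key restrictions are enforced.
Connect-MgGraph -Scopes 'UserAuthenticationMethod.Read.All', 'Policy.Read.All'

$userId = 'user@contoso.example'   # PLACEHOLDER: replace with the user's UPN or object id
$graph  = 'https://graph.microsoft.com/v1.0'

# Registered keys for the user (the Security Info page shows the same fields).
$keys = (Invoke-MgGraphRequest -Method GET -Uri "$graph/users/$userId/authentication/fido2Methods").value

# Current Passkey (FIDO2) policy, to compare AAGUIDs against the allow list.
$policy       = Invoke-MgGraphRequest -Method GET -Uri "$graph/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2"
$restrictions = $policy.keyRestrictions
$allowList    = @($restrictions.aaGuids)

foreach ($k in $keys) {
    # A key is at risk only when restrictions are enforced as an allow list
    # and its AAGUID is missing from that list.
    $blocked = $restrictions.isEnforced -and
               $restrictions.enforcementType -eq 'allow' -and
               ($allowList -notcontains $k.aaGuid)

    [pscustomobject]@{
        Name             = $k.displayName
        Model            = $k.model
        AAGUID           = $k.aaGuid
        AttestationLevel = $k.attestationLevel     # 'attested' or 'notAttested'
        Registered       = $k.createdDateTime
        BlockedByPolicy  = $blocked
    }
}
```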

Testing User Sign-in with a Security Key (FIDO2)

We will test the user sign-in process on portal.office.com using the Security Key we recently registered.

We'll validate two scenarios: first, by entering the user ID and signing in with the Security Key, and second, by using the sign-in options from the Office login page.

To begin, open portal.office.com, enter the user ID, and you'll be prompted to select the Security Key and enter your PIN.
The following screenshots illustrate the process flow.
Enter the user ID and press Next.
M365 Login Page
The Security window will prompt you to choose the Security Key.
Security Key Login Prompt

Choose Security Key and press Next.
Choose Security Key
Enter the Security Key PIN that we configured for this key earlier, then press OK.

Security Key PIN Prompt
Touch the Security Key for user confirmation (gesture).
Security Key Gesture
The user successfully logged in using the Security Key.
M365 Portal Login Success

Now, let's test the user sign-in process without entering the User ID by using the M365 sign-in options.

Open portal.office.com and click on "Sign-in options" at the bottom of the page.
M365 Sign-in Options
On the next page, select the option for "Face, fingerprint, PIN, or security key."
Face, fingerprint, PIN, or security key Sign-in options
Upon selecting the security key option, a new Security Window will open, prompting you to choose your Security Key.
Security Key selection
Select the Security Key and press Next.

Sign in with your Security Key
Enter the Security Key PIN and press OK.
Security Key PIN
Touch the Security Key to confirm the user gesture.
Security key User Gesture
The user successfully signed in to the M365 Portal using the sign-in options with the Security Key.
M365 User Successful sign-in using Sign-in Options

Conclusion

In summary, setting up FIDO2 Security Keys with Microsoft Entra ID offers a secure and convenient passwordless authentication solution. By following the steps in this guide, you can enhance your organization’s security while reducing reliance on traditional passwords. Stay tuned for more updates on setting up Passkeys with Microsoft Authenticator!
