Note: In the first part of the series, we described passkeys in detail on a theoretical level. The previous part focused on practical use on the Windows and Android platforms, from the perspective of operating system and browser support for creating, storing, and using passkeys; there we created passkeys for a Google account. In this part, we'll look at the options for Microsoft accounts, focusing more on Entra ID. Tests on Windows will be done on the operating system with the greatest support, which is Windows 11 23H2.
Note: The article now describes the current state in my environment. A few days before publication, Microsoft completely updated the Microsoft Entra authentication documentation, which now describes the new work with passkeys quite well. However, the same things are described in various places (and sometimes contradictorily). A few days after the article was published, I managed to issue a passkey, so I supplemented the article. It's quite possible that there will be some more changes to the names.
Main chapters
- Personal Microsoft Account
- Microsoft Entra ID and work or school account
- User settings for passkeys in Entra ID
From Windows Hello and FIDO2 security key to passkey
Old behavior and support
Microsoft has been supporting the use of Windows Hello for logging into accounts for some time, i.e., passkeys stored on Windows devices, as well as Security Key, i.e., passkeys stored on a FIDO2 security key. These methods were collectively referred to as Sign in with Windows Hello or a security key. During login, Signing in with Windows Hello or security key was displayed.
Changes and passkey support
In January 2024, the login dialogs were changed and now display the option Face, Fingerprint, PIN or security key (Use your device to sign in with passkey). During login, the text Signing in with a passkey is displayed. Overall, the term passkey is used in many dialogs, both on the web and in the latest version of Windows 11.
The change is not only in names. The set of devices we can use for login, i.e., where passkeys can be stored, is being expanded. In addition to the existing Windows Hello (local computer) and security key (external hardware), mobile devices (external devices) are being added. Special support is being added to the Microsoft Authenticator app.
I think the added support for FIDO Cross-Device Authentication in Windows 11 23H2 is related. The operating system thus supports the use of an iPhone, iPad or Android device, including remembering the device (storing its information in the system). In the dialog for external devices (another device), there was previously only a security key; now we can also use mobile devices (if we have functional Bluetooth). It depends on the service which passkeys (stored where) it allows to be created. The limitation is currently in Entra ID.
New login options
For Microsoft Account, we can now create a passkey stored on a mobile device. All common options are supported (as we tested in the previous part), so the passkey can be synchronized and stored in, for example, Google Password Manager.
For Entra ID, support for passkeys on mobile devices in the Microsoft Authenticator application has been added. Thanks to this, a second option is added to the existing passwordless login (Passwordless Authentication) in the Microsoft Authenticator application, using Phone sign-in, which is also phishing-resistant.
If we want to log in on a computer (generally another device than where Microsoft Authenticator / passkey is), then the condition we described in previous parts applies. For FIDO Cross-Device Authentication, Bluetooth must be enabled (functional) on both devices. Another complication is that we need to set Authenticator as another provider for passkeys. This is supported only in the latest versions of Android 14 and iOS 17. And on Xiaomi phones, this option is apparently missing.
There's excitement on the internet that finally ordinary users will replace passwords and that passkeys in Microsoft Authenticator are great. I'm not quite so optimistic. It seems too complicated for ordinary users to me. From my experience, many users used the verification code in SMS, and I tried in vain to convince them that Phone Sign-in is not only more secure but also much more convenient.
Another problem I see is that workstations usually don't have Bluetooth. I've also often heard security recommendations to have Bluetooth turned off on laptops (although we use it all the time on mobile phones). Using a passkey in Microsoft Authenticator is suitable for logging in on a foreign computer (on my own, it's better to create a local passkey). There, the question is what the possibilities will be to use Bluetooth.
Personal Microsoft Account
We'll briefly look at the options for a personal Microsoft Account. The login process (and available methods) is quite similar to the case of a company account (Entra ID). Information about planned changes and the timeline is difficult to find.
The official guide Signing in with a passkey already describes new options that I initially didn't have available. But during my testing (a week before publishing the article), new options started to appear occasionally. And now I have them available all the time.
Adding and managing login or verification methods is done under Microsoft account - Security - Advanced Security Options.
Old options (original dialog)
In Advanced Security Options, we see the configured login methods and can add new ones by selecting Add a new way to sign in or verify. Here are (were) the options Use your Windows PC (Windows Hello) and Use a security key.
Interestingly, however, if we choose Use a security key, it doesn't matter whether we subsequently use a USB or NFC device: the Windows Security dialog for using an external authenticator is displayed, where there is also an option for mobile devices. This is probably related to the dialog change in Windows 11 23H2.
New options with passkeys
During testing, a new dialog with the option Face, fingerprint, PIN, or security key also appeared under the link Add a new way to sign in or verify. If we use it, the Windows Security window is displayed, which offers internal and external authenticators.
The names in the list of set login methods have also changed. Instead of the original Use your Windows PC and Use a security key, only Use a passkey is displayed. It is therefore important to have labels for identification.
Adding login using a passkey
The issuance and use of passkeys for This Windows Device (Windows Hello) or Security key works simply. The process is the same as described in the previous part.
If we can issue a passkey from Windows to an Android phone (see the described problems in the previous part), it will also work for a Microsoft account. Or we can issue directly through the browser on an Android device.
The process is again the same as described in the previous part. But the screen lock entry behaved differently, maybe it was some coincidence. A dialog was displayed (not for using a fingerprint) to enter the password (screen lock) from another phone. Then the passkey was created and saved to Google Password Manager. It is really visible there and synchronizes to other devices. Its use works locally, on another Android phone where it was synchronized, and remotely in Windows.
Information about the new passkey
When we create a new passkey, we receive an informational email. If we have an account connected in the Microsoft Authenticator app, information is also displayed here.
Microsoft Entra ID and work or school account
- Enable passkeys for your organization (preview)
- Enable Microsoft Authenticator passkey sign in (preview)
- MC718260 - Microsoft Entra ID: Authentication strength improvements to support passkeys
- MC690185 - Prepare for device-bound passkeys in Microsoft Entra ID (changes to FIDO2 and Windows Hello for Business)
Microsoft published information about planned passkey support in MC718260 and MC690185 (not very extensively). When I was finishing the article, I accidentally found out that during the previous week, the complete official documentation Passkey (FIDO2) authentication was published. Also at that time, a number of articles appeared from people from Microsoft, MVPs and other experts.
The goal of the entire series was to get to the use of passkeys for accounts in Entra ID, i.e., work or school account. At the time of publication of the article, the deployment of passkeys support to Entra ID tenants is underway. According to the information, it was supposed to start in mid-March and be completed by mid-May. So far, it's a public preview, so significant changes may still occur.
It's important that within Entra ID, only device-bound passkeys are to be supported (for now). They can be stored on computers, security keys, or mobile devices. On mobile devices (Android and iOS), passkeys support is currently only in the Microsoft Authenticator app. And the latest OS version (Android 14 or iOS 17) is required.
In the new documentation, Microsoft states that it currently supports device-bound passkeys stored on FIDO2 security keys and in the Microsoft Authenticator app. It doesn't mention Windows Hello for Business here, so the situation there may not change: registration will still need to be done from the computer settings, and we won't see it in My Security Info.
Note: I'm quite confused by the new documentation, where there's a description of the same areas under Passkey (FIDO2) authentication and under Microsoft Authenticator, but some information differs.
Enabling passkey (FIDO2) authentication in Entra ID
Microsoft states that we need to have Microsoft Entra MultiFactor Authentication (MFA) and in the case of Windows, at least Windows 10 1903 if they are Microsoft Entra Joined, or Windows 10 2004 for Microsoft Entra Hybrid Joined. Detailed information about support is in Support for FIDO2 authentication with Microsoft Entra ID.
The passkeys setting in Entra ID administration is associated with the FIDO2 security key setting (so far it corresponds to the article Sign-in with FIDO2 security key; if we have security keys enabled, we also have passkeys, except that we must explicitly specify the AAGUID for Authenticator).
Microsoft in MC690185 stated that FIDO2 security key was to be renamed to Passkeys (FIDO2), but that apparently hasn't happened yet. Meanwhile, in the official documentation, images of both variants alternate.
Enabling FIDO2 security key
- Microsoft Entra admin center - Protection - Authentication methods - Policies
- select the FIDO2 security key method
- enable and select either all users (All users) or only selected using Security Groups (Select groups)
- save changes (Save)
Additional settings and key restrictions
In the message MC690185, there's additional information that seemed strange to me. At first, I thought it wasn't necessary, but more tests showed that without this setting, we can't issue a passkey (at least not directly in the Authenticator app). In the documentation Enable Authenticator passkey in the admin center, such a point is also mentioned.
The point is that to participate in the Passkeys (FIDO2) preview, we must enable Enforce key restrictions in the FIDO2 policy settings and list the allowed AAGUIDs, including the one for Microsoft Authenticator. The change in this setting takes effect after a longer time (estimated one hour). If it's not set, a passkey is not created during registration in the Authenticator app, even though in My Security Info the creation of Passkey in Microsoft Authenticator (preview) is still offered.
Another thing is that Microsoft Authenticator doesn't yet support attestation (cryptographic verification of manufacturer and model using the FIDO Alliance Metadata Service and MS testing). So for it to be registered, Enforce attestation must be turned off. If we turn off Enforce attestation, it's appropriate for security to use Enforce key restrictions and list only the allowed AAGUIDs.
Configuring FIDO2 policy
- Microsoft Entra admin center - Protection - Authentication methods - Policies
- select the FIDO2 security key method
- switch to Configure
- set Allow self-service set up to Yes, so users can register a passkey
- set Enforce attestation to No (although it's recommended to use Yes)
- set Enforce key restrictions to Yes along with Restrict specific keys set to Allow, and list the AAGUIDs
Note: Authenticator Attestation Global Unique Identifier (AAGUID) is a unique identifier of the authenticator type. A certain product (manufacturer and model) with the same properties shares a common AAGUID. It may change with firmware version.
Determining used FIDO2 security keys AAGUIDs
If we want to restrict only certain security keys, it's good to find out which ones we use in the company so we don't block them. Certain information is in the MS documentation, and I found more in the article How to enable Microsoft Authenticator passkeys in Entra ID.
To allow the use of Microsoft Authenticator, we need to enter its AAGUID. A Microsoft Authenticator (preview) checkbox should appear here, which would simplify the situation, but I don't have it yet.
- de1e552d-db1d-4423-a619-566b625cdc84 - Microsoft Authenticator for Android
- 90a3ccdf-635c-4729-a248-9b709135078f - Microsoft Authenticator for iOS
We can find out the AAGUID for certain devices from the manufacturer, for example for YubiKey. If the device is registered to a user, we can see the AAGUID in the details of the authentication method under the user (Microsoft Entra Admin Center - Users - All users - select user - Authentication methods). The user can also see it for their keys in My Security Info.
But the easiest way is to use PowerShell and the Microsoft Graph module, where we can list all types (AAGUIDs) of registered FIDO2 keys.
```powershell
Install-Module Microsoft.Graph
Connect-MgGraph -Scopes AuditLog.Read.All,UserAuthenticationMethod.Read.All
# list the unique AAGUIDs of all device-bound passkeys (FIDO2 methods) registered in the tenant
((Get-MgReportAuthenticationMethodUserRegistrationDetail -Filter "methodsRegistered/any(i:i eq 'passKeyDeviceBound')" -All).Id |
    ForEach-Object { Get-MgUserAuthenticationFido2Method -UserId $_ -All }).AaGuid | Select-Object -Unique
```
Output in my tenant:
- d8522d9f-575b-4866-88a9-ba99fa02f35b
- a4e9fc6d-4cbe-4758-b8ba-37598bb5bbaa
- 2fc0579f-8113-47ea-b116-bb5a8db9202a
- d94a29d9-52dd-4247-9c2d-8b818b610389
- b6ede29c-3772-412c-8a78-539c1f4c62d2
Alternatively, we can use the module from Fabian Bader GitHub - EntraIDPasskeyHelper, PowerShell Gallery - EntraIDPasskeyHelper. Another interesting script is Export FIDO2 registration info - Entra ID.
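Before turning on Enforce key restrictions, it helps to know which already registered keys a chosen allow-list would lock out. The following is an added PowerShell example (not code from the original article, from Microsoft, or from the modules mentioned above): it reuses the Graph cmdlets from the one-liner above, and the -Online switch, the helper function names and the constructed sample registrations are assumptions.

```powershell
# Allow-list as it would be entered under Restrict specific keys / Allow.
# The two Microsoft Authenticator AAGUIDs are the ones quoted in the article;
# the third is one of the security key AAGUIDs from the tenant output above.
$AllowedAaguids = @(
    'de1e552d-db1d-4423-a619-566b625cdc84',  # Microsoft Authenticator for Android
    '90a3ccdf-635c-4729-a248-9b709135078f',  # Microsoft Authenticator for iOS
    'd8522d9f-575b-4866-88a9-ba99fa02f35b'   # a security key model already in use
)

function Get-Fido2Registration {
    # Returns one object per registered FIDO2 method (UserId, Name, Model, AaGuid).
    # With -Online the data comes from Microsoft Graph; otherwise a constructed
    # sample is returned so the check can be tried without a tenant.
    param([switch]$Online)
    if ($Online) {
        Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All'
        $userIds = (Get-MgReportAuthenticationMethodUserRegistrationDetail `
            -Filter "methodsRegistered/any(i:i eq 'passKeyDeviceBound')" -All).Id
        foreach ($id in $userIds) {
            foreach ($m in Get-MgUserAuthenticationFido2Method -UserId $id -All) {
                [pscustomobject]@{ UserId = $id; Name = $m.DisplayName; Model = $m.Model; AaGuid = $m.AaGuid }
            }
        }
        return
    }
    # Constructed sample data (not real users); models are placeholders.
    [pscustomobject]@{ UserId = 'user-1'; Name = 'MS Authenticator - Android'; Model = 'Authenticator'; AaGuid = 'DE1E552D-DB1D-4423-A619-566B625CDC84' }
    [pscustomobject]@{ UserId = 'user-2'; Name = 'Key A';  Model = 'placeholder-key-A'; AaGuid = 'd8522d9f-575b-4866-88a9-ba99fa02f35b' }
    [pscustomobject]@{ UserId = 'user-3'; Name = 'Key B';  Model = 'placeholder-key-B'; AaGuid = 'a4e9fc6d-4cbe-4758-b8ba-37598bb5bbaa' }
    [pscustomobject]@{ UserId = 'user-3'; Name = 'Key C';  Model = 'placeholder-key-C'; AaGuid = '2fc0579f-8113-47ea-b116-bb5a8db9202a' }
}

function Test-PasskeyAllowList {
    # Marks each registration as Blocked when its AAGUID is missing from the
    # allow-list. AAGUIDs are compared case-insensitively, because the admin
    # center and Graph do not always use the same letter case.
    param([object[]]$Registrations, [string[]]$Allowed)
    $allowedSet = @($Allowed | ForEach-Object { $_.ToLowerInvariant() })
    foreach ($r in $Registrations) {
        $aaguid = "$($r.AaGuid)".ToLowerInvariant()
        [pscustomobject]@{
            UserId  = $r.UserId
            Name    = $r.Name
            Model   = $r.Model
            AaGuid  = $aaguid
            Blocked = ($allowedSet -notcontains $aaguid)
        }
    }
}

# Run against the sample (use -Online for the real tenant).
$result  = Test-PasskeyAllowList -Registrations (Get-Fido2Registration) -Allowed $AllowedAaguids
$blocked = @($result | Where-Object Blocked)

"Registrations that the allow-list would block: $($blocked.Count) of $($result.Count)"
$blocked | Format-Table UserId, Name, Model, AaGuid -AutoSize

# AAGUIDs to add to the allow-list (or to consciously leave out), with how many
# registrations each one affects.
$blocked | Group-Object AaGuid | Select-Object Count, @{ n = 'AaGuid'; e = { $_.Name } } | Format-Table -AutoSize
```

On the constructed sample, user-3's two keys are reported as blocked while the Authenticator registration and the allowed key pass; the last table lists the two AAGUIDs you would still have to add before enabling the restriction.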
Overview of registered methods for users
We can take a comprehensive look at the registered authentication methods of users, where we can filter various types of passkeys.
- Microsoft Entra admin center - Protection - Authentication methods - User registration details
For some time now (before deploying passkey support to the tenant), planned changes were visible here. In the Methods Registered filter, there are both existing items, such as
- FIDO2 security key
- Windows Hello for Business
and new ones
- Passkey (Microsoft Authenticator)
- Passkey (other device-bound)
- Passkey (Windows Hello)
- Platform Credential for MacOS
For users, FIDO2 security key has changed to Passkey (other device-bound). Windows Hello for Business remains, even though there's a Passkey (Windows Hello) item here.
For individual users, we can look at the registered authentication methods in the details of their account.
- Microsoft Entra Admin Center - Users - All users - select user - Authentication methods
Note: It looks quite confusing that a different name is used in each place. For the user, the passkey in the Authenticator app is labeled as FIDO2 security key. In User registration details, it's Passkey (Microsoft Authenticator). And in My Security Info, it's labeled Microsoft Authenticator.
User settings for passkeys in Entra ID
Registering passkeys
Users manage their authentication methods within their account My Account under Security Info. Here is the option to add (register) a new method. Previously, there was an option to add a Security key (and other old methods). After deploying passkeys to the Tenant, Passkey in Microsoft Authenticator (preview) appeared (this happened to me a few days ago). By the end of the year, the Security key option is to be removed.
Note: The original announcement mentioned the item Passkey (preview). In some parts of the official documentation, they refer to Passkey in Microsoft Authenticator (preview), elsewhere to Passkey (preview), and in some places, they have both.
It's not possible to create a passkey for Windows devices, i.e., in Windows Hello for Business, from this location. This is done from Windows settings, and registered devices are not visible in this list. An Entra ID administrator can view them among the user's authentication methods (they can't see their own).
Note: A small side note. Even on a personal computer that is registered in Entra ID, activating Windows Hello created a passkey for my Entra ID account.
Just like with a personal Microsoft account, when registering a Security key, a Windows Security dialog opens, allowing you to save the passkey on a mobile device as well. This option was offered even before passkey support was deployed to the tenant. The entire process goes through, the passkey is likely created on the phone, but saving in Entra ID fails.
The passkey in My Security Info is marked with a passkey icon and the text Microsoft Authenticator. If we created it here, we provided a name. If we registered it in the Microsoft Authenticator app on Android, it's named MS Authenticator - Android.
Requirements for Microsoft Authenticator
To use passkeys in the Microsoft Authenticator app, we need at least version 6.2404.2229 on Android or 6.8.7 on iOS. Microsoft also states that Android 14 or iOS 17 is required at minimum because these operating systems contain APIs for Authenticator to function as a passkey provider.
To use Microsoft Authenticator as a passkey provider, we must set it up in the OS.
The setup for Android should be:
- open Settings app
- Passwords & Accounts
- enable Authenticator in the Additional providers section
Note: On my Xiaomi 13 (possibly on Xiaomi phones in general), the Passwords & Accounts setting doesn't exist at all, and I haven't found an alternative way to perform this setup. So, it's not possible to use the Microsoft Authenticator app for passkey login. I've tested on Android Emulator and Samsung Galaxy S23.
Setup for iOS:
- open the Settings app
- open Passwords and select Password Options
- Autofill Passwords and Passkeys must be turned on
- in the Use Passwords and Passkeys From section, enable Authenticator
Direct passkey registration in the Microsoft Authenticator app
The simplest method is creating a passkey directly on an Android or iOS device in the Microsoft Authenticator app.
- click the + button to add an account (it doesn't matter if you already have it in the app)
- choose Work or school account and Sign in
- sign in using MFA
- you can skip device registration (which is necessary for Phone sign-in)
- information will appear that you need to adjust settings for Authenticator to manage passkeys (there's also a link to settings, which doesn't work on my phone)
- all allowed authentication methods are set up (when I published the article, the passkey wasn't being created yet, this apparently changed on April 22)
- in the account details, we can see that the passkey is created and we can view its details
If we try to create a passkey on an older Android version, we'll get information that it's not possible. This is unfortunate, as the limitation is apparently due to Android 14 being the first to support setting Additional passkey providers. It seems we can bypass this setting for login. In the passkey details in the Authenticator app, there's an icon in the bottom right corner that scans a QR code. The question is whether it will automatically use the passkey in MS Authenticator or the system provider.
Registering a passkey from Windows to the Microsoft Authenticator app
We can register a passkey in the Microsoft Authenticator app from a browser on a computer (thanks to FIDO Cross-Device Authentication). And similarly use it for login.
- open the My Security info page
- click on Add sign-in method
- choose Passkey in Microsoft Authenticator (preview) and Add
- sign in using MFA
The first part takes place in the browser. We get information about the conditions, choose Android or iOS/iPadOS. We are instructed that we must set Microsoft Authenticator as an additional provider and after scanning the QR code, select Save another way.
After confirmation, the classic Windows Security dialog opens, offering external authenticators. So, for example, on a computer without Bluetooth, it will only offer a Security key, even though we're trying to register Microsoft Authenticator on the phone. The process in Windows is similar to what we described last time in Creating an external passkey on an Android device.
The choice differs when creating a passkey on the phone, where it's necessary to choose / switch to Microsoft Authenticator, which we must have enabled as an additional provider.
On an iOS device (iPhone), we scan the QR code and directly choose Authenticator in the system dialog.
On an Android device, we similarly scan the QR code. The system dialog may look different depending on the manufacturer. We must switch from the default Google Password Manager using the Save another way option and select Microsoft Authenticator.
Instead of scanning the QR code in the system Camera app, it would seem logical to use the scanning directly in the Microsoft Authenticator app (add account, Scan a QR code). However, this is not possible at the moment (although I've seen screenshots where it was functional). MS appears to state that it should work (see the FAQ item Can I use Authenticator app camera to scan the WebAuthn QR code for registration and authentication). After a few days, this option was working, but the passkey was issued to the phone (not to the Microsoft Authenticator app, which wasn't set as a passkey provider), so it was non-functional.
Registering a passkey on a mobile device
- Register passkeys in Authenticator on Android or iOS devices (preview)
- Register a passkey using a mobile device (preview)
Another option for registering a passkey is using a browser directly on a mobile device (of course, it must be saved to Microsoft Authenticator). In the documentation, Microsoft states that this is currently possible for iOS, but not supported for Android. However, it appears functional in Google Chrome. A system dialog opens, which looks the same as after scanning a QR code. We can choose to create a passkey in Microsoft Authenticator. I only tried this in an Android emulator, where the creation failed.
Possibility of logging into Windows using a passkey
FIDO authentication, and thus passkeys, is based on the W3C WebAuthn standard. This is intended for logging into web applications and services. Primarily through a browser, or potentially an application. It follows that it's not intended for logging into the operating system.
Microsoft has been supporting the use of Windows Hello for Business or FIDO2 security key for logging into Windows for some time. It can primarily work in a corporate environment where the computer is (hybridly) joined to Entra ID. This way, we can log in simultaneously to the operating system, Entra ID, and potentially also local AD.
Previously, the possibility of logging into Windows using the Microsoft Authenticator app and, for example, Phone sign-in was often discussed. This is probably not possible (although according to some information it's available with a personal Microsoft account and Windows 10/11), just as it's not possible to use a passkey in Microsoft Authenticator.