
This website is originally written in the Czech language. Only part of the content is machine (AI) translated into English. The translation may not be exact and may contain errors.


FIDO passkeys part 3 - using passkeys in Microsoft Entra ID

Edited 25.04.2024 09:10 | Petr Bouška - Samuraj
Microsoft is currently adding (or better said, expanding) support for passkeys on its accounts, both for personal Microsoft accounts and for work or school accounts in Entra ID. We'll look at the options for personal accounts, where usage is less restricted, and in more detail at corporate accounts, which require device-bound passkeys. In addition, on Android (since version 14) and iOS (since version 17) mobile devices they can, for now, be stored only in the Microsoft Authenticator app.

Note: In the first part of the series, we described passkeys in detail on a theoretical level. The previous part focused on practical use on the Windows and Android platforms, from the perspective of operating system and browser support for creating, storing, and using passkeys; there we created passkeys for a Google account. In this part, we'll look at the options for Microsoft accounts, focusing more on Entra ID. Tests on Windows will be done on the operating system version with the best support, which is Windows 11 23H2.

Note: The article now describes the current state in my environment. A few days before publication, Microsoft completely updated the Microsoft Entra authentication documentation, which now describes the new work with passkeys quite well. However, the same things are described in various places (and sometimes contradictorily). A few days after the article was published, I managed to issue a passkey, so I supplemented the article. It's quite possible that there will be some more changes to the names.


From Windows Hello and FIDO2 security key to passkey

Old behavior and support

Microsoft has supported signing in to accounts with Windows Hello, i.e., passkeys stored on Windows devices, or with a Security Key, i.e., passkeys stored on a FIDO2 security key, for some time. These methods were collectively referred to as Sign in with Windows Hello or a security key, and during login the text Signing in with Windows Hello or security key was displayed.

Image: Signing in to a web application using FIDO2, option 2

Changes and passkey support

In January 2024, the login dialogs were changed and now display the option Face, Fingerprint, PIN or security key (Use your device to sign in with passkey). During login, the text Signing in with a passkey is displayed. Overall, the term passkey is used in many dialogs. Both on the web and in the latest version of Windows 11.

Image: Signing in to a Microsoft account with a passkey without entering a username

The change is not only in the names. The set of devices we can use for login, i.e., where passkeys can be stored, is being expanded. In addition to the existing Windows Hello (local computer) and security key (external hardware), mobile devices (external devices) are being added, with special support in the Microsoft Authenticator app.

I think the added support for FIDO Cross-Device Authentication in Windows 11 23H2 is related. The operating system thus supports the use of iPhone, iPad or Android device, including device remembering (storing information in the system). In the dialog for external devices (another device), there was previously only a security key, now we can also use mobile devices (if we have functional Bluetooth). It depends on the service what passkeys (where stored) it allows to create. The limitation is currently in Entra ID.

New login options

For Microsoft Account, we can now create a passkey stored on a mobile device. All common options are supported (as we tested in the previous part), so the passkey can be synchronized and stored in, for example, Google Password Manager.

For Entra ID, support for passkeys on mobile devices in the Microsoft Authenticator application has been added. Thanks to this, a second option is added to the existing passwordless login (Passwordless Authentication) in the Microsoft Authenticator application, using Phone sign-in, which is also phishing-resistant.

If we want to log in on a computer (generally another device than where Microsoft Authenticator / passkey is), then the condition we described in previous parts applies. For FIDO Cross-Device Authentication, Bluetooth must be enabled (functional) on both devices. Another complication is that we need to set Authenticator as another provider for passkeys. This is supported only in the latest versions of Android 14 and iOS 17. And on Xiaomi phones, this option is apparently missing.

There's excitement on the internet that finally ordinary users will replace passwords and that passkeys in Microsoft Authenticator are great. I'm not quite so optimistic. It seems too complicated for ordinary users to me. From my experience, many users used the verification code in SMS, and I tried in vain to convince them that Phone Sign-in is not only more secure but also much more convenient.

Another problem I see is that workstations usually don't have Bluetooth. I've also often heard security recommendations to have Bluetooth turned off on laptops (although we use it all the time on mobile phones). Using a passkey in Microsoft Authenticator is suitable for logging in on a foreign computer (on my own, it's better to create a local passkey). There, the question is what the possibilities will be to use Bluetooth.

Personal Microsoft Account

We'll briefly look at the options for a personal Microsoft Account. The login process (and available methods) is quite similar to the case of a company account (Entra ID). Information about planned changes and the timeline is difficult to find.

The official guide Signing in with a passkey already describes new options that I initially didn't have available. But during my testing (a week before publishing the article), new options started to appear occasionally. And now I have them available all the time.

Adding and managing login or verification methods is done under Microsoft account - Security - Advanced Security Options.

Old options (original dialog)

In Advanced Security Options, we see the configured login methods and can add new ones by selecting Add a new way to sign in or verify. Here are (were) the options Use your Windows PC (Windows Hello) and Use a security key.

Image: Microsoft Account, old dialog for adding a sign-in method

Interestingly, however, if we choose Use a security key, it doesn't matter whether we subsequently use a USB or NFC device: the Windows Security dialog for using an external authenticator is displayed, and it also offers mobile devices. This is probably related to the dialog change in Windows 11 23H2.

Image: Microsoft Account, options when choosing Security key

New options with passkeys

During testing, a new dialog with the option Face, fingerprint, PIN, or security key also appeared under the link Add a new way to sign in or verify. If we use it, the Windows Security window is displayed, which offers internal and external authenticators.

Image: Microsoft Account, new dialog for adding a sign-in method

The names in the list of configured sign-in methods have also changed. Instead of the original Use your Windows PC and Use a security key, only Use a passkey is displayed, so it is important to give each passkey a descriptive name for identification.

Image: Microsoft Account - Advanced Security Options

Adding login using a passkey

The issuance and use of passkeys for This Windows Device (Windows Hello) or Security key works simply. The process is the same as described in the previous part.

If we can issue a passkey from Windows to an Android phone (see the described problems in the previous part), it will also work for a Microsoft account. Or we can issue directly through the browser on an Android device.

The process is again the same as described in the previous part. But the screen lock entry behaved differently, maybe it was some coincidence. A dialog was displayed (not for using a fingerprint) to enter the password (screen lock) from another phone. Then the passkey was created and saved to Google Password Manager. It is really visible there and synchronizes to other devices. Its use works locally, on another Android phone where it was synchronized, and remotely in Windows.

Image: Microsoft Account, creating a passkey on an Android device

Information about the new passkey

When we create a new passkey, we receive an informational email. If we have an account connected in the Microsoft Authenticator app, information is also displayed here.

Image: Microsoft Authenticator, information about a new passkey

Microsoft Entra ID and work or school account

Microsoft published information about planned passkey support in MC718260 and MC690185 (not very extensively). When I was finishing the article, I accidentally found out that during the previous week, the complete official documentation Passkey (FIDO2) authentication was published. Also at that time, a number of articles appeared from people from Microsoft, MVPs and other experts.

The goal of the entire series was to get to the use of passkeys for accounts in Entra ID, i.e., work or school account. At the time of publication of the article, the deployment of passkeys support to Entra ID tenants is underway. According to the information, it was supposed to start in mid-March and be completed by mid-May. So far, it's a public preview, so significant changes may still occur.

It's important that within Entra ID, only device-bound passkeys are to be supported (for now). They can be stored on computers, security keys, or mobile devices. On mobile devices (Android and iOS), passkeys support is currently only in the Microsoft Authenticator app. And the latest OS version (Android 14 or iOS 17) is required.

In the new documentation, Microsoft states that it currently supports device-bound passkeys stored on FIDO2 security keys and in the Microsoft Authenticator app. It doesn't mention Windows Hello for Business here, so the situation there may not change: registration will still need to be done from the computer's settings, and we won't see it in My Security Info.

Note: I'm quite confused by the new documentation, where there's a description of the same areas under Passkey (FIDO2) authentication and under Microsoft Authenticator, but some information differs.

Enabling passkey (FIDO2) authentication in Entra ID

Microsoft states that we need to have Microsoft Entra multifactor authentication (MFA) and, in the case of Windows, at least Windows 10 1903 for Microsoft Entra Joined devices or Windows 10 2004 for Microsoft Entra Hybrid Joined devices. Detailed information about support is in Support for FIDO2 authentication with Microsoft Entra ID.

The passkey settings in Entra ID administration are tied to the FIDO2 security key settings (so far they correspond to the article Sign-in with FIDO2 security key): if we have security keys enabled, we also have passkeys, except that we must explicitly list the AAGUID for Authenticator.

Microsoft in MC690185 stated that FIDO2 security key was to be renamed to Passkeys (FIDO2), but that apparently hasn't happened yet. Meanwhile, in the official documentation, images of both variants alternate.

Enabling FIDO2 security key

  • Microsoft Entra admin center - Protection - Authentication methods - Policies
  • select the FIDO2 security key method
  • enable and select either all users (All users) or only selected using Security Groups (Select groups)
  • save changes (Save)
Image: Entra ID - Authentication methods - FIDO2 security key

Additional settings and key restrictions

In the message MC690185, there's additional information that seemed strange to me. At first, I thought it wasn't necessary, but more tests showed that without this setting, we can't issue a passkey (at least not directly in the Authenticator app). In the documentation Enable Authenticator passkey in the admin center, such a point is also mentioned.

The point is that to participate in the Passkeys (FIDO2) preview, we must enable Enforce key restrictions in the FIDO2 policy settings and list the allowed AAGUIDs including that for Microsoft Authenticator. The change in this setting takes effect after a longer time (estimated one hour). If it's not set, a passkey is not created during registration in the Authenticator app. In My Security Info, the creation of Passkey in Microsoft Authenticator (preview) is still offered.

Another thing is that Microsoft Authenticator doesn't yet support attestation (cryptographic verification of manufacturer and model using FIDO Alliance Metadata Service and MS testing). So for it to be registered, Enforce attestation must be turned off. If we turn off Enforce attestation, it's appropriate to use Enforce key restrictions for security and list only the allowed AAGUIDs.

Configuring FIDO2 policy

  • Microsoft Entra admin center - Protection - Authentication methods - Policies
  • select the FIDO2 security key method
  • switch to Configure
  • set Allow self-service set up to Yes, so users can register a passkey
  • set Enforce attestation to No (although it's recommended to use Yes)
  • set Enforce key restrictions to Yes along with Restrict specific keys Allow and list the AAGUIDs

Note: The Authenticator Attestation Globally Unique Identifier (AAGUID) is a unique identifier of the authenticator type. A given product (manufacturer and model) with the same properties shares a common AAGUID; it may change with the firmware version.

Image: Entra ID - Authentication methods - FIDO2 security key - Configure

Determining used FIDO2 security keys AAGUIDs

If we want to restrict only certain security keys, it's good to find out which ones we use in the company so we don't block them. Certain information is in the MS documentation, and I found more in the article How to enable Microsoft Authenticator passkeys in Entra ID.

To allow the use of Microsoft Authenticator, we need to enter its AAGUID. A Microsoft Authenticator (preview) checkbox should appear here, which would simplify the situation, but I don't have it yet.

  • de1e552d-db1d-4423-a619-566b625cdc84 Microsoft Authenticator for Android
  • 90a3ccdf-635c-4729-a248-9b709135078f Microsoft Authenticator for iOS

We can find out the AAGUID for certain devices from the manufacturer, for example for YubiKey. If the device is registered to a user, we can see the AAGUID in the details of the authentication method under the user (Microsoft Entra Admin Center - Users - All users - select user - Authentication methods). The user can also see it for their keys in My Security Info.

But the easiest way is to use PowerShell and the Microsoft Graph module, where we can list all types (AAGUIDs) of registered FIDO2 keys.

Install-Module Microsoft.Graph
# AuditLog.Read.All is needed for the registration report, UserAuthenticationMethod.Read.All for the users' FIDO2 methods
Connect-MgGraph -Scopes AuditLog.Read.All,UserAuthenticationMethod.Read.All
# users with a device-bound passkey registered, then the AAGUID of each of their FIDO2 methods
((Get-MgReportAuthenticationMethodUserRegistrationDetail -Filter "methodsRegistered/any(i:i eq 'passKeyDeviceBound')" -All).Id |
 ForEach-Object { Get-MgUserAuthenticationFido2Method -UserId $_ -All }).AaGuid | Select-Object -Unique

d8522d9f-575b-4866-88a9-ba99fa02f35b
a4e9fc6d-4cbe-4758-b8ba-37598bb5bbaa
2fc0579f-8113-47ea-b116-bb5a8db9202a
d94a29d9-52dd-4247-9c2d-8b818b610389
b6ede29c-3772-412c-8a78-539c1f4c62d2

Alternatively, we can use the module from Fabian Bader GitHub - EntraIDPasskeyHelper, PowerShell Gallery - EntraIDPasskeyHelper. Another interesting script is Export FIDO2 registration info - Entra ID.
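The following script ties the AAGUID inventory above to the Enforce key restrictions setting from Configuring FIDO2 policy: it lists the key types already registered in the tenant, checks which of them (and which of the two Microsoft Authenticator AAGUIDs) are missing from the policy's allow list, and proposes the corrected policy body. It is an added example, not the article's or Microsoft's code; it assumes the Microsoft.Graph module, an account holding the Graph permissions listed in the comments, the v1.0 Fido2 policy endpoint, and it only changes the policy when run with -Apply.

```powershell
# Added example (not from the article): compares the AAGUIDs of passkeys already
# registered in the tenant with the allow list in the Fido2 authentication method
# policy, so that turning on "Enforce key restrictions" does not block key types in use.
# Assumes the Microsoft.Graph module and these Graph permissions on the signed-in account:
#   AuditLog.Read.All, UserAuthenticationMethod.Read.All, Policy.Read.All
#   (Policy.ReadWrite.AuthenticationMethod is needed only with -Apply).
param(
    [switch]$Apply   # report only unless -Apply is given
)

$scopes = @('AuditLog.Read.All', 'UserAuthenticationMethod.Read.All')
$scopes += if ($Apply) { 'Policy.ReadWrite.AuthenticationMethod' } else { 'Policy.Read.All' }
Connect-MgGraph -Scopes $scopes -NoWelcome

# AAGUIDs of Microsoft Authenticator as given in the article
$authenticatorAaguids = @{
    'de1e552d-db1d-4423-a619-566b625cdc84' = 'Microsoft Authenticator for Android'
    '90a3ccdf-635c-4729-a248-9b709135078f' = 'Microsoft Authenticator for iOS'
}

# 1. Current Fido2 policy (resource type microsoft.graph.fido2AuthenticationMethodConfiguration)
$policyUri = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2'
$policy    = Invoke-MgGraphRequest -Method GET -Uri $policyUri
$allowed   = @($policy.keyRestrictions.aaGuids | ForEach-Object { $_.ToLower() })
'Fido2 policy: state={0}, isAttestationEnforced={1}, keyRestrictions.isEnforced={2}, enforcementType={3}' -f `
    $policy.state, $policy.isAttestationEnforced, $policy.keyRestrictions.isEnforced, $policy.keyRestrictions.enforcementType

# 2. Registered device-bound passkeys, grouped by AAGUID (same two cmdlets as the one-liner above)
$userIds = (Get-MgReportAuthenticationMethodUserRegistrationDetail `
    -Filter "methodsRegistered/any(i:i eq 'passKeyDeviceBound')" -All).Id
$keys = foreach ($id in $userIds) {
    Get-MgUserAuthenticationFido2Method -UserId $id -All |
        Select-Object AaGuid, Model, AttestationLevel
}
$inventory = $keys | Group-Object { $_.AaGuid.ToLower() } | ForEach-Object {
    [pscustomobject]@{
        AaGuid      = $_.Name
        Model       = ($_.Group.Model | Select-Object -Unique) -join ', '
        Registered  = $_.Count
        NotAttested = @($_.Group | Where-Object AttestationLevel -eq 'notAttested').Count
        InAllowList = $allowed -contains $_.Name
    }
}
$inventory | Sort-Object Registered -Descending | Format-Table -AutoSize

# 3. What would be blocked: registered key types (and Authenticator) missing from the allow list
$missing = @($inventory | Where-Object { -not $_.InAllowList } | ForEach-Object { $_.AaGuid })
$missing += @($authenticatorAaguids.Keys | Where-Object { $allowed -notcontains $_ })
if ($missing.Count -eq 0) {
    'Allow list already covers every registered key type and Microsoft Authenticator.'
    return
}
'Missing from the allow list:'
foreach ($g in $missing) {
    $label = if ($authenticatorAaguids.ContainsKey($g)) { $authenticatorAaguids[$g] }
             else { ($inventory | Where-Object AaGuid -eq $g).Model }
    '  {0}  {1}' -f $g, $label
}

# 4. Proposed policy: allow list = current + missing; attestation off, because Authenticator
#    cannot pass attestation yet (the article's reason for combining the two settings)
$body = @{
    '@odata.type'         = '#microsoft.graph.fido2AuthenticationMethodConfiguration'
    isAttestationEnforced = $false
    keyRestrictions       = @{
        isEnforced      = $true
        enforcementType = 'allow'
        aaGuids         = @($allowed + $missing | Select-Object -Unique)
    }
}
if ($Apply) {
    Invoke-MgGraphRequest -Method PATCH -Uri $policyUri -Body $body
    'Policy updated; the article notes the change takes about an hour to take effect.'
} else {
    'Dry run (use -Apply to PATCH). Proposed policy body:'
    $body | ConvertTo-Json -Depth 5
}
```

Run it first without -Apply and review the proposed allow list, since any registered key type left out of it stops working once Enforce key restrictions is on.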

Overview of registered methods for users

We can take a comprehensive look at the registered authentication methods of users, where we can filter various types of passkeys.

  • Microsoft Entra admin center - Protection - Authentication methods - User registration details

For some time now (before deploying passkey support to the tenant), planned changes were visible here. In the Methods Registered filter, there are both existing items, such as

  • FIDO2 security key
  • Windows Hello for Business

and new ones

  • Passkey (Microsoft Authenticator)
  • Passkey (other device-bound)
  • Passkey (Windows Hello)
  • Platform Credential for MacOS
Image: Entra ID - Authentication methods - User registration details filter

For users, FIDO2 security key has changed to Passkey (other device-bound). Windows Hello for Business remains, even though there's a Passkey (Windows Hello) item here.

For individual users, we can look at the registered authentication methods in the details of their account.

  • Microsoft Entra Admin Center - Users - All users - select user - Authentication methods
Image: Entra ID - User Authentication methods

Note: It looks quite confusing that a different name is used in each place. For the user, the passkey in the Authenticator app is labeled as FIDO2 security key. In User registration details, it's Passkey (Microsoft Authenticator). And in My Security Info, it's labeled Microsoft Authenticator.

User settings for passkeys in Entra ID

Registering passkeys

Users manage their authentication methods within their account My Account under Security Info. Here is the option to add (register) a new method. Previously, there was an option to add a Security key (and other old methods). After deploying passkeys to the Tenant, Passkey in Microsoft Authenticator (preview) appeared (this happened to me a few days ago). By the end of the year, the Security key option is to be removed.

Note: The original announcement mentioned the item Passkey (preview). In some parts of the official documentation, they refer to Passkey in Microsoft Authenticator (preview), elsewhere to Passkey (preview), and in some places, they have both.

Image: Microsoft My Security Info - Add a method (passkey)

It's not possible to create a passkey for Windows devices, i.e., in Windows Hello for Business, from this location. This is done from Windows settings, and registered devices are not visible in this list. An Entra ID administrator can view them among the user's authentication methods (they can't see their own).

Note: A small side note. Even on a personal computer that is registered in Entra ID, activating Windows Hello created a passkey for my Entra ID account.

Just like with a personal Microsoft account, when registering a Security key, a Windows Security dialog opens that also allows saving the passkey on a mobile device. This option was offered even before passkey support was deployed to the tenant: the entire process goes through and the passkey is likely created on the phone, but saving it in Entra ID fails.

Image: Microsoft My Security Info, passkey registration ending with an error

The passkey in My Security Info is marked with a passkey icon and the text Microsoft Authenticator. If we created it here, we provided a name. If we registered it in the Microsoft Authenticator app on Android, it's named MS Authenticator - Android.

Image: Microsoft My Security Info and a passkey

Requirements for Microsoft Authenticator

To use passkeys in the Microsoft Authenticator app, we need at least version 6.2404.2229 on Android or 6.8.7 on iOS. Microsoft also states that Android 14 or iOS 17 is required at minimum because these operating systems contain APIs for Authenticator to function as a passkey provider.

To use Microsoft Authenticator as a passkey provider, we must set it up in the OS.

The setup for Android should be:

  • open Settings app
  • Passwords & Accounts
  • enable Authenticator in the Additional providers section
Image: Android - Settings - Passwords & Accounts

Note: On my Xiaomi 13 (possibly on Xiaomi phones in general), the Passwords & Accounts setting doesn't exist at all, and I haven't found an alternative way to perform this setup. So, it's not possible to use the Microsoft Authenticator app for passkey login. I've tested on Android Emulator and Samsung Galaxy S23.

Setup for iOS:

  • open the Settings app
  • open Passwords and select Password Options
  • Autofill Passwords and Passkeys must be turned on
  • in the Use Passwords and Passkeys From section, enable Authenticator
Image: iPhone - Settings - Password Options

Direct passkey registration in the Microsoft Authenticator app

The simplest method is creating a passkey directly on an Android or iOS device in the Microsoft Authenticator app.

  • click the + button to add an account (it doesn't matter if you already have it in the app)
  • choose Work or school account and Sign in
  • sign in using MFA
  • you can skip device registration (which is necessary for Phone sign-in)
  • information will appear that you need to adjust settings for Authenticator to manage passkeys (there's also a link to settings, which doesn't work on my phone)
  • all allowed authentication methods are set up (when I published the article, the passkey wasn't being created yet, this apparently changed on April 22)
  • in the account details, we can see that the passkey is created and we can view its details
Image: Microsoft Authenticator - Add account for passkey registration 1
Image: Microsoft Authenticator - Add account for passkey registration 2

If we try to create a passkey on an older Android version, we'll get information that it's not possible. This is unfortunate, as the limitation is apparently due to Android 14 being the first to support setting Additional passkey providers. It seems we can bypass this setting for login. In the passkey details in the Authenticator app, there's an icon in the bottom right corner that scans a QR code. The question is whether it will automatically use the passkey in MS Authenticator or the system provider.

Image: Microsoft Authenticator - Add account for passkey registration 3

Registering a passkey from Windows to the Microsoft Authenticator app

We can register a passkey in the Microsoft Authenticator app from a browser on a computer (thanks to FIDO Cross-Device Authentication), and use it for login in the same way.

  • open the My Security info page
  • click on Add sign-in method
  • choose Passkey in Microsoft Authenticator (preview) and Add
  • sign in using MFA

The first part takes place in the browser. We get information about the conditions, choose Android or iOS/iPadOS. We are instructed that we must set Microsoft Authenticator as an additional provider and after scanning the QR code, select Save another way.

Image: Microsoft My Security Info - Add Passkey in Microsoft Authenticator

After confirmation, the classic Windows Security dialog opens, offering external authenticators. So, for example, on a computer without Bluetooth, it will only offer a Security key, even though we're trying to register Microsoft Authenticator on the phone. The process in Windows is similar to what we described last time in Creating an external passkey on an Android device.

Image: Windows, creating a passkey on an iPhone or Android device

The choice differs when creating a passkey on the phone, where it's necessary to choose / switch to Microsoft Authenticator, which we must have enabled as an additional provider.

On an iOS device (iPhone), we scan the QR code and directly choose Authenticator in the system dialog.

Image: Windows, creating a passkey in the Microsoft Authenticator app (iOS)

On an Android device, we similarly scan the QR code. The system dialog may look different depending on the manufacturer. We must switch from the default Google Password Manager using the Save another way option and select Microsoft Authenticator.

Image: Windows, creating a passkey in the Microsoft Authenticator app (Android)

Instead of scanning the QR code in the system Camera app, it would seem logical to use the scanner built into the Microsoft Authenticator app (add account, Scan a QR code). However, this is not possible at the moment (although I've seen screenshots where it was functional). Microsoft's FAQ entry Can I use Authenticator app camera to scan the WebAuthn QR code for registration and authentication suggests it should work. After a few days, this option was working, but the passkey was issued to the phone (not to the Microsoft Authenticator app, which wasn't set as a passkey provider), so it was non-functional.

Image: Microsoft Authenticator - QR code not supported

Registering a passkey on a mobile device

Another option for registering a passkey is using a browser directly on a mobile device (of course, it must be saved to Microsoft Authenticator). In the documentation, Microsoft states that this is currently possible for iOS, but not supported for Android. However, it appears functional in Google Chrome. A system dialog opens, which looks the same as after scanning a QR code. We can choose to create a passkey in Microsoft Authenticator. I only tried this in an Android emulator, where the creation failed.

Possibility of logging into Windows using a passkey

FIDO authentication, and thus passkeys, is based on the W3C WebAuthn standard, which is intended for logging into web applications and services, primarily through a browser or possibly a native application. It follows that it's not intended for logging into the operating system.

Microsoft has been supporting the use of Windows Hello for Business or FIDO2 security key for logging into Windows for some time. It can primarily work in a corporate environment where the computer is (hybridly) joined to Entra ID. This way, we can log in simultaneously to the operating system, Entra ID, and potentially also local AD.

Previously, the possibility of logging into Windows using the Microsoft Authenticator app and, for example, Phone sign-in was often discussed. This is probably not possible (although according to some information it's available with a personal Microsoft account and Windows 10/11), just as it's not possible to use a passkey in Microsoft Authenticator.
