Microsoft has released support for device-bound passkeys in Microsoft Authenticator as a Microsoft Entra ID authentication method. At the time of writing this article, Microsoft Authenticator is the only software passkey provider allowed, and only device-bound passkeys are allowed.

Microsoft is considering adding other software passkeys, which potentially would not need to be device-bound and could therefore be synchronized between multiple devices. This is still only under consideration at the current stage, however, and it is uncertain how, when, or whether it will ultimately be delivered.

Only device-bound passkeys in Microsoft Authenticator are allowed at the time of writing this article.

This method is in General Availability at the time of writing this article, so it is ready to be deployed in production environments.

Enable passkey authentication method in Microsoft Entra ID

Open Microsoft Entra admin center and go to Protection – Authentication methods. Under Policies, open Passkey (FIDO2) and enable this method for all users or selected user groups. This enables the use of FIDO2 including passkeys within Microsoft Authenticator for the selected users.

Configure passkey authentication in Microsoft Entra ID

Microsoft Authenticator already supports attestation for passkeys, so you can start requiring attestation and passkeys in Microsoft Authenticator will keep working.

However, at this time you still need to set key restrictions and explicitly enable AAGUIDs for Microsoft Authenticator for Android and iOS. Without key restrictions, automatic passkey registration will not be performed when logging in within the Microsoft Authenticator app. This will change in January 2025 – from then on, key restrictions will no longer be needed.

So switch to the Configure tab.

You can just check that checkbox for Microsoft Authenticator (Preview) to enable the use of passkeys in the Microsoft Authenticator app for both Android and iOS. You can also manually add the AAGUIDs for Microsoft Authenticator on Android and iOS.

  • Microsoft Authenticator for Android: de1e552d-db1d-4423-a619-566b625cdc84
  • Microsoft Authenticator for iOS: 90a3ccdf-635c-4729-a248-9b709135078f

Get list of all FIDO2 keys used in the tenant

When you set restrictions via AAGUID as above, you need to think about the other FIDO2 devices used in the organization. If you allow only Microsoft Authenticator as described, all other FIDO2 devices would stop working, including those already in use.

Therefore, it is important to also add the AAGUIDs of all other FIDO2 devices used in the organization. Ideally, add the AAGUIDs of every model you know is in use; check the manufacturer’s website or contact their support. For example, you can find the AAGUIDs for YubiKey here.

It is also a good idea to list all the AAGUIDs that your users have already registered. You can do this easily via Microsoft Graph PowerShell.

How to get list of all FIDO2 keys registered in Microsoft Entra ID via PowerShell

First we need the Microsoft Graph PowerShell module installed.

Install-Module Microsoft.Graph

Once the Microsoft Graph module is installed, we can connect to Microsoft Graph. We need the AuditLog.Read.All and UserAuthenticationMethod.Read.All permissions, so we request them in the scopes.

Connect-MgGraph -Scopes AuditLog.Read.All,UserAuthenticationMethod.Read.All

After successful authentication, you can get all FIDO2 keys registered for all of your users with the following command (credit goes to Nathan McNulty).

((Get-MgReportAuthenticationMethodUserRegistrationDetail -Filter "methodsRegistered/any(i:i eq 'passKeyDeviceBound')" -All).Id | ForEach-Object { Get-MgUserAuthenticationFido2Method -UserId $_ -All }).AaGuid | Select-Object -Unique

Now just make sure that the registered FIDO2 AAGUIDs are also on the allow list mentioned above.
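As an added example (not code from this article or from either PowerShell module it mentions), the following script does that comparison for you: it collects the registered AAGUIDs, reads the key restrictions of the Fido2 authentication method configuration through Microsoft Graph, and reports any registered model, or Microsoft Authenticator AAGUID, that the allow list does not contain. It assumes an existing Connect-MgGraph session that also holds Policy.Read.All, and the function name Get-PasskeyAllowListGap is an assumed name chosen for this example.

```powershell
# Added example, not code from the original article or from the modules it mentions.
# Compares the AAGUIDs users have already registered against the allow list in the
# Fido2 authentication method configuration and reports models that would stop
# working once key restrictions are enforced.
# Assumes an existing Connect-MgGraph session with AuditLog.Read.All,
# UserAuthenticationMethod.Read.All and Policy.Read.All.
# The function name Get-PasskeyAllowListGap is an assumed name for this example.
function Get-PasskeyAllowListGap {
    [CmdletBinding()]
    param ()

    # AAGUIDs of Microsoft Authenticator for Android and iOS (values from the article)
    $authenticatorAaguids = @(
        'de1e552d-db1d-4423-a619-566b625cdc84'   # Android
        '90a3ccdf-635c-4729-a248-9b709135078f'   # iOS
    )

    # 1. Every AAGUID registered in the tenant, with how many keys use it.
    #    @() keeps the pipeline empty (instead of a single $null) when nobody has a passkey.
    $userIds = @(Get-MgReportAuthenticationMethodUserRegistrationDetail `
            -Filter "methodsRegistered/any(i:i eq 'passKeyDeviceBound')" -All).Id
    $registered = @($userIds |
        ForEach-Object { Get-MgUserAuthenticationFido2Method -UserId $_ -All } |
        Group-Object -Property AaGuid |
        Select-Object @{ n = 'AaGuid'; e = { $_.Name } }, Count)

    # 2. The current Fido2 key restrictions, read directly from Microsoft Graph.
    #    Invoke-MgGraphRequest returns a hashtable, so keyRestrictions is addressed by name.
    $uri = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2'
    $fido2 = Invoke-MgGraphRequest -Method GET -Uri $uri
    $restrictions = $fido2.keyRestrictions
    $allowed = @($restrictions.aaGuids)

    if (-not $restrictions.isEnforced) {
        Write-Warning 'Key restrictions are not enforced; every AAGUID is currently accepted.'
        return
    }
    if ($restrictions.enforcementType -ne 'allow') {
        Write-Warning "Enforcement type is '$($restrictions.enforcementType)', not an allow list; review it manually."
        return
    }

    # 3. Registered models missing from the allow list (-notcontains compares strings case-insensitively)
    $registered |
        Where-Object { $allowed -notcontains $_.AaGuid } |
        ForEach-Object {
            [pscustomobject]@{
                AaGuid = $_.AaGuid
                Keys   = $_.Count
                Status = 'registered but NOT on the allow list'
            }
        }

    # 4. Microsoft Authenticator AAGUIDs missing from the allow list, even if no user has one yet
    foreach ($aaguid in $authenticatorAaguids) {
        if ($allowed -notcontains $aaguid) {
            $match = $registered | Where-Object { $_.AaGuid -eq $aaguid }
            [pscustomobject]@{
                AaGuid = $aaguid
                Keys   = if ($match) { $match.Count } else { 0 }
                Status = 'Microsoft Authenticator AAGUID NOT on the allow list'
            }
        }
    }
}

# Usage: run after Connect-MgGraph. Empty output means the allow list already covers
# every registered model plus both Microsoft Authenticator AAGUIDs.
Get-PasskeyAllowListGap | Format-Table -AutoSize
```

Run it before enforcing key restrictions and again after any change to the allow list; each row in the output is a model whose users would be locked out of passkey sign-in until its AAGUID is added.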

Alternatively, you can use the EntraIDPasskeyHelper PowerShell module prepared by Fabian Bader.

Install-Module EntraIDPasskeyHelper -Scope CurrentUser

Connect-MgGraph -Scopes "AuditLog.Read.All", "Policy.ReadWrite.AuthenticationMethod", "User.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome

Get-PasskeyDeviceBoundAAGUID | Set-PasskeyAuthenticationMethodsPolicy -MicrosoftAAGUIDsAllowed 'All' -EnforceAttestation $true -Verbose

The code above will take all AAGUIDs currently used in the environment and set them as allowed in key restrictions. It also enforces attestation and adds the two AAGUIDs of Microsoft Authenticator for iOS and Android.

How to register passkeys in Microsoft Authenticator

Registering passkeys in Microsoft Authenticator is pretty straightforward. You can either sign in with your work or school account directly in the Microsoft Authenticator app, which then automatically adds all enabled authentication options including passkeys, or you can go to https://aka.ms/setupsecurityinfo and add a new method from there.