In Part 1, I covered emergency account best practices and the benefits of FIDO2-supported passkeys. If you haven’t read that post, I highly recommend doing so to get an understanding of the foundational concepts and best practices that will improve your overall security. It’s worth the read! You can find Part 1 at the following link: Part 1 – What is a FIDO2 key and How to Set One Up for Emergency Access in Entra ID | Cloud Build
In this post, I will guide you step by step through configuring a YubiKey purchased from Yubico. As explained in Part 1, the open standard used under the hood is FIDO2, which other vendors implement as well; Yubico is not the only provider of FIDO2-based security keys.
Now that you have had an overview of passkeys and how bad actors steal user credentials and session tokens, let’s continue to Part 2: enabling the YubiKey (FIDO2) I purchased from Yubico.
1. Access entra.microsoft.com
2. Click Protection, then Authentication methods, in the left pane

3. Click Passkey (FIDO2) which is set to disabled by default

4. Click the toggle to enable, click Select groups, then browse and locate the security group of which your emergency break glass account is a member. In my case, I have created a DemoGroup which includes the emergency break glass account.

5. Next, click Configure

6. There are several default configuration options. Let’s go through these one at a time.

Allow self-service setup
The default is Yes, which means users can register a passkey themselves by logging into the My Sign-Ins portal at https://mysignins.microsoft.com/security-info. If set to No, users can’t register a passkey.
Note:
Currently in preview, administrators can use Microsoft Graph and custom clients to provision FIDO2 security keys on behalf of users. At the time of writing, there is no option to provision FIDO2 keys on behalf of users via the Azure or Entra portal, so users have to register a key themselves via the My Sign-Ins portal linked above.
Public preview: Microsoft Entra ID FIDO2 provisioning APIs
Enforce attestation
The next option is Enforce attestation.

When this option is set to Yes, Microsoft relies on the FIDO Alliance Metadata Service (MDS) to determine security key compatibility with Windows, the Microsoft Edge browser, and online Microsoft accounts. The FIDO Alliance MDS is a centralised repository of Metadata Statements that relying parties use to validate authenticator attestation and prove the genuineness of the device model. Vendors such as Yubico publish data to the FIDO MDS and are responsible for publishing all of their root attestation certificates there; otherwise, attestation verification can fail. In simple terms, attestation is a check against a central verification database to ensure the FIDO2 key being registered is a listed, verified model rather than an unknown or counterfeit authenticator.
Administrators can enforce which hardware security key providers are allowed in their environment. For example, an organisation may allow only particular models of YubiKey and deny all other providers. YubiKeys are identified by an AAGUID, which can be looked up at the following URL: YubiKey Hardware FIDO2 AAGUIDs – Yubico

I purchased a Security Key NFC with firmware version 5.7. Using the link above, I can locate the unique AAGUID for this model of device. If I enter the AAGUID into the configuration within Entra ID, only this model of security key will be allowed in my organisation. I could add additional AAGUIDs if needed.

If you wish to use passkeys in Microsoft Authenticator, ticking the check box labelled Microsoft Authenticator automatically adds the two AAGUIDs for Apple and Android to the list, allowing you to use passkeys in the free Microsoft Authenticator app. If you wish to learn more, click the following Microsoft Learn link: How to enable passkeys in Microsoft Authenticator for Microsoft Entra ID
The images below show how an AAGUID is added and include the check box to enable passkeys in Microsoft Authenticator. I won’t be covering passkeys in the Microsoft Authenticator app but you can learn more at the link I posted above.


Ok, we’re done. The option to use PassKeys (FIDO2) is enabled.

The user experience
In the next steps, I will login using my emergency break glass account and enable the option for physical PassKeys.
1. Access https://mysignins.microsoft.com/security-info
2. I log in with my emergency break glass account
3. Click Add sign-in method

4. Click Security key

5. I am required to configure MFA before I can enable a security key. I click next.

6. Click Next again

7. I already have the Microsoft Authenticator App installed on my phone. I click next

8. I open the Authenticator app on my phone and scan the QR code provided

9. A two-digit code appears on screen, and a prompt appears in my Microsoft Authenticator app asking me to enter that code. After entering the code, I receive a notification approved message.

10. Click Done

11. We can now attempt to add the security key again at My Sign-Ins | Security Info | Microsoft.com
12. I click add sign-in method and select Security Key again. This time I receive two options. I click USB device.

13. Click Next. If I had selected NFC in the step above, I would receive the message below. With USB selected, the message is similar but without the instruction to “tap your security key on the reader”.

14. I am redirected to Windows Security. I select Security key and click Next

15. I click ok

16. Click OK. Notice that the key will be locked down to login.microsoft.com: the passkey is bound to that origin, so if a bad actor attempts a phishing attack and redirects the user to a lookalike URL, the YubiKey will not produce a valid assertion for it and authentication will fail.

17. I am prompted to insert my YubiKey into my laptop. Plug the physical key into the USB port depending on which USB device you purchased.

18. Once the YubiKey is detected, I am asked to create a new PIN. This PIN will be stored inside my YubiKey.

19. After creating a PIN, I am prompted to place my finger on the YubiKey and I receive a notification that the Passkey has been saved.

20. Name the Key, for example YubiKey 5 NFC, and click next.

21. We’re all set. Click done

22. The new YubiKey is now visible as one of my sign-in methods.

23. I remove the YubiKey from the USB port in my laptop.
- To test the YubiKey, I’ll access portal.microsoft.com
- Type my username
- Instead of entering a password, I click the option, Use your face, fingerprint, PIN, or security key instead

24. Select Security key and click next

25. I enter the PIN I created earlier, and click OK

26. The YubiKey flashes and I am prompted to place my finger on the YubiKey. I’m in.

That’s it.
Enforcing phishing-resistant MFA for users
If you wish to enforce the use of phishing-resistant MFA for certain or all users, you can use authentication strengths via Conditional Access policies in Entra ID.
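One way to create such a policy, as an added example that is not from the original post: it uses the Microsoft Graph PowerShell SDK to create a report-only Conditional Access policy that requires the built-in “Phishing-resistant MFA” authentication strength. It assumes the SDK is installed and that the target group name (DemoGroup, as in this post) and the policy display name are yours to change.

```powershell
# Added example (not from the original post). Creates a report-only Conditional
# Access policy that requires the built-in "Phishing-resistant MFA" strength.
# Assumes the Microsoft.Graph SDK is installed and the signed-in admin can
# consent to the scopes below. Report-only lets you review the sign-in log
# impact before switching the state to "enabled".
Connect-MgGraph -Scopes "Policy.Read.All","Policy.ReadWrite.ConditionalAccess","Group.Read.All" -NoWelcome

# Group name from this post; replace with the group you want to target.
$group = Get-MgGroup -Filter "displayName eq 'DemoGroup'"
if (-not $group) { throw "Target group not found" }

# Look the built-in strength up by name rather than hard-coding its id.
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq "Phishing-resistant MFA" }
if (-not $strength) { throw "Built-in 'Phishing-resistant MFA' strength not found" }

$policy = @{
    displayName = "Require phishing-resistant MFA (report-only)"   # assumed name
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($group.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $strength.Id }
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Emergency break glass accounts are commonly excluded from Conditional Access policies so they can still sign in if a policy misfires; add an excludeUsers entry under conditions.users if you target a broader group than the one in this post.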
A few points to note
- Conditional Access requires Entra ID P1 licenses. It is not a free feature.
- Attestation enforcement governs only whether a passkey (FIDO2) is allowed at registration time. Users who registered a passkey (FIDO2) without attestation aren’t blocked from signing in if you enable Enforce attestation later.
- Enforce key restrictions should be set to Yes only if your organisation wants to allow or disallow certain security key models or passkey providers, which are identified by their AAGUID. You can work with your security key vendor to determine the AAGUID of the passkey or check the vendor’s website. If the passkey is already registered, you can find the AAGUID by viewing the user’s authentication methods in Entra ID (click Authentication methods in the left pane). The AAGUID is also visible from the My Sign-Ins portal.
- If your organisation doesn’t currently enforce key restrictions and already has active passkey usage, you could collect the AAGUIDs of the keys being used today. Add them to the allow list and enable enforce restrictions. This task can be completed with an automated script that analyses logs, such as registration details and sign-in logs.
- Currently in preview, administrators can use Microsoft Graph and custom clients to provision FIDO2 security keys on behalf of users. At the time of writing, it was not possible to automatically provision the rollout of FIDO2 security keys to users from the portal.
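The AAGUID inventory described above, as an added example that is not from the original post: it uses the Microsoft Graph PowerShell SDK to list every registered FIDO2 method in the tenant, group the keys by AAGUID, and flag registrations whose AAGUID is not yet on your allow list. It reads registration details only (not sign-in logs), assumes the SDK is installed, and `$AllowedAaguids` is a placeholder you replace with your own list.

```powershell
# Added example (not from the original post). Inventories the AAGUIDs of
# passkeys already registered in the tenant so they can be added to the allow
# list before "Enforce key restrictions" is switched on.
# Assumes the Microsoft.Graph SDK is installed and the signed-in admin can
# consent to the scopes below.
Connect-MgGraph -Scopes "User.Read.All","UserAuthenticationMethod.Read.All" -NoWelcome

# Placeholder allow list: replace with the AAGUIDs you intend to permit.
$AllowedAaguids = @(
    "00000000-0000-0000-0000-000000000000"   # placeholder, not a real AAGUID
)

# One row per registered FIDO2 method, across all users in the tenant.
$inventory = foreach ($user in Get-MgUser -All -Property Id,UserPrincipalName) {
    foreach ($key in Get-MgUserAuthenticationFido2Method -UserId $user.Id -ErrorAction SilentlyContinue) {
        [pscustomobject]@{
            User             = $user.UserPrincipalName
            KeyName          = $key.DisplayName
            Model            = $key.Model
            AaGuid           = $key.AaGuid
            AttestationLevel = $key.AttestationLevel
            Registered       = $key.CreatedDateTime
            InAllowList      = ($AllowedAaguids -contains $key.AaGuid)   # case-insensitive
        }
    }
}

# Distinct models in use today and how many registrations each one has;
# these are the AAGUIDs to consider adding to the allow list.
"Registered models by AAGUID:"
$inventory | Group-Object AaGuid | ForEach-Object {
    [pscustomobject]@{
        AaGuid = $_.Name
        Model  = ($_.Group | Select-Object -First 1).Model
        Keys   = $_.Count
    }
} | Sort-Object Keys -Descending | Format-Table -AutoSize

# Registrations whose AAGUID is not yet on the allow list: review these
# before enabling restrictions so existing users are not caught out.
"Registered keys not on the allow list:"
$inventory | Where-Object { -not $_.InAllowList } |
    Format-Table User, KeyName, Model, AaGuid, AttestationLevel -AutoSize
```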
I hope you found this two part blog series useful. Thank you for tuning in and catch you at the next post.