How to use Passkeys in Microsoft Authenticator for Microsoft Entra ID

A strong password doesn’t exist, which is why Microsoft is determined to move to a passwordless future. To make the adoption of passwordless authentication even easier, they have now added support for device-bound passkeys stored in Microsoft Authenticator.

Passwordless authentication was already possible in Microsoft Entra ID but required a FIDO2-compliant security key or Windows Hello for Business. But Passkeys in Microsoft Authenticator will make the adoption a lot easier.

In this article, I will explain how to enable Microsoft Authenticator Passkeys in your tenant and how to use them.

What are Passkeys

Before we look at how to set up and use Passkeys in Microsoft Authenticator, let’s first explain what Passkeys are and why they are safer to use than passwords.

As we all know by now, a (strong) password alone isn’t safe to use anymore. That is why it’s recommended to use MFA where possible. However, as more users have adopted MFA, attackers have changed their methods as well. They use man-in-the-middle attacks or social engineering to trick users into approving MFA requests, allowing them to steal their credentials.

This is where passkeys come in, a strong and phishing-resistant authentication method. A passkey is a unique cryptographic key pair that is associated with a specific app or website. This way it can’t be used with a fake website or app.

A passkey is stored on a device, like a Yubikey or your mobile phone. The important part here is that the private key never leaves that device. To authenticate, you use either a PIN or a biometric to unlock the secret that is used for the authentication.

Another important part of passkeys is that the device needs to be in close proximity to the client. In the case of a Yubikey this is done over USB, but NFC, Bluetooth, or a TPM built into the client can also be used for this.

How do passkeys work

So how does a passkey work? Let’s take a brief look at the initial registration and authentication flow:

  1. Registration: The user’s device creates a new public-private key pair. The public key is sent to the online service for future authentication, while the private key remains securely stored on the device.
  2. Authentication: During the authentication, the service requests an authentication signature. The user’s device will prompt the user to consent to the authentication, using a PIN or biometric. When the user consents, an authentication signature is created with the private key.
  3. Verification: The service receives the signature and uses the stored public key to verify that it was indeed created with the corresponding private key. If the signature is valid, the service grants access to the user.
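The three steps above as an added example in Go (not code from the original article): a toy authenticator that keeps one Ed25519 key per relying-party (RP) ID, and an RP-side verifier that checks the signed origin and challenge before the signature. The real WebAuthn formats (CBOR attestation, authenticatorData, base64url challenges) are simplified here, and the hostnames and challenge are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Authenticator models the device (phone or security key): one private key per
// relying party (RP) ID, and the private key never leaves the device.
type Authenticator map[string]ed25519.PrivateKey

// clientData is what gets signed: the RP's challenge plus the origin the browser
// reports, binding the response to one site and one sign-in attempt.
type clientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

// Register (step 1): create a key pair; only the public key is sent to the RP.
func (a Authenticator) Register(rpID string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a[rpID] = priv
	return pub, nil
}

// Authenticate (step 2): after the user unlocks the key (PIN or biometric), sign the
// client data. A look-alike domain is a different RP ID and has no credential.
func (a Authenticator) Authenticate(rpID, origin string, challenge []byte) (cd, sig []byte, err error) {
	priv, ok := a[rpID]
	if !ok {
		return nil, nil, fmt.Errorf("no passkey registered for %q", rpID)
	}
	cd, _ = json.Marshal(clientData{Challenge: challenge, Origin: origin})
	return cd, ed25519.Sign(priv, cd), nil
}

// Verify (step 3): the RP checks that the signed origin and challenge are its own,
// then checks the signature against the public key stored at registration.
func Verify(pub ed25519.PublicKey, origin string, challenge, cd, sig []byte) bool {
	var p clientData
	if json.Unmarshal(cd, &p) != nil || p.Origin != origin || string(p.Challenge) != string(challenge) {
		return false
	}
	return ed25519.Verify(pub, cd, sig)
}
```

Registering for "login.microsoftonline.com" and then asking the same authenticator to sign for a look-alike RP ID fails at step 2, and a response whose client data carries another origin or an old challenge fails at step 3 even though the signature itself is valid.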

Enable Authenticator Passkeys in Microsoft Entra ID

To use passkeys in Microsoft Authenticator, we first need to allow users to sign in using a passkey in Authenticator. We can’t use the Microsoft Authenticator policy for this; instead, we need to edit the FIDO2 security key authentication method policy.

  1. Open Microsoft Entra Admin Center
  2. Expand Protection and open Authentication Methods
  3. In the Policies, open the FIDO2 Security Key
  4. Make sure that it’s enabled and select All users or add a group
  5. Click on Configure
  6. Configure the FIDO2 security settings as follows:
    • Allow self-service setup – Yes
    • Enforce attestation – No
    • Enforce key restrictions – Yes
    • Restrict specific keys – Allow
  7. Select either the Microsoft Authenticator (preview) checkbox or add the following two AAGUIDs to the key restriction list:
    • de1e552d-db1d-4423-a619-566b625cdc84 (used for Authenticator on Android)
    • 90a3ccdf-635c-4729-a248-9b709135078f (used for Authenticator on iOS)
  8. Click Save when done

Note

If your organization is already using passkeys (for example FIDO2 security keys), make sure that you also add the AAGUIDs of those keys to the restriction list, otherwise they will no longer be accepted.

Using PowerShell

We can of course also use PowerShell to enable and configure the FIDO2 security key authentication method in Microsoft Entra ID. Make sure that you have the Microsoft Graph PowerShell module installed.

The first step is to connect to Microsoft Graph with the correct permission scope, in this case, the Policy.ReadWrite.AuthenticationMethod scope. Next, we create the request body which we use to update the policy.

# Connect to Microsoft Graph with the scope needed to edit authentication method policies
Connect-MgGraph -Scopes Policy.ReadWrite.AuthenticationMethod

# Create the FIDO2 configuration (same settings as in the portal above:
# self-service setup on, attestation off, key restrictions enforced as an allow list)
$params = @{
    "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    state                            = "enabled"
    isSelfServiceRegistrationAllowed = $true
    isAttestationEnforced            = $false
    keyRestrictions                  = @{
        isEnforced      = $true
        enforcementType = "allow"
        aaGuids         = @(
            "90a3ccdf-635c-4729-a248-9b709135078f",  # Authenticator on iOS
            "de1e552d-db1d-4423-a619-566b625cdc84"   # Authenticator on Android
        )
    }
}

# Apply the FIDO2 configuration
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -AuthenticationMethodConfigurationId "Fido2" -BodyParameter $params

After you have updated the policy, you can verify the configuration with the following PowerShell command:

Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -AuthenticationMethodConfigurationId "Fido2" | select -ExpandProperty AdditionalProperties

Register Passkey using Microsoft Authenticator

With Microsoft Entra ID set up to support FIDO2 authentication and passkeys in Microsoft Authenticator, we can now create a passkey in the Microsoft Authenticator app.

Note

Follow the steps below exactly, even if you already have an account in Microsoft Authenticator.
  1. Open the Microsoft Authenticator app
  2. Tap on the + Plus icon to add an account
  3. Choose Work or school account
  4. Tap on Sign In
  5. Type in your email address and complete your MFA flow
  6. You might see a page “Sign in with your phone”, just click on Continue
  7. Tap on Settings to open your mobile phone settings
  8. Go to Passwords & Accounts and ensure that Authenticator is enabled as an additional provider
  9. Tap back to return to the Authenticator app and click on Done
  10. The app will create a Passkey and additional ways to sign in

Sign in with Passkeys in Authenticator

With everything configured, we can now sign in with our passkey. The first time this requires a couple of steps, but from then on it’s a bit easier.

The first time you sign in to Microsoft 365 with your passkey in Microsoft Authenticator, click on Sign-in options (1). You don’t need to enter an email address here; that only comes into play after the initial authentication flow.

Next, we choose Face, Fingerprint, PIN, or security key. Depending on your device, you may be prompted to sign in with Windows Hello for Business. Just click on Use a different security key, and choose to use a Phone, Tablet or Security key.

Eventually, you will get the option to select an iPhone, iPad, or Android device with a QR code icon. Choose that option and scan the QR code with your phone.

Follow the steps on your phone and select the passkey in your Microsoft Authenticator. You will probably get the option to use the passkey as the default sign-in option, make sure that you select this.

Unlock your passkey with your biometrics and you should be signed in to Microsoft 365.

This flow doesn’t seem very user-friendly at first. But once you have signed in with your passkey, Microsoft 365 will automatically prompt you to authenticate with your passkey again. So from then on you only have to enter your email address, after which you can select your phone to authenticate. You only need to unlock your passkey with your biometrics and you are authenticated.

You will see that this authentication flow is a lot easier, and takes pretty much the same amount of time as using MFA to authenticate. However, the advantage is that this method is more secure and phishing-resistant.

Enforce passkey for sign-in

When you have rolled out the passkey in your organization, you can start to enforce passwordless sign-in when a user accesses a sensitive resource. For example, when a user accesses the Azure Portal, we want to make sure that they use passwordless authentication.

To do this, we can use Conditional Access policies. I have written a guide on how to create your own policies, make sure that you check that out. In the policy, we can now require the built-in Phishing-resistant MFA authentication strength.

Wrapping Up

Passwordless authentication is the way to go, and passkeys in Microsoft Authenticator make implementing this a lot easier. Most users already have the Authenticator app installed and are used to the MFA flow. So moving from MFA to unlocking your passkey is just a small step.

The first time authenticating with the passkey does require you to click through some screens, but with a good internal guide, this is easy to roll out to your users.

Definitely give this new authentication flow a try, it only takes a couple of minutes to set up for your tenant.

Hope you liked this article, and the passkey in Microsoft Authenticator. If you have any questions, just drop a comment below.

3 thoughts on “How to use Passkeys in Microsoft Authenticator for Microsoft Entra ID”

  1. First I’d like to thank you for the articles helping me set up my Ubiquiti network. And, passkeys are not great, nor are they convenient. If you use MS, Google, or Apple to manage them, you can’t export them for use elsewhere. Platform lock-in. Also, aren’t they per machine unlike passwords? Hardly seems worth it, plus, if I have to go through what you just graciously showed us, plus have to use MS products, I want no part of it.

  2. I’m not seeing the “Microsoft Authenticator (preview)” checkbox in my tenant. Will it work if I just add the AAGUIDs?
