Only a few months until Microsoft Entra ID supports device-bound passkeys stored on computers and mobile devices as an authentication method in preview, in addition to the existing support for FIDO2 security keys. This enables your users to perform phishing-resistant authentication using the devices they already have.
What is a device-bound passkey?
First, let’s zoom in a little on device-bound passkeys. A device-bound passkey is a FIDO2 discoverable credential that is bound to a single authenticator. FIDO2 security keys, for example, typically hold device-bound passkeys, because the credential cannot leave the key. Device-bound passkeys were previously referred to as single-device passkeys.
For this reason, the current FIDO2 security key authentication method policy in Entra ID will be expanded to support the use of passkeys. So, if your organization already uses FIDO2 security keys for phishing-resistant authentication (good job!), it’s time for action!
If your organization requires or prefers FIDO2 authentication using physical security keys only, then please enforce key restrictions to only allow security key models that you accept in your FIDO2 policy. Otherwise, the new preview capabilities enable your users to register for device-bound passkeys stored on Windows, macOS, iOS, and Android.
Key Restriction Policy
You can use the FIDO2 Key Restriction Policy to specifically block or allow types of FIDO2 keys. This is done based on the AAGUID of the key. Most of the FIDO2 security keys have a unique AAGUID that can be used to either block or allow the key. In this example, I’ve blocked one specific key in Entra ID.
Where can I find these AAGUIDs?
Most of these AAGUIDs can be found on the website of the vendor. For example:
YubiKey Hardware FIDO2 AAGUIDs – Yubico
Products – FIDO Security Keys (ftsafe.com)
The AAGUID can also be found in the Microsoft Entra admin center under the authentication methods blade of the user.
Graph API can also show the AAGUID when running:
GET https://graph.microsoft.com/beta/users/userID/authentication/methods
Here’s a script by Fabian Bader to do an inventory of existing FIDO AAGUIDs: List all AAGUIDs in an Entra ID / Azure AD tenant (github.com)
Or check this method, created by Nathan McNulty:
# Install the Microsoft Graph PowerShell SDK and sign in with the scopes the registration report and the per-user method queries need
Install-Module Microsoft.Graph
Connect-MgGraph -Scopes AuditLog.Read.All,UserAuthenticationMethod.Read.All
# Take every user whose registration report lists a device-bound passkey (FIDO2 method), read their registered FIDO2 methods, and keep the distinct AAGUIDs
((Get-MgReportAuthenticationMethodUserRegistrationDetail -Filter "methodsRegistered/any(i:i eq 'passKeyDeviceBound')" -All).Id |
    ForEach-Object { Get-MgUserAuthenticationFido2Method -UserId $_ -All }).AaGuid |
    Select-Object -Unique
Time for action
Microsoft will use the FIDO2 authentication method UX to integrate the new device-bound passkeys into Entra ID. So, if you currently use FIDO2 keys but don’t use the Key Restriction Policy, device-bound passkeys will be enabled by default. If you want to control the use of passkeys, make sure you only allow the FIDO keys you currently support/allow in your tenant. This will automatically block the device-bound passkeys when they arrive.
Be aware that key restrictions set the usability of specific FIDO2 methods for both registration and authentication. If you change key restrictions and remove an AAGUID you previously allowed, users who previously registered an allowed method can no longer use it for sign-in.
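To see what a key restriction change does before you save it, the following added example (not code from the post or from Microsoft) applies the Graph fido2KeyRestrictions semantics (isEnforced, enforcementType, aaGuids) to an inventory of registered AAGUIDs and reports which users would lose a registered method. The per-user method lists and the AAGUIDs are constructed placeholders shaped like the /authentication/methods response, not real vendor values.

```python
from collections import defaultdict

# Constructed sample, shaped like GET /users/{id}/authentication/methods per user.
# The AAGUIDs are placeholders, not real vendor AAGUIDs.
SAMPLE_METHODS = {
    "alice@contoso.example": [
        {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"},
        {"@odata.type": "#microsoft.graph.fido2AuthenticationMethod",
         "aaGuid": "11111111-1111-1111-1111-111111111111", "model": "Security key A"},
    ],
    "bob@contoso.example": [
        {"@odata.type": "#microsoft.graph.fido2AuthenticationMethod",
         "aaGuid": "22222222-2222-2222-2222-222222222222", "model": "Device-bound passkey"},
    ],
    "carol@contoso.example": [
        {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"},
    ],
}

def inventory_aaguids(methods_by_user):
    """Map each registered FIDO2 AAGUID (lower-cased) to the users who registered it."""
    found = defaultdict(set)
    for user, methods in methods_by_user.items():
        for m in methods:
            if m.get("@odata.type") == "#microsoft.graph.fido2AuthenticationMethod":
                found[m["aaGuid"].lower()].add(user)
    return dict(found)

def is_allowed(aaguid, key_restrictions):
    """Evaluate one AAGUID against a fido2KeyRestrictions object."""
    if not key_restrictions.get("isEnforced"):
        return True  # no restriction enforced: every key, and so every passkey, is usable
    listed = aaguid.lower() in {g.lower() for g in key_restrictions.get("aaGuids", [])}
    if key_restrictions.get("enforcementType") == "allow":
        return listed  # allowlist: only listed AAGUIDs may register or sign in
    return not listed  # blocklist: listed AAGUIDs are refused, everything else works

def blocked_users(methods_by_user, key_restrictions):
    """Users whose already-registered FIDO2 method the given policy would block."""
    blocked = {}
    for aaguid, users in inventory_aaguids(methods_by_user).items():
        if not is_allowed(aaguid, key_restrictions):
            for user in sorted(users):
                blocked.setdefault(user, []).append(aaguid)
    return blocked

if __name__ == "__main__":
    # Allow only the security key model; the passkey AAGUID is not listed, so bob is blocked
    policy = {"isEnforced": True, "enforcementType": "allow",
              "aaGuids": ["11111111-1111-1111-1111-111111111111"]}
    print(blocked_users(SAMPLE_METHODS, policy))
```

Feed it the real output of the Graph call or the PowerShell inventory above and the proposed key restriction, and the result is the list of users to contact before you remove an AAGUID.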
Learn more:
Passwordless security key sign-in – Microsoft Entra | Microsoft Learn
What’s new? Release notes – Microsoft Entra | Microsoft Learn
Pingback: Microsoft Roadmap, message center and blog updates of 24-10-2023 - KbWorks
Will this new passkey in Entra support FIPS 140-2 like some of the physical YubiKeys do?
Pingback: Intune Newsletter - 27th October 2023 - Andrew Taylor
Why the hate for Yubikey? (crossed out url) 😉
Hey Arian,
that was caused by my broken link detector. I have now whitelisted the URL, so the strikethrough is gone.
I had indeed set some restrictions to allow certain AAGUIDs (Yubikey 😉), so I guess that’s why I wouldn’t see the passkey options. I did test what happens when removing and reapplying AAGUID restrictions, and as expected the registered ones were blocked or could be used again when allowed again. So currently no AAGUID restrictions anymore, eagerly awaiting the passkey functionality. ‘My body is ready’ (that’s a meme of course 🙂)
Still nothing right? At least I am not seeing anything in my tenant just yet
Nope, they pushed back to March.
Thanks for the update Jan. Any official link that states the pushback?
Yes, in the M365 admin center: https://admin.microsoft.com/Adminportal/Home?ref=MessageCenter/:/messages/MC690185
Still nothing?
No, nothing here yet.
Anyone?
We have it enabled and it works to a point. Device-bound passkeys work a treat on Win11 but not so sweet on mobile. Works to the point of saving it in myaccess>security, then baulks with some obscure error message. The passkeys do get created on the mobile device but it just doesn’t save in Entra. Support case opened with the product group.
Pingback: Get started with passkeys in Microsoft 365 - JanBakker.tech