I have an organization with Conditional Access Policies in place that only allow clients to log into Office from their corporate devices. When logging in from their corporate device, they're required to merely input their UPN, a password and satisfy an MFA challenge.
Now, I have some users that require the ability to access office apps (SharePoint, Email) from a BYOD device.
Requirements
Log into Entra and navigate to Protection -> Authentication Methods and select the "FIDO2 security key" method.
Toggle the "Enable" slider and select All users or a group. For this use case, I am going to create a new group to scope this authentication method and select the group "MC-FIDO2-Pilot":
Now, select the "Configure" tab to configure some optional settings for FIDO2 keys. Under General, we will select "Yes" for "Allow self-service set up" and "Enforce attestation". Under Key Restriction Policy, leave "Enforce key restrictions" set to No and then hit Save.
Note, we could select Yes for "Enforce key restrictions" to only allow FIDO2 keys from specific vendors.
In Entra, navigate to Protection -> Conditional Access and create a new CA policy. Give your policy a name and then, under Assignments, select the group that you created:
Under Target resources, we will select Office 365 cloud app:
Under Conditions, I have added a filter for devices to exclude compliant and Entra ID joined devices, because I only want FIDO2 enforced when authentication attempts come from non-corporate devices.
Now, under the grant controls, instead of selecting "Require multifactor authentication", let's select "Require authentication strength" and in the dropdown list, select "Phishing-resistant MFA". Hit Select and then save the policy.
*Always test new CA policies in Report-only mode before turning them on, to ensure you do not lock yourself or your users out.*
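The two policies configured above (the FIDO2 authentication method policy and the Conditional Access policy) can also be created with the Microsoft Graph PowerShell SDK. The following is an added example, not code from the original article; it uses the article's group name "MC-FIDO2-Pilot", creates the CA policy in report-only mode as advised, and resolves the group ID and the built-in "Phishing-resistant MFA" strength ID at run time rather than hard-coding them. The CA policy display name is an assumption.

```powershell
# Added example (not the article's own code). Requires the Microsoft.Graph
# PowerShell SDK and an admin account that can consent to the scopes below.
$scopes = @(
    "Policy.ReadWrite.AuthenticationMethod",
    "Policy.ReadWrite.ConditionalAccess",
    "Application.Read.All",
    "Group.Read.All"
)
Connect-MgGraph -Scopes $scopes

# 1. Resolve the pilot group that scopes both policies.
$group = Get-MgGroup -Filter "displayName eq 'MC-FIDO2-Pilot'"
if (-not $group) { throw "Pilot group 'MC-FIDO2-Pilot' not found; create it first." }

# 2. FIDO2 authentication method policy: enabled for the pilot group only,
#    self-service registration on, attestation enforced, key restrictions off
#    (matching the settings chosen in the portal above).
$fido2 = @{
    "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    state                            = "enabled"
    isSelfServiceRegistrationEnabled = $true
    isAttestationEnforced            = $true
    keyRestrictions                  = @{
        isEnforced      = $false
        enforcementType = "allow"
        aaGuids         = @()   # add vendor AAGUIDs here if you later set isEnforced = $true
    }
    includeTargets = @(
        @{ targetType = "group"; id = $group.Id }
    )
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "Fido2" -BodyParameter $fido2

# 3. Look up the built-in "Phishing-resistant MFA" authentication strength by
#    name (filtered client-side) instead of hard-coding its ID.
$strength = Get-MgIdentityConditionalAccessAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq 'Phishing-resistant MFA' -and $_.PolicyType -eq 'builtIn' }
if (-not $strength) { throw "Built-in 'Phishing-resistant MFA' strength not found." }

# 4. Conditional Access policy: pilot group, Office 365, only devices that are
#    neither compliant nor Entra ID joined, grant = phishing-resistant MFA.
#    Created in report-only mode; switch state to "enabled" after reviewing
#    sign-in logs.
$policy = @{
    displayName = "BYOD - Require phishing-resistant MFA for Office 365"   # assumed name
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeGroups = @($group.Id) }
        applications = @{ includeApplications = @("Office365") }
        devices      = @{
            deviceFilter = @{
                mode = "exclude"
                rule = 'device.isCompliant -eq True -or device.trustType -eq "AzureAD"'
            }
        }
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $strength.Id }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

The device filter rule mirrors the portal condition in the article: the "exclude" mode removes compliant and Entra ID joined devices from scope, so the phishing-resistant grant applies only to unmanaged (BYOD) sign-ins. Because the grant uses an authentication strength rather than plain "Require multifactor authentication", an Authenticator push or SMS code will not satisfy it from those devices.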
Now that you have configured your Conditional Access and Authentication Methods policies to use FIDO2, it's time for your end user to set it up.
There are two scenarios to consider: either a brand-new hire is setting up their authentication methods for the first time, or you're deploying this to users who have already configured other authentication methods.
In both cases, leveraging Temporary Access Pass (TAP) is the best way to bootstrap stronger, phishing-resistant methods, even if other less secure methods have already been set up. In my scenario, users have already set up MFA with the MS Authenticator app, so that is the scenario I will walk through.
Patti F has been provided a new FIDO2 key and is going to sign into Office.com from her personal computer for the first time since the policies were configured by her organization. After entering her UPN and password, she is prompted to set up more secure methods.
After clicking Next, she is prompted for MFA and the MS Authenticator app on her Android device is asking for a number. This is because there is an existing CA Policy that requires MFA when setting up new MFA methods - see my earlier article here on setting up CA policy that requires MFA for setting up new authentication methods.
She is then advised that a stronger authentication method is required to be set up and she is provided a link to "My security info":
Patti can then select "Add sign-in method" and select "Security key" from the drop-down.
She is then prompted to select the type of Security Key being set up. Please review Microsoft's list of vendors known to be compatible with the passwordless experience:
Patti is using an Identiv FIDO2 security key and has been instructed by her organization to select NFC. Patti clicks Next to continue with the FIDO2 enrollment:
Now, because the FIDO Alliance and the major technology companies worked together on a passwordless standard, Windows 10 (version 1903) and higher support the Win32 WebAuthn platform APIs, and Windows drives the FIDO2 security key enrollment:
Windows now prompts the user to select where they would like to save the private keys. We are going to select Security Key to save the private keys to our FIDO2 security key and select Next:
Select OK on the subsequent prompts to continue with the enrollment:
Insert your USB FIDO2 security key into your USB port and continue following the prompts on the screen:
After inserting the FIDO2 key, I am prompted to set up a PIN. In simple terms, this PIN is used to unlock the private key on the FIDO2 security key that is used to sign the nonce sent by Entra ID.
I am then prompted to "touch" my FIDO2 key to provide proof of presence. This technology is NFC:
After clicking OK, I can then give my FIDO2 Security Key a name:
And that's it; you're all set!
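Once a user has enrolled, an administrator can confirm from the tenant side what was registered, which is the check I would run before moving the CA policy out of report-only mode. The following is an added example, not code from the original article; it lists the FIDO2 methods registered on a user via the Microsoft Graph PowerShell SDK. The UPN is a placeholder.

```powershell
# Added example (not the article's own code). Lists the FIDO2 security keys
# registered for one user so an admin can verify enrollment and attestation.
Connect-MgGraph -Scopes "UserAuthenticationMethod.Read.All"

$upn = "patti.f@example.com"   # placeholder UPN

$keys = Get-MgUserAuthenticationFido2Method -UserId $upn
if (-not $keys) {
    Write-Warning "No FIDO2 keys registered for $upn yet."
    return
}

# Show the key name the user chose, the vendor AAGUID/model (useful if you
# later enable key restrictions), whether attestation was verified, and when
# it was registered.
$keys | Select-Object DisplayName, Model, AaGuid, AttestationLevel, CreatedDateTime |
    Format-Table -AutoSize
```

With "Enforce attestation" set to Yes in the authentication method policy, keys that could not be attested will not appear here, and the AAGUID column gives you the value to add to "aaGuids" if you decide to restrict enrollment to specific vendors later.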
Now, when Patti is on her corporate device and logs into Office, she is simply prompted for MFA and can satisfy the challenge by entering the number for number-matching MFA.
However, when Patti tries to log into Office from a personal device, after entering her UPN, she is not given the opportunity to input a password; right away, she is prompted to insert her FIDO2 Security Key and authenticate with a phishing-resistant, passwordless method!