How to enable Passkeys for the Microsoft Authenticator app

FIDO2 authentication is a secure and convenient method for users to sign in to Microsoft Entra without having to enter a username or password. It does this by providing a set of cryptographic login credentials that are unique, never leave the user's device and are never stored on the server.

Microsoft have expanded their supported FIDO2 security methods for signing in to Microsoft Entra to include the Microsoft Authenticator app, making FIDO2 authentication available to everyone without having to purchase a specific FIDO2-compliant piece of hardware.

In this post, I will show you how to enable Passkeys for Microsoft Authenticator in Microsoft Entra and the steps required to register a passkey on your device.

What are Passkeys?

Passkeys are designed to help reduce over-reliance on passwords by creating a phishing-resistant authentication mechanism for anyone to use. They do this by utilising a key pair authentication mechanism, where one half of the pair is stored on the authentication server (public key) and the other half is stored and protected on the user's hardware device (private key).

The important bit is how the private key is protected on the hardware device. Dedicated hardware authentication devices can be purchased, such as the YubiKey, which protects the private key with its hardware elements. When a user attempts to log in with a YubiKey, a challenge is sent to the authenticating user; that challenge is then signed using the private key on the device (usually after the user verifies themselves using a biometric authentication mechanism) and is sent back to the authentication server. If the signature verifies against the stored public key, the user is logged in.

The same goes for mobile devices, such as an iPhone and the Microsoft Authenticator app. In this scenario, the private key is stored using the iPhone's secure Keychain and the biometric authentication mechanism is handled by the Microsoft Authenticator app (or the iPhone itself).
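To make the challenge-response flow above concrete, here is an added example (not from the original post) that runs the same round trip in PowerShell with a P-256 key pair from .NET's ECDsa class standing in for the secure hardware. The "authenticator" variables hold the private key and the "server" variables only ever receive the public key; the challenge bytes are generated locally for the demonstration.

```powershell
# Added example (not from the original post): a minimal challenge/response
# round trip with a P-256 key pair, to illustrate what happens at passkey
# sign-in. .NET's ECDsa class stands in for the secure hardware element.

# --- Authenticator side, at registration: create the key pair ---
$authenticatorKey = [System.Security.Cryptography.ECDsa]::Create()   # defaults to P-256

# Only the public half is exported and sent to the server during registration.
$publicOnly = $authenticatorKey.ExportParameters($false)             # $false = exclude the private key

# --- Server side: keep the public key, issue a fresh random challenge at sign-in ---
$serverKey = [System.Security.Cryptography.ECDsa]::Create()
$serverKey.ImportParameters($publicOnly)

$challenge = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($challenge)

# --- Authenticator side: sign the challenge (a real authenticator does this only
#     after the user has verified themselves, e.g. with biometrics) ---
$sha256    = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$signature = $authenticatorKey.SignData($challenge, $sha256)

# --- Server side: verify the signature with the stored public key only ---
$valid = $serverKey.VerifyData($challenge, $signature, $sha256)
"Signature over the challenge verifies: $valid"

# A captured signature is useless for a later sign-in because the server issues a
# different random challenge each time, so the old signature no longer verifies.
$nextChallenge = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($nextChallenge)
$replayed = $serverKey.VerifyData($nextChallenge, $signature, $sha256)
"Captured signature verifies against a new challenge: $replayed"
```

The private key never leaves `$authenticatorKey`, and the server can still confirm that whoever signed the challenge holds it. The second verification shows why the server must generate a new challenge for every sign-in rather than reusing one.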

Requirements

The following requirements must be met to successfully enable Passkeys in Microsoft Entra for the Microsoft Authenticator app:

  • Microsoft Multi-factor authentication must already be enabled for your target users.
  • Android 14 and later or iOS 17 and later
  • The latest version of Microsoft Authenticator (6.8.7 or later)
  • Bluetooth must be enabled on your devices (mobile and desktop)

How to enable Passkeys for Microsoft Authenticator

1. Log in to Microsoft Entra.

2. Expand Protection and select Authentication Methods > Policies.

3. Select the method Passkey (FIDO2) and select All users or target a specific group for the authentication method. (I recommend you select All users).

4. Select the Configure tab.

5. Set Enforce key restrictions to Yes and set Restrict specific keys to Allow.

I recommend you set Enforce key restrictions to Yes as this will ensure only specific passkeys can be registered for your users. Ideally, limit this to only the Microsoft Authenticator passkey.

6. Check the box next to Microsoft Authenticator (preview). Otherwise, add the following AAGUIDs to enable Authenticator for iOS or Android:

  • Authenticator for Android: de1e552d-db1d-4423-a619-566b625cdc84
  • Authenticator for iOS: 90a3ccdf-635c-4729-a248-9b709135078f

Enable Passkeys for Microsoft Authenticator with Microsoft Graph PowerShell

Alternatively, you can use Microsoft Graph PowerShell to enable FIDO2 passkeys for Microsoft Authenticator. Use the example below to connect to Microsoft Graph, consent to the required permissions and enable passkeys.

# Policy.Read.All to read the policy, Policy.ReadWrite.AuthenticationMethod to change it
Connect-MgGraph -Scopes Policy.Read.All, Policy.ReadWrite.AuthenticationMethod

$body = @{
    "@odata.type" = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    # Enable the method and target all users (a group id can be used instead of all_users)
    "state" = "enabled"
    "includeTargets" = @(
        @{
            "id" = "all_users"
            "isRegistrationRequired" = $false
            "targetType" = "group"
        }
    )
    "isAttestationEnforced" = $false
    # Only allow passkeys whose AAGUID is in the list below
    "keyRestriction" = @{
        isEnforced = $true
        enforcementType = "allow"
        aaGuids = @(
            "90a3ccdf-635c-4729-a248-9b709135078f"   # Authenticator for iOS
            "de1e552d-db1d-4423-a619-566b625cdc84"   # Authenticator for Android
        )
    }
}

# The FIDO2 method configuration lives under /policies/authenticationMethodsPolicy
Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/FIDO2" -Body $body
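After the PATCH it is worth reading the configuration back and checking that the allow list contains exactly the two Authenticator AAGUIDs, since a typo in a GUID or a forgotten enforcement flag silently leaves other passkey types registrable. The following is an added check (not code from the original post); it assumes the Connect-MgGraph session above is still active and reads the same FIDO2 configuration endpoint.

```powershell
# Added check (not from the original post): read back the FIDO2 method configuration
# and confirm the restriction matches the Authenticator-only configuration.
$expectedAaguids = @(
    '90a3ccdf-635c-4729-a248-9b709135078f'   # Authenticator for iOS (from the post)
    'de1e552d-db1d-4423-a619-566b625cdc84'   # Authenticator for Android (from the post)
)

$fido2 = Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/FIDO2'

$problems = @()
if ($fido2.state -ne 'enabled') {
    $problems += "Method state is '$($fido2.state)', expected 'enabled'"
}
if (-not $fido2.keyRestriction.isEnforced) {
    $problems += 'Key restrictions are not enforced, so any passkey type can be registered'
}
if ($fido2.keyRestriction.enforcementType -ne 'allow') {
    $problems += "Enforcement type is '$($fido2.keyRestriction.enforcementType)', expected 'allow'"
}

# Every expected AAGUID must be present, and nothing else should be allowed.
$missing = $expectedAaguids | Where-Object { $_ -notin $fido2.keyRestriction.aaGuids }
if ($missing) { $problems += "Missing AAGUIDs in allow list: $($missing -join ', ')" }

$extra = $fido2.keyRestriction.aaGuids | Where-Object { $_ -notin $expectedAaguids }
if ($extra) { $problems += "Unexpected AAGUIDs in allow list: $($extra -join ', ')" }

if ($problems.Count -eq 0) {
    'FIDO2 policy matches the expected Authenticator-only configuration.'
} else {
    $problems | ForEach-Object { "CHECK FAILED: $_" }
}
```

The same script can be scheduled to detect drift, for example if an administrator later relaxes the allow list in the portal.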

Set up your Passkey for Microsoft Authenticator

Once passkeys are enabled in your tenant for Microsoft Authenticator, you can encourage your users to follow the steps to set up their passkey. The fastest option is for them to add the sign-in method from their mobile device; however, the same process can also be followed from their desktop web browser.

Ensure you are on at least version 6.8.7 of the Microsoft Authenticator app for iOS.

Register your passkey using your mobile device

1. On your mobile device, navigate to aka.ms/mysecurityinfo.

2. Click Add sign-in method and select Passkey in Microsoft Authenticator.

Select Passkey in Microsoft Authenticator

3. On the Add a passkey popup, click Next.

Add a passkey

4. You will be prompted to configure your device so that passkeys can be saved to Microsoft Authenticator. Follow the steps on the pop-up window, then click Continue.

Turn on passkey

5. Select I understand on the important information window.

Select I understand

6. Select Authenticator to create a passkey and click Continue.

Select Authenticator

7. Your passkey has now been successfully created!


Enforce Passkeys for your users

Once your users have passkeys enabled, you should consider enforcing the use of passkeys with Conditional Access policies. Follow the steps below to enforce the use of passkeys stored in Microsoft Authenticator.

Step 1: Create a new Authentication strength

1. Log in to Microsoft Entra.

2. Expand Protection and select Conditional Access > Authentication Strengths.

3. Click New Authentication Strength.

4. Define a name, then check the box next to Passkeys (FIDO2) and click Advanced options.

5. Enter the following AAGUIDs:

  • de1e552d-db1d-4423-a619-566b625cdc84
  • 90a3ccdf-635c-4729-a248-9b709135078f

6. Click Next then Save.

Step 2: Enforce with Conditional Access

1. From the Microsoft Entra portal, expand Protection and select Conditional Access > Policies.

2. Click New Policy and give the policy a name.

3. Assign your target users and target resources. I recommend you start off with a small handful of users targeting all resources.

4. Under Access controls, select Grant > Require authentication strength, then select the authentication strength you created in Step 1.

5. Set the policy to On and click Create.
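Both steps can also be scripted with Microsoft Graph PowerShell, which is handy when you repeat the rollout across tenants. The following is an added example (not code from the original post) that creates the authentication strength with the two Authenticator AAGUIDs and then a Conditional Access policy that requires it; the display names and the pilot group object id are placeholders you replace with your own.

```powershell
# Added example (not from the original post): create the authentication strength
# (Step 1) and the Conditional Access policy (Step 2) with Microsoft Graph PowerShell.
# Display names and the pilot group id below are placeholders.
Connect-MgGraph -Scopes Policy.Read.All, Policy.ReadWrite.ConditionalAccess, Application.Read.All

$authenticatorAaguids = @(
    'de1e552d-db1d-4423-a619-566b625cdc84'   # Authenticator for Android (from the post)
    '90a3ccdf-635c-4729-a248-9b709135078f'   # Authenticator for iOS (from the post)
)
$pilotGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: object id of your pilot group

# Step 1a: an authentication strength that only accepts the FIDO2 (passkey) combination
$strength = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/authenticationStrength/policies' `
    -Body @{
        displayName         = 'Passkey in Microsoft Authenticator'   # placeholder name
        description         = 'Requires a passkey held in Microsoft Authenticator'
        allowedCombinations = @('fido2')
    }

# Step 1b: the "Advanced options" AAGUID list is a combination configuration attached
# to that strength, restricting fido2 to the Authenticator AAGUIDs only
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/authenticationStrength/policies/$($strength.id)/combinationConfigurations" `
    -Body @{
        '@odata.type'         = '#microsoft.graph.fido2CombinationConfiguration'
        appliesToCombinations = @('fido2')
        allowedAAGUIDs        = $authenticatorAaguids
    } | Out-Null

# Step 2: a Conditional Access policy for the pilot group and all resources whose
# grant control requires the new strength. 'enabled' matches "On" in the post;
# 'enabledForReportingButNotEnforced' is the report-only state if you want to
# observe sign-ins before enforcing.
$policy = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
    -Body @{
        displayName   = 'Require Authenticator passkey (pilot)'   # placeholder name
        state         = 'enabled'
        conditions    = @{
            users        = @{ includeGroups = @($pilotGroupId) }
            applications = @{ includeApplications = @('All') }
        }
        grantControls = @{
            operator               = 'OR'
            authenticationStrength = @{ id = $strength.id }
        }
    }

"Authentication strength $($strength.id) is required by Conditional Access policy $($policy.id)"
```

Keep the pilot group small, as the post recommends: a user in that group who has not yet registered an Authenticator passkey will be blocked from every resource until they do.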

Testing the Passkey sign-in experience for Microsoft Authenticator

Once passkeys are enabled, it is quick and easy to sign in to your account using the passkey saved in your Microsoft Authenticator app. To test, simply log in to office.com and, when prompted to sign in with your password, click Continue.

Log in to Microsoft Entra with Passkeys

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.
