Go passwordless with Microsoft Entra Passkeys in Microsoft Authenticator

Microsoft Entra ID passkeys are now in Public Preview! Let me show you in this blog post how to go passwordless with Microsoft Entra ID passkeys in Microsoft Authenticator.

Microsoft announced this week that additional support for device-bound passkeys in the Microsoft Authenticator app on iOS and Android for customers with the strictest security requirements.

In this blog post, we will use device-bound passkeys in Microsoft Authenticator. The advantages of hosting passkeys on a device are:

  • Organizations don’t have to provision dedicated hardware
  • Users are less likely to lose track of their daily computing device
  • It’s easy to sign in with a passkey hosted on a user device

Source: Public preview: Expanding passkey support in Microsoft Entra ID – Microsoft Community Hub

Enough of the theory! Now let’s go to the fun part!

Requirements

First things first! What do we need to get started?

  • Multifactor Authentication needs to be active for your Microsoft Entra ID users
  • Android devices need to be at least Android 14 or later
  • iOS devices need to be at least iOS 17 or later
  • Microsoft Authenticator app needs to be installed on your device. (Android/iOS)

Enable Microsoft Entra ID Passkeys

The first step we need to do is to enable passkeys in the Microsoft Entra admin center. Therefore we are going to configure the FIDO2 security key method. I know it’s a bit confusing but the Microsoft Authenticator policy doesn’t have the option to enable passkeys in Authenticator.

Go to https://entra.microsoft.com and log in as your administrator (you must be at least an Authentication Policy Administrator). Navigate to Protection | Authentication Methods | Policies and select the FIDO2 security key.

Now Enable the settings and leave the All users group as target. You can also specify a certain (security) group if you want.

Go to the Configure tab and set the following:

  • Allow self-service set up: Yes (This will allow the end-user to register a passkey)
  • Enforce attestation: No (Needs to be set to No, because it isn’t available in Preview)
  • Enforce key restrictions: Yes (This allows the organization to allow/block certain passkeys)
  • Restrict specific keys: Allow

Also, add the following Authenticator Attestation GUID (AAGUID):

  • Android Authenticator: de1e552d-db1d-4423-a619-566b625cdc84
  • iOS Authenticator: 90a3ccdf-635c-4729-a248-9b709135078f
Microsoft Entra - Authentication methods

Once everything is set up, select Save. The next step is to force a passkey login using an authentication strength.

In the Microsoft Entra Admin Centre, go to Protection Authentication Methods | Authentication Strengths and select + New authentication strength.

Microsoft Entra - Authentication strenghts

Give your new authentication strength a name and select Passkeys (FIDO2) as Phising-resistant MFA. Now choose Advanced options.

Microsoft Entra - Authentication strenghts

In the Advanced options add the AAGUID for the Android and iOS Authenticator we used before and choose Save.

Choose Next to review the configuration. After that choose Create.

The custom authentication strength is now created.

Microsoft Entra - Authentication strenghts

Your end-users are ready to use and register passkeys as an authentication method in your environment.

End-user experience

The end-user experience will have two part, registering a passkey and authenticating with the registered passkey.

Register a passkey using the Microsoft Authenticator app

Now that everything is set, the end-user can register his/her passkey in Microsoft Authenticator.
This procedure is done on a Samsung Galaxy S23 Ultra and could be different from other devices.

Open the Microsoft Authenticator app and choose the +, choose Work or school account and then Sign in with your account.

Once your signed in, you’ll need to enable some local settings by enabling Microsoft Authenticator as additional provider. Be aware that the screenshots may vary then yours. This will depends on what device you use. After enabling Microsoft Authenticator, go pass to the app and choose Done.

Once the account is added a passkey will be created, now choose Continue. You are now ready to use a passkey to authenticate.

Authenticate to Microsoft 365 with your passkey

Go to https://myaccount.microsoft.com and type your username and press Enter. You now see the option Use your face, fingerprint, PIN or security key instead. Choose this option instead of your password.

Once you chose the new option, you will be redirected to the following screen. If the registration went well, you’ll see the name of your device show up. Did you noticed I’m a Star Wars fan?
Now choose your device and select Next.

Your device will now try to connect with your Microsoft Authenticator app using a passkey.

You will receive a notification on your Android device, choose Sign in.

Tadaaaa! You are now signed in into your account without using a password, but a passkey instead.

If you now go to https://mysignins.microsoft.com/security-info, you’ll see a registration of the passkey.

So this is how we enable

Nicky De Westelinck

Nicky De Westelinck is a Modern Workplace Expert for Arxus with several years of experience in Microsoft 365. His main focus is Microsoft Intune and Microsoft 365 Administration. He is also a Microsoft Certified Trainer since 2021.

View all posts by Nicky De Westelinck →