PS >cloudkreise

Get ready for passkey support in Entra ID

Microsoft just announced the coming support for Passkeys in Entra ID on Ignite 2023. Passkeys are unique codes or passwords that provide secure access to a device, system or service. They’re a form of multi-factor authentication and are considered a safer and easier replacement for traditional passwords.

FIDO2 is an open standard for passwordless authentication and hopefully the future. Passkeys use that very standard to create such a device bound virtual key. Already supported by Entra id are physical FIDO2 security keys.

Microsoft now announced the public preview of registering FIDO2 security keys for early 2024. In default the registration of FIDO2 hardware security keys is enabled for all users in an Entra ID tenant.

That very same setting will then apply for FIDO2 passkeys and allow every users to register their private mobile phone that’s running iOS 16 or android 9 and later.

The choice is yours. You can either let every user enjoy it, scope it to a group of users or limit it to specific security keys models. If your current settings did allow the registration, then it’s probably a good idea to take a look at what keys did your users currently register in your Entra ID tenant.

To get a list auf FIDO2 security key models you have to query the following command using the Microsoft Graph PowerShell SDK.

Connect-MgGraph -Scopes ‘
"User.Read.All","UserAuthenticationMethod.Read.All" ‘
-ContextScope Process

Get-MgUser -All | % { Get-MgUserAuthenticationFido2Method -UserId $_.Id }

The output will look like in the following screenshot an can be easily exported to json or csv.

Unfortunately there is no manufacturer-independent list for all FIDO2 security keys, so you have to take a look at every manufacturers homepage like Yubikey, Nitrokey or Solokey and search the security key models AaGuid by hand.