How to Enable Passkeys in Microsoft Authenticator

Let’s discuss how to Enable Passkeys in Microsoft Authenticator. This article explains enabling and enforcing passkeys in Microsoft Authenticator for Microsoft Entra ID.

First, update the Authentication methods policy so that end users can register and sign in with passkeys in Authenticator. This policy change is what permits users to use passkeys as a form of authentication.

Once the policy is updated, users can set up and use passkeys as one of their authentication methods when signing in to their accounts through Microsoft Authenticator. After passkeys are enabled, you can use Conditional Access authentication strengths policies to require that users sign in with a passkey when accessing essential data.

Conditional Access lets you set rules for when users can access data. For example, you can require that users sign in with a passkey when accessing essential resources. This adds an extra layer of security by ensuring only authorized users holding their passkeys can reach sensitive resources.


What Do You Need to Use Passkeys with Microsoft Entra MFA?


To use passkeys with Microsoft Entra MFA, you need the following.

1. Microsoft Entra multifactor authentication (MFA) enabled for your account.
2. An Android device running version 14 or later or an iOS device running version 17.
3. An active internet connection on any device involved in the passkey registration or authentication process.

How to Enable Passkeys in Microsoft Authenticator in the Entra Admin Center

You can enable passkeys in Microsoft Authenticator from the Entra admin center. The steps below walk through the configuration; once these settings are in place, your organization’s users can use passkeys in Microsoft Authenticator.


Note! To use a passkey with Microsoft Authenticator, users must ensure they have the latest version of the app installed on their Android or iOS device.

Access the Entra Admin Center. Go to Protection > Authentication methods > Authentication method policy. Under the FIDO2 security key method, choose All users or specific groups (only security groups are supported).

How to Enable Passkeys in Microsoft Authenticator – Fig.1

FIDO2 security keys are a phishing-resistant, standards-based, passwordless authentication method that various vendors use. They are not usable in the Self-Service Password Reset flow.

  • Under the FIDO2 security key method, choose All users or specific groups (only security groups are supported).
How to Enable Passkeys in Microsoft Authenticator – Fig.2

The screenshot below shows the Configure tab, the second tab in the FIDO2 security key settings. On the Configure tab, set the following options.

  • Allow self-service setup: Yes
  • Enforce attestation: No
  • Enforce key restrictions: Yes
  • Restrict specific keys: Allow
How to Enable Passkeys in Microsoft Authenticator – Fig.3

Select “Microsoft Authenticator (preview)” if the option is available. If not, manually add the following AAGUIDs. Users cannot set up a passkey in Microsoft Authenticator on Android if the restriction is enforced.

  • Authenticator for Android: de1e552d-db1d-4423-a619-566b625cdc84
  • Authenticator for iOS: 90a3ccdf-635c-4729-a248-9b709135078f
How to Enable Passkeys in Microsoft Authenticator – Fig.4

Enable Passkeys in Authenticator using Graph Explorer

Besides using the Microsoft Entra admin center, you can activate passkeys in Authenticator through Graph Explorer. Global Administrators and Authentication Policy Administrators can modify the Authentication methods policy, enabling the AAGUIDs for Authenticator.

To retrieve the Authentication methods policy, start by signing in to Graph Explorer and granting consent to the Policy.Read.All and Policy.ReadWrite.AuthenticationMethod permissions. Once you’ve done this, you can access and retrieve the Authentication methods policy.

GET https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/FIDO2

Execute a PATCH operation with the specified request body to turn off attestation enforcement and enforce key restrictions exclusively for AAGUIDs related to Microsoft Authenticator.

PATCH https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/FIDO2

Request Body:
{
    "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
    "isAttestationEnforced": false,
    "keyRestrictions": {
        "isEnforced": true,
        "enforcementType": "allow",
        "aaGuids": [
            "90a3ccdf-635c-4729-a248-9b709135078f",
            "de1e552d-db1d-4423-a619-566b625cdc84",
            <insert previous AAGUIDs here to keep them stored in policy>
        ]
    }
}

Confirm that the passkey (FIDO2) policy was updated correctly by retrieving it again; a wrong allow list or attestation setting silently blocks registration.

GET https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/FIDO2
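The PATCH above replaces the whole aaGuids list, so any previously allowed AAGUIDs must be carried over, and the follow-up GET is only useful if you actually check the fields. The following Python is an added example (not from the article or from Microsoft) that builds the merged PATCH body from the current FIDO2 configuration and checks the retrieved policy; the sample current policy is constructed, and the transport (token, HTTP call) is left to whatever Graph client you use.

```python
import json

# AAGUIDs given in the article for Authenticator on Android and iOS
AUTHENTICATOR_AAGUIDS = (
    "de1e552d-db1d-4423-a619-566b625cdc84",  # Authenticator for Android
    "90a3ccdf-635c-4729-a248-9b709135078f",  # Authenticator for iOS
)

# Constructed sample of what the GET might return for a tenant that already
# allows one hardware-key model; not captured from a real tenant.
CURRENT_POLICY = json.loads("""{
  "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
  "id": "Fido2", "state": "enabled", "isSelfServiceRegistrationAllowed": true,
  "isAttestationEnforced": true,
  "keyRestrictions": {"isEnforced": true, "enforcementType": "allow",
                      "aaGuids": ["00000000-0000-0000-0000-000000000001"]}
}""")


def build_patch_body(current):
    """PATCH body: attestation off, allow-list enforced, and the AAGUIDs already
    in the policy kept (the article's placeholder), so existing keys survive."""
    existing = (current.get("keyRestrictions") or {}).get("aaGuids") or []
    merged = list(dict.fromkeys(g.lower() for g in [*existing, *AUTHENTICATOR_AAGUIDS]))
    return {
        "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
        "isAttestationEnforced": False,
        "keyRestrictions": {"isEnforced": True, "enforcementType": "allow",
                            "aaGuids": merged},
    }


def policy_allows_authenticator(policy):
    """Check the follow-up GET result: returns why users still could not register
    an Authenticator passkey (an empty list means the policy is right)."""
    problems = []
    kr = policy.get("keyRestrictions") or {}
    listed = {g.lower() for g in kr.get("aaGuids") or []}
    if policy.get("state") != "enabled":
        problems.append("FIDO2 method state is not enabled")
    if policy.get("isAttestationEnforced"):
        problems.append("attestation enforcement is still on")
    if kr.get("isEnforced") and kr.get("enforcementType") == "allow":
        missing = [g for g in AUTHENTICATOR_AAGUIDS if g not in listed]
        if missing:
            problems.append("allow list is missing: " + ", ".join(missing))
    if kr.get("isEnforced") and kr.get("enforcementType") == "block":
        if any(g in listed for g in AUTHENTICATOR_AAGUIDS):
            problems.append("an Authenticator AAGUID is on the block list")
    return problems
```

Feed the JSON from the first GET into build_patch_body, send the result as the PATCH body, then pass the second GET's JSON to policy_allows_authenticator and treat any returned problem as a failed change.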

Remove a Passkey Associated with User Account

You can quickly delete a passkey. To delete a passkey linked to a user account, you must remove the key from their authentication methods. The following are the steps to delete the passkey.

  • Go to the Microsoft Entra admin center and log in.
  • Click on “Authentication methods”.
  • Find the FIDO2 security key associated with the user, right-click on it, and choose “Delete”.
  • The passkey has been removed from the user’s account.
How to Enable Passkeys in Microsoft Authenticator – Fig.5 – Creds to MS


Author

About the Author: Vidya is a computer enthusiast. She is here to share quick tips and tricks with Windows 11 or Windows 10 users. She loves writing about Windows 11 and related technologies. She is also keen to find solutions and write about day-to-day tech problems.
