Configuring FIDO2 Keys for Passwordless Authentication in Entra ID

Complete Guide to Implementing Passwordless Authentication with FIDO2 in an Entra ID and Intune Environment for Windows 10 and 11 Devices


Contents

  1. Introduction
  2. Prerequisites
  3. Step 1: Enable FIDO2 Security Keys in Entra ID
  4. Step 2: Restrict FIDO2 Key Models Based on AAGUIDs
  5. Step 3: Enable and Use Temporary Access Pass (TAP) for Initial User Setup
  6. Step 4: Register FIDO2 Security Keys for Users
  7. Step 5: Configure Intune for FIDO2 and Windows Hello
  8. Step 6: Configure Conditional Access Policies for Passwordless Authentication
  9. Step 7: Testing and Rollout
  10. Support and Troubleshooting
  11. Conclusion

Introduction

If you're operating in a Microsoft Modern Cloud environment with Entra ID (formerly Azure AD) and Intune, moving to passwordless logins using FIDO2 security keys is easier than you may think. By utilizing Microsoft’s modern authentication ecosystem, you can boost security, simplify user logins, and eliminate passwords. This guide will walk you through the entire process, including configuring specific FIDO2 key model restrictions, enabling Temporary Access Pass (TAP) for initial access, managing onboarding and offboarding users, and providing troubleshooting and support for common issues.

Passwordless authentication reduces password-related risks, strengthens security, and makes login processes more efficient. Whether your environment is cloud-only or hybrid, Entra ID and Intune provide the tools to make this transition seamless.


Prerequisites

  1. Entra ID (Azure AD): Properly configured, with users synchronized from on-premises Active Directory if the environment is hybrid.
  2. Microsoft Intune: Deployed for device management.
  3. FIDO2 Security Keys: Procure supported keys (e.g., YubiKey, Feitian, etc.).
  4. AAGUIDs for FIDO2 Keys: Gather AAGUIDs (Attestation Identifiers) for the FIDO2 key models you want to allow.
  5. Windows 10 (v1903 or later) / Windows 11 devices: Devices must have TPM 2.0; biometric hardware (fingerprint reader or IR camera) is optional but recommended.
  6. Azure AD Premium P1 or P2 license: Required for Conditional Access and TAP.
  7. Modern authentication enabled: Ensure your environment supports modern authentication protocols like OAuth.

Step 1: Enable FIDO2 Security Keys in Entra ID

  1. Sign in to the Microsoft Entra Admin Center.
  2. Enable FIDO2 Security Key Authentication:
    • Navigate to Security -> Authentication methods -> FIDO2 Security Key.
    • Click on Enable and ensure the setting is enabled for all users or selected groups.
  3. Configure User Self-Service (Optional):
    • In the FIDO2 Security Key settings, enable Self-service to allow users to register their own security keys.
  4. Save the changes.

Step 2: Restrict FIDO2 Key Models Based on AAGUIDs

To enforce the use of specific FIDO2 key models, restrict based on AAGUIDs.

  1. Identify Allowed FIDO2 Key Models:
    • Collect the AAGUIDs (Attestation Identifiers) for the key models you want to allow. Each key model has a fixed AAGUID published by its vendor; the values below are placeholders, not real AAGUIDs.
    • Example:
      • YubiKey 5 NFC: 00000000-0000-0000-0000-000000000001
      • YubiKey 5C: 00000000-0000-0000-0000-000000000002
  2. Enable FIDO2 Key Attestation:
    • In the FIDO2 Security Key settings page, scroll down to Attestation and ensure that Enforce attestation is enabled.
  3. Configure Allowed AAGUIDs:
    • Under AAGUIDs, input the AAGUIDs collected in step 1 (for the example above, the two placeholder YubiKey values).
  4. Block Unlisted AAGUIDs:
    • Enable Block unlisted AAGUIDs to prevent users from registering unauthorized FIDO2 key models.
  5. Save the changes.
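The same Step 1 and Step 2 settings applied through Microsoft Graph PowerShell instead of the portal, as an added example that is not part of the original guide. It assumes the Microsoft.Graph module is installed and an administrator who can consent to the Policy.ReadWrite.AuthenticationMethod scope; the two AAGUIDs are the guide's placeholder values and must be replaced with the real ones from your key vendor.

```powershell
# Added example: configure the Entra ID FIDO2 authentication method policy with
# attestation enforced and an AAGUID allow-list, then read it back to verify.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"

# Placeholder AAGUIDs from the guide; substitute the vendor-published values.
$allowedAaguids = @(
    "00000000-0000-0000-0000-000000000001",  # placeholder for "YubiKey 5 NFC"
    "00000000-0000-0000-0000-000000000002"   # placeholder for "YubiKey 5C"
)

$fido2Policy = @{
    "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    state                            = "enabled"
    isSelfServiceRegistrationAllowed = $true   # Step 1: users may register their own keys
    isAttestationEnforced            = $true   # Step 2: reject keys without valid attestation
    keyRestrictions                  = @{
        isEnforced      = $true
        enforcementType = "allow"              # allow-list: any AAGUID not listed is blocked
        aaGuids         = $allowedAaguids
    }
}

Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "Fido2" -BodyParameter $fido2Policy

# Read the policy back; a silent partial apply is worse than a loud failure.
$current = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2"

$missing = @($allowedAaguids | Where-Object { $_ -notin $current.keyRestrictions.aaGuids })
if (-not $current.isAttestationEnforced -or -not $current.keyRestrictions.isEnforced -or $missing.Count -gt 0) {
    throw "FIDO2 policy verification failed (attestation=$($current.isAttestationEnforced), restrictions=$($current.keyRestrictions.isEnforced), missing AAGUIDs: $($missing -join ', '))"
}
"FIDO2 policy verified: $(@($current.keyRestrictions.aaGuids).Count) allowed AAGUID(s)."
```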

Step 3: Enable and Use Temporary Access Pass (TAP) for Initial User Setup

Temporary Access Pass (TAP) allows users to initially log in without a password to register their FIDO2 security keys or set up passwordless authentication methods. TAP is especially useful for users who have lost their existing authentication methods or for initial enrollment.

  1. Enable TAP in Entra ID:
    • Sign in to the Microsoft Entra Admin Center.
    • Navigate to Security -> Authentication methods -> Temporary Access Pass.
    • Toggle Enable TAP to Yes and configure the following options:
      • Lifetime of TAP: Choose a reasonable time window (e.g., 1 hour to 24 hours) for users to complete their key registration.
      • Use Cases: Set TAP to be used for first-time FIDO2 registration or to recover access in case of key loss.
  2. Assign TAP to Users:
    • Navigate to Users -> Select a user -> Authentication methods.
    • Generate a Temporary Access Pass for the user by specifying the validity duration and usage restrictions.
  3. Distribute TAP:
    • Provide the TAP to users via a secure communication channel (email or in-person) so they can log in and set up their FIDO2 security keys.
  4. User Action with TAP:
    • The user signs in with the TAP instead of a password, opens My Security Info, and registers their FIDO2 security key (see Step 4).

Step 4: Register FIDO2 Security Keys for Users

  1. User Registration with TAP:
    • The user signs in with the TAP issued in Step 3, opens My Security Info, and adds the FIDO2 security key as a sign-in method, following the prompts to set the key's PIN and touch the key.
  2. Encourage Backup Key Registration:
    • It’s recommended that users register multiple security keys for redundancy in case of loss.
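Steps 3 and 4 scripted with Microsoft Graph PowerShell: issue a short-lived, one-time TAP for a user, and afterwards check that the user has registered at least one backup key and that every registered key carries an allowed AAGUID. This is an added example, not code from the original guide; it assumes the Microsoft.Graph module, the UserAuthenticationMethod.ReadWrite.All scope, and a placeholder user "user@contoso.example".

```powershell
# Added example: TAP issuance plus a per-user FIDO2 readiness check.
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"

function New-OnboardingTap {
    param([Parameter(Mandatory)][string]$UserId)
    # One-time-use, 60-minute pass: enough to register a key, worthless afterwards.
    $tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserId -BodyParameter @{
        lifetimeInMinutes = 60
        isUsableOnce      = $true
    }
    # The pass value is only returned once; hand it over out of band and never log it.
    return $tap.TemporaryAccessPass
}

function Test-Fido2Readiness {
    param(
        [Parameter(Mandatory)][string]$UserId,
        [Parameter(Mandatory)][string[]]$AllowedAaguids,
        [int]$MinimumKeys = 2   # primary plus at least one backup key
    )
    $keys = @(Get-MgUserAuthenticationFido2Method -UserId $UserId)
    # Keys registered before the allow-list was enforced may still carry an unlisted AAGUID.
    $disallowed = @($keys | Where-Object { $_.AaGuid -notin $AllowedAaguids })
    [pscustomobject]@{
        User           = $UserId
        RegisteredKeys = $keys.Count
        HasBackupKey   = $keys.Count -ge $MinimumKeys
        DisallowedKeys = @($disallowed | ForEach-Object { "$($_.Model) ($($_.AaGuid))" })
    }
}

# Placeholder user and the guide's placeholder AAGUIDs.
$user    = "user@contoso.example"
$allowed = @("00000000-0000-0000-0000-000000000001", "00000000-0000-0000-0000-000000000002")

$pass = New-OnboardingTap -UserId $user
"TAP for $user issued; deliver it over a secure channel (value not printed here)."

# Run after the user reports that registration is complete.
Test-Fido2Readiness -UserId $user -AllowedAaguids $allowed | Format-List
```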

Step 5: Configure Intune for FIDO2 and Windows Hello

  1. Sign in to Microsoft Endpoint Manager (Intune).
  2. Create a Device Configuration Profile:
    • Navigate to Devices -> Configuration profiles.
    • Select Create Profile -> Windows 10 and later -> Identity Protection.
  3. Configure Windows Hello for Business:
    • Set Configure Windows Hello for Business to Enabled.
    • For Use Biometrics, set this to Yes if you want to allow biometric authentication as part of the Windows Hello experience.
  4. Allow FIDO2 Security Keys:
    • Ensure that Allow FIDO security keys is enabled.
  5. Assign the Profile:
    • Under the Assignments section, assign the profile to the relevant device groups.
  6. Save and deploy the policy.

Step 6: Configure Conditional Access Policies for Passwordless Authentication

  1. Sign in to the Microsoft Entra Admin Center.
  2. Set Up Conditional Access Policy:
    • Go to Security -> Conditional Access -> New Policy.
    • Assign the policy to users or groups using FIDO2 passwordless sign-in.
  3. Require Authentication Strength:
    • Under the Grant section, select Require authentication strength.
    • Set the strength to Passwordless (this includes FIDO2 keys, Windows Hello, and certificates).
  4. Save the Conditional Access policy.

Step 7: Testing and Rollout

Once the setup is complete, you need to verify that users can successfully sign in with their FIDO2 security keys and ensure the policies are applied correctly across all Windows 10 and 11 devices.

Step 7.1: Verify FIDO2 Sign-In on Windows Devices

  1. Test User Sign-In:
    • On a Windows 10 or 11 device, navigate to the sign-in screen.
    • Select Sign-in options -> FIDO2 security key (or Windows Hello if using biometrics).
    • Insert the registered FIDO2 security key, tap, and authenticate.
    • If configured, the user may also be prompted to use biometrics (such as a fingerprint).
  2. Test Across Devices:
    • Have users test their FIDO2 key sign-in on various devices they typically use to confirm compatibility and authentication flow.

Step 7.2: Monitor AAGUID Restrictions

  1. Review Registration Attempts:
    • Ensure that only FIDO2 keys with approved AAGUIDs are being used.
    • Any attempts to register unauthorized keys should be blocked, and users will see an error indicating their key is not supported.
  2. Check Logs:
    • In Microsoft Entra Admin Center, navigate to Sign-In Logs and filter by Authentication Method Details to view FIDO2 key registrations and see the AAGUID of each key.
    • Ensure that only allowed models are registering successfully.

Step 7.3: Confirm Conditional Access Policies

  1. Ensure Conditional Access Is Applied:
    • Verify that the Passwordless authentication requirement is enforced by your Conditional Access policies.
    • Test different users and roles to ensure the policies are applied as expected based on user group memberships.
  2. Test MFA:
    • If you have multi-factor authentication (MFA) configured, confirm that FIDO2 authentication fulfills MFA requirements for users who are subject to those policies.

Support and Troubleshooting

While rolling out passwordless authentication with FIDO2 security keys, some common support and troubleshooting scenarios may arise. This section provides guidance on how to address these issues.

Common Support Scenarios

  1. User Loses a FIDO2 Key:
    • Scenario: A user loses their registered FIDO2 key and cannot log in.
    • Solution: Issue a Temporary Access Pass (TAP) to the user, allowing them to regain access and register a new FIDO2 key. Encourage users to register multiple backup keys or use other passwordless options like Windows Hello.
  2. Unauthorized FIDO2 Key Attempt:
    • Scenario: A user tries to register a FIDO2 key that is not on the approved list.
    • Solution: Verify the key’s AAGUID and inform the user to use an approved key model. If they are using an unauthorized key, block the registration and assist them in getting a supported FIDO2 key.
  3. Failure to Authenticate Using FIDO2 Key:
    • Scenario: The user’s key isn’t working during authentication.
    • Solution: Ensure that the key is registered correctly, check that its AAGUID is on the allowed list, and confirm that the key's firmware is up to date. Have the user test on multiple devices and re-register the key if necessary.
  4. Windows Hello Biometric Issues:
    • Scenario: Biometric authentication (fingerprint or face recognition) isn’t working for the user.
    • Solution: Ensure that Windows Hello for Business is enabled in Intune. The user should reconfigure their biometric data (fingerprint/face) in the Windows settings.

Troubleshooting Tips

  1. Check Device Compatibility:
    • Ensure that the devices have TPM 2.0 and that the correct version of Windows (10 v1903 or later) is installed.
  2. Check Network Connectivity:
    • Verify that the device can reach the internet for the first sign-in with the key. Offline sign-in only works once the device has cached the FIDO2 credentials from an earlier online sign-in.
  3. Conditional Access Policy Issues:
    • If users are unexpectedly blocked from signing in, review Conditional Access policies to ensure there are no conflicts with passwordless authentication or security settings.
  4. Monitor Sign-In Logs:
    • Use the Sign-In Logs in the Entra Admin Center to trace FIDO2 key authentication events. This can help identify why a user might be having issues during login.
  5. Firmware Updates for FIDO2 Keys:
    • Ensure that the FIDO2 keys are updated to the latest firmware. Some keys may not function correctly with outdated firmware.

Onboarding Users to FIDO2 Passwordless Authentication

Step 1: User Communication and Training

  1. Notify Users:
    • Inform users about the upcoming transition to passwordless authentication and its benefits, including security improvements and easier logins.
  2. Provide Training:
    • Share user guides and conduct training sessions on how to use FIDO2 security keys, register them in My Security Info, and perform everyday tasks with passwordless logins.

Step 2: Enroll Users via Temporary Access Pass (TAP)

  1. Generate TAP:
    • Use TAP to allow users to access their accounts and register their FIDO2 key if they are logging in for the first time or recovering access.
  2. Distribute TAP:
    • Hand the TAP to the user over a secure channel (email or in person), as described in Step 3.
  3. Register Backup Methods:
    • Encourage users to register backup authentication methods like Windows Hello or multiple FIDO2 keys to ensure access in case one method is lost or fails.

Offboarding Users from FIDO2 Authentication

When a user leaves the organization, it's important to revoke their access to ensure they no longer have access to corporate systems.

Step 1: Disable FIDO2 Key Access

  1. Remove FIDO2 Key from User's Account:
    • Go to Users -> Select the user -> Authentication methods in the Entra Admin Center.
    • Remove the FIDO2 key(s) registered to the user.
  2. Revoke Temporary Access Pass (TAP):
    • If a TAP was issued to the user, disable or revoke it under their Authentication Methods settings.

Step 2: Revoke User Sessions and Update Policies

  1. Revoke User Sign-In Sessions:
    • Under User Sign-Ins, select Revoke Sign-In Sessions to immediately log the user out of any active sessions.
  2. Update Conditional Access:
    • Ensure the user is removed from any security groups tied to Conditional Access policies that allow FIDO2 authentication.
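Offboarding Steps 1 and 2 as a single Microsoft Graph PowerShell function, added here as an example that is not part of the original guide. It removes every registered FIDO2 key and any outstanding TAP, revokes the user's sign-in sessions, and confirms nothing is left; it assumes the Microsoft.Graph module, the UserAuthenticationMethod.ReadWrite.All and User.RevokeSessions.All scopes, and a placeholder user "leaver@contoso.example".

```powershell
# Added example: revoke a leaver's passwordless access in one auditable step.
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All", "User.RevokeSessions.All"

function Revoke-Fido2Access {
    param([Parameter(Mandatory)][string]$UserId)
    $removed = @()

    # Offboarding Step 1: delete every registered FIDO2 key so the physical key is useless.
    foreach ($key in @(Get-MgUserAuthenticationFido2Method -UserId $UserId)) {
        Remove-MgUserAuthenticationFido2Method -UserId $UserId -Fido2AuthenticationMethodId $key.Id
        $removed += "FIDO2 key: $($key.Model) ($($key.AaGuid))"
    }

    # Offboarding Step 1: delete any Temporary Access Pass that is still valid.
    foreach ($tap in @(Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserId)) {
        Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserId `
            -TemporaryAccessPassAuthenticationMethodId $tap.Id
        $removed += "TAP: $($tap.Id)"
    }

    # Offboarding Step 2: invalidate refresh tokens so existing sessions stop working.
    Revoke-MgUserSignInSession -UserId $UserId | Out-Null

    # Verify: removing methods is the control, so confirm the tenant agrees.
    $left = @(Get-MgUserAuthenticationFido2Method -UserId $UserId).Count
    if ($left -ne 0) { throw "$left FIDO2 method(s) still registered for $UserId" }
    return $removed
}

# Placeholder user; keep the returned list with the offboarding ticket.
Revoke-Fido2Access -UserId "leaver@contoso.example"
```

Group membership changes for Conditional Access (Offboarding Step 2) and the Intune wipe (Step 3) are still done as the guide describes.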

Step 3: Remove Devices from Intune

  1. Unenroll Devices:
    • If the user had any corporate devices, use Intune to unenroll the devices and wipe any corporate data from them.
  2. Wipe Corporate Data:
    • If needed, use Intune to initiate a remote wipe for devices that the user no longer has authorized access to.

Conclusion

Transitioning to passwordless authentication with FIDO2 security keys in a Microsoft Modern Cloud environment is a highly secure and user-friendly solution that reduces the risks associated with traditional passwords. By providing users with clear onboarding instructions, utilizing Temporary Access Pass (TAP) for initial setup, restricting FIDO2 keys to specific models, and enforcing strong Conditional Access policies, your organization can successfully implement and manage passwordless security across your Windows 10 and 11 devices.

Proper support mechanisms, such as detailed troubleshooting tips, user training, and efficient offboarding processes, ensure a smooth and secure experience for both administrators and users.