User failed to register Fido

Yoann Gini 6 Reputation points
2022-12-22T12:50:41.837+00:00

Hello,

We are evaluating Azure AD as our main IDP for our customer, as a replacement for Workspace ONE Access in our passwordless setups.

Our setups are multi-OS, which means Hello for Business is not sufficient for us. We need Certificate Based Authentication and FIDO2, and Temporary Pass as a fallback option.

We are working on a brand new tenant for a new customer with no history.

We have been able to use SCEPman and Azure AD to provide Certificate Based Authentication with success.

We configured a Conditional Access policy for all cloud apps with a custom Authentication Strength policy as shown:

273322-image.png

When the user reaches https://aka.ms/mysecurityinfo and authenticates with a Temporary Pass, the user can start enrollment of a new token and get through the whole FIDO2 enrollment flow: button touch, PIN confirmation, and finally the token name.

When the token name is set, the process fails with an error saying the user is not allowed to enroll this token.

And when I look at the audit log I just have a simple "User failed to register Fido" with no details.

My Google search mentions that it can be due to AAGUID restrictions, which we don't have.

273276-image.png

I've tried with and without the attestation requirements and the result is the same.

Any idea what could be blocking here? How can I get better error messages? Or how do I fix that?

Thanks a lot

1 answer

  1. Nagappan Veerappan 651 Reputation points Microsoft Employee
    2022-12-27T16:57:38.133+00:00

    @Yoann Gini
    I have had a similar weird issue in the past. Is it ATKey hardware from AuthenTrend? I was able to isolate it since I had two types of hardware keys (YubiKey and ATKey). The YubiKey was working.

    It was only against the ATKey, and turning off attestation ("Attestation required: No") also didn't make any difference. Then we figured the firmware no longer supported storing the credentials, as there was no error from the server side (AAD); it was at the client key level, which failed to confirm back.

    If the firmware doesn't support it, you will run into these issues. We can't confirm without a HAR file trace taken during the registration failure.

    However, this is how I resolve issues like this: go to the Windows Store --> download the specific hardware company's app (i.e. "ATKey for Windows")
    --> plug your key in via USB or Bluetooth so it is detected --> provide the PIN to access the key info --> you will see an update available
    --> update the firmware

    If nothing works, open a case with Microsoft support along with the logs below:

    1. HAR trace --> https://learn.microsoft.com/azure/azure-portal/capture-browser-trace
    2. WebAuthN events
       Event Viewer -> Applications and Services Logs -> Microsoft -> Windows -> WebAuthN -> Operational
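To make the two checks discussed in this thread repeatable, here is an added PowerShell helper (not from the answer, the asker, or Microsoft): it reads the tenant's FIDO2 authentication method policy through Microsoft Graph to confirm the AAGUID and attestation settings the question mentions, then dumps the recent entries from the WebAuthN operational log the answer points to. It assumes the Microsoft.Graph PowerShell module, an existing Connect-MgGraph session with the Policy.Read.All scope, that it runs on the Windows PC where the registration failed, and that the Event Viewer channel corresponds to the log name 'Microsoft-Windows-WebAuthN/Operational'.

```powershell
# Added troubleshooting helper (not code from the thread). Assumes the
# Microsoft.Graph module is installed and Connect-MgGraph has already been
# run with the Policy.Read.All scope; run on the PC where enrollment failed.

# 1. Tenant side: confirm the FIDO2 method policy has no AAGUID restriction
#    and check whether attestation is enforced (the settings in the question).
$fido2 = Invoke-MgGraphRequest -Method GET -Uri `
    "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2"

[pscustomobject]@{
    State                   = $fido2.state
    SelfServiceRegistration = $fido2.isSelfServiceRegistrationEnabled
    AttestationEnforced     = $fido2.isAttestationEnforced
    KeyRestrictionEnforced  = $fido2.keyRestrictions.isEnforced
    EnforcementType         = $fido2.keyRestrictions.enforcementType
    RestrictedAaguids       = ($fido2.keyRestrictions.aaGuids -join ', ')
} | Format-List

# 2. Client side: pull the WebAuthN operational events from the last hour
#    (Event Viewer -> Microsoft -> Windows -> WebAuthN -> Operational),
#    which is where a key that never confirms the credential shows up.
$since = (Get-Date).AddHours(-1)
try {
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-WebAuthN/Operational'   # assumed channel name
        StartTime = $since
    } -ErrorAction Stop |
        Sort-Object TimeCreated -Descending |
        Select-Object TimeCreated, Id, LevelDisplayName, Message |
        Format-Table -Wrap
} catch {
    Write-Warning "No WebAuthN operational events since $since, or the channel is unavailable: $_"
}
```

Attach the table output alongside the HAR trace when opening the support case; if RestrictedAaguids is empty and KeyRestrictionEnforced is False, the failure is not an AAGUID restriction.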