Cannot See FIDO2 authentication method in the User profile

Y.S 0 Reputation points
2023-05-23T06:40:06.6+00:00

Hi,

I'm trying to use the FIDO2 authentication method. FIDO is enabled, but when trying to set the authentication for FIDO in the user, I cannot see the option.

Any idea?


1 answer

  1. Marilee Turscak-MSFT 36,156 Reputation points Microsoft Employee
    2023-05-24T01:16:32.63+00:00

    Hi @Y.S,

    Thanks for your post! The "Add authentication method" section is not where you add the FIDO2 option for the users, and you can only remove the FIDO2 key in the Authentication Methods section. Note that when you have enabled FIDO2 authentication in the Azure Portal, you need to ensure that "Allow self-service set up" is set to Yes.

    The end user (who needs to have already registered for MFA) needs to go to aka.ms/mysecurityinfo, sign in, go to Security info, and insert their FIDO2 key to enable the authentication under "+Add sign-in method." Once the user has done this, the FIDO2 key will show up under their authentication methods.

    Note that if you need to enable the use of security keys with Intune, you need to go to Devices > Enroll Devices > Windows enrollment > Windows Hello for Business and set "Use security keys for sign-in" to Enabled.

    You can also set up a configuration profile in Microsoft Endpoint Management at endpoint.microsoft.com. There you would go to Devices > All devices > Configuration profiles > Create profile.

    In the profile, select the platform (i.e. Windows 10 or later), select the Profile type (i.e. Templates > Identity Protection) > Add a name (Enable FIDO2 login), and under "Use security keys for sign-in" select "Enable."

    Then you would assign the configuration to the applicable group where you want the policy to apply.

    https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key-windows

    There are some good walk-through videos on YouTube for this process.

    https://www.youtube.com/watch?v=GfKeiKA8aEo
    https://www.youtube.com/watch?v=baVTd38hMEE

    Let me know if this helps and if you run into any issues. I'm happy to discuss this further if the method still does not show up after the end user has added it and you have confirmed their MFA registration status.

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar information.

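Added example, not part of the original answer and not Microsoft's code: a PowerShell check that applies the answer's conditions (FIDO2 enabled, "Allow self-service set up" set to Yes, key registered by the user) to the tenant's FIDO2 policy object. It assumes the Microsoft Graph `fido2AuthenticationMethodConfiguration` and `fido2Methods` resources as the data source; the function name `Test-Fido2Visibility` and the sample values are constructed for illustration.

```powershell
# Live data (assumption: Microsoft Graph PowerShell SDK is installed and you ran
# Connect-MgGraph -Scopes 'Policy.Read.All','UserAuthenticationMethod.Read.All'):
#   $base   = 'https://graph.microsoft.com/v1.0'
#   $policy = Invoke-MgGraphRequest -Method GET -Uri "$base/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2"
#   $keys   = (Invoke-MgGraphRequest -Method GET -Uri "$base/users/$upn/authentication/fido2Methods").value

function Test-Fido2Visibility {
    param(
        [Parameter(Mandatory)] $Policy,       # FIDO2 method configuration object
        [object[]] $RegisteredKeys = @(),     # the user's registered FIDO2 keys
        [string[]] $UserGroupIds   = @()      # object IDs of groups the user belongs to
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    if ($Policy.state -ne 'enabled') {
        $findings.Add('FIDO2 is not enabled in the authentication methods policy.')
    }
    if (-not $Policy.isSelfServiceRegistrationAllowed) {
        $findings.Add('"Allow self-service set up" is No, so the user cannot register a key.')
    }
    # The policy applies to all users or to specific groups.
    $targeted = $false
    foreach ($target in $Policy.includeTargets) {
        if ($target.id -eq 'all_users' -or $UserGroupIds -contains $target.id) { $targeted = $true }
    }
    if (-not $targeted) {
        $findings.Add('The user is not in any group targeted by the FIDO2 policy.')
    }
    $keyCount = @($RegisteredKeys).Count
    if ($keyCount -eq 0) {
        $findings.Add('No key registered: the user adds it under "+Add sign-in method" at aka.ms/mysecurityinfo.')
    }
    [pscustomobject]@{
        CanSelfRegister    = ($Policy.state -eq 'enabled' -and $Policy.isSelfServiceRegistrationAllowed -and $targeted)
        RegisteredKeyCount = $keyCount
        Findings           = $findings
    }
}

# Constructed sample: method enabled for all users, self-service off, no key yet.
$samplePolicy = @{
    state                            = 'enabled'
    isSelfServiceRegistrationAllowed = $false
    includeTargets                   = @(@{ targetType = 'group'; id = 'all_users' })
}
$result = Test-Fido2Visibility -Policy $samplePolicy -RegisteredKeys @()
$result.Findings
```

With the constructed sample, the function reports the self-service setting and the missing registration, the two conditions the answer says must hold before the key appears under the user's authentication methods.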