I added my new security key to my MS Account in an enterprise setup of Hybrid joined AAD (Entra ID) and I am able to login using the Security key into microsoft applications but not onto my device.

Perumallapally, John Austeen 40 Reputation points
2024-09-04T18:49:23.7266667+00:00

Hello there,

I registered my new Yubico 5c Security key into my Microsoft account, which is working fine to logon to many MS resources. My MS account is on Hybrid-joined AD (Entra ID). I am unable to use Security key to logon to my windows 11 device with security key. I tweaked some CA policies and authentication strengths to test this Security key on my account but I had no luck in logging into my Device.

I got one more question, In our organization, most of the devices are added to the AD domain by help desk team and may be because of that, the primary user UPN is help desk user's email. How do I change that in bulk or what is the best solution to this issue.

Thank you

Windows 11
Windows 11
A Microsoft operating system designed for productivity, creativity, and ease of use.
9,860 questions
Microsoft Intune Security
Microsoft Intune Security
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
430 questions
Microsoft Intune Enrollment
Microsoft Intune Enrollment
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Enrollment: The process of requesting, receiving, and installing a certificate.
1,372 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,062 questions
{count} votes

Accepted answer
  1. Neuvi Jiang 1,450 Reputation points Microsoft Vendor
    2024-09-05T08:13:55.8166667+00:00

    Hi Perumallapally, John Austeen,

    Thank you for posting in the Q&A Forums.

    Comments Off on Yubico 5c security key to log in to Windows 11 devices

    Confirm Windows 11 support:

    First, make sure your Windows 11 device supports logging in with a security key.Windows 11 natively supports FIDO2 security keys, but you may need to make sure your device has been updated to the latest version of Windows that supports this feature.

    Check the security key configuration:

    Ensure that the Yubico 5c security key has been properly registered to your Microsoft account and that the necessary settings have been made as required by Microsoft.

    Check AD and Azure AD configuration:

    Since your account sits on an AD (Entra ID) that has been added to the mix, check that Azure AD Connect or your identity synchronization solution is properly configured to support the security key. This may require administrator privileges to view and modify the relevant settings.

    Check group policies and local policies:

    Check if any group policies or local security policies prevent logging in with a security key. These policies may restrict certain users or devices from using the security key.

    Check the event log:

    Check the relevant entries in the Windows event logs, especially those related to security, logon, and authentication, for more detailed information about logon failures.

    Contact Support:

    If none of the above steps resolves the issue, it is recommended to contact Microsoft Support or your IT support team for more specialized assistance.

    About bulk changes to device UPNs in AD domains

    Assess the need:

    Before making any bulk changes, make sure you fully understand the impact of changing the UPN and assess whether this is the best way to resolve the issue.

    Use PowerShell scripts:

    You can use PowerShell scripts to make bulk changes to the UPNs of devices in an AD domain. this typically involves querying AD for a list of devices that need to be changed and then updating their UPNs with the appropriate commands.

    Consider using a third-party tool:

    There are also third-party tools on the market that can help you manage devices in an AD domain in bulk, including changing UPNs. these tools may offer a more user-friendly interface and more robust features.

    Develop a rollback plan:

    Before making bulk changes, make sure you have a detailed rollback plan in place so that you can recover quickly if something goes wrong.

    Execute changes and validate:

    After executing bulk changes, be sure to verify that the changes were made as expected and check for any unintended side effects.

    Notify users:

    If the change affects user logins or other aspects, make sure that users are notified in a timely manner and provided with the necessary support and guidance.

    Best regards

    NeuviJ

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.