0 Votes
James-2503 asked James-2503 commented

Error adding Yubikey to Security Info



Hi, I am following the MS docs for going passwordless; however, when I add my Security Key (add method) on the myprofile page I get the error below after naming it:


We detected that this particular key type has been blocked by your organization. Contact your administrator for more details and try registering a different type of key.

Any ideas?

azure-active-directory
0 Votes
PavelOtych answered James-2503 commented

Hi, I suggest you check Authentication Methods in Azure and have a look at Key Restriction Policy -> "Enforce key restrictions" should be set to "No" unless you're limiting usage to specific keys.

What kind of YubiKey are you using? If it's an older model you can try to disable "Enforce attestation" if the above doesn't help. This disables the requirement for trusted certificate usage and will allow the self-signed certificate of the key itself.


Turning off Enforce Attestation got it working. They are new keys, but obviously it doesn't like the YubiKey 5 NFC.

0 Votes

0 Votes
RendyLaurens-3979 answered James-2503 commented

I have added the AAGUID in Azure.

Go to Authentication methods - Authentication method policy:

Azure AD - Security - Authentication methods.
Go to FIDO2 Security Key.

Enforce attestation: YES

and

Restrict specific keys: ALLOW

And for the AAGUID check this website:
https://support.yubico.com/support/solutions/articles/15000028710-yubikey-hardware-fido2-aaguids

I tried that; the only way I got it working was to turn off "Enforce Attestation".

Thanks

0 Votes
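The two answers above describe two independent checks in the FIDO2 authentication method policy: "Enforce attestation" (the key's attestation certificate must chain to a trusted root, otherwise self-signed attestation is accepted) and "Restrict specific keys" (an allow- or block-list of AAGUIDs). The following Python is an added example, not code from the thread or from Microsoft; it models those two settings as a small policy object and extracts the AAGUID from WebAuthn authenticator data, so an admin can confirm which key model a registration actually presented before deciding which toggle to change. The AAGUID value, the sample authenticator-data bytes and the function names are constructed for this example; the real YubiKey AAGUIDs come from the Yubico page linked in the answer, and the evaluation order shown is an assumption, not Azure's documented one.

```python
"""Model of the FIDO2 policy checks discussed in the thread plus an AAGUID
extractor for WebAuthn authenticatorData. Added example; constructed values."""
import struct
import uuid
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed placeholder AAGUID, not a real YubiKey value.
EXAMPLE_ALLOWED_AAGUID = "00000000-0000-0000-0000-0000000000aa"


@dataclass
class Fido2Policy:
    """Mirrors the portal toggles: Enforce attestation, Restrict specific keys."""
    enforce_attestation: bool = True
    enforce_key_restrictions: bool = False
    enforcement_type: str = "allow"  # "allow" = allow-list, "block" = block-list
    aaguids: List[str] = field(default_factory=list)


def parse_aaguid(auth_data: bytes) -> Optional[str]:
    """Return the AAGUID from WebAuthn authenticatorData, or None when the
    attested-credential-data flag (AT, bit 6 of the flags byte) is not set.

    Layout: rpIdHash[32] | flags[1] | signCount[4] | aaguid[16] | credIdLen[2] | ...
    """
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than the fixed 37-byte header")
    flags = auth_data[32]
    if not flags & 0x40:
        return None  # no attested credential data (e.g. an assertion, not a registration)
    if len(auth_data) < 37 + 18:
        raise ValueError("attested credential data truncated")
    return str(uuid.UUID(bytes=auth_data[37:53]))


def evaluate_registration(policy: Fido2Policy, aaguid: str,
                          attestation_chain_trusted: bool) -> Tuple[bool, str]:
    """Decide whether a registration passes the modelled policy.

    attestation_chain_trusted is the verdict of the attestation-statement check
    (True when the certificate chains to a trusted root); it is an input here,
    since chain validation itself is out of scope for this example.
    """
    if policy.enforce_attestation and not attestation_chain_trusted:
        return False, "attestation rejected: certificate chain not trusted"
    if policy.enforce_key_restrictions:
        listed = aaguid.lower() in {a.lower() for a in policy.aaguids}
        if policy.enforcement_type == "allow" and not listed:
            return False, "key type blocked: AAGUID not on allow-list"
        if policy.enforcement_type == "block" and listed:
            return False, "key type blocked: AAGUID on block-list"
    return True, "registration allowed"


def build_sample_auth_data(aaguid: str, cred_id: bytes = b"\x01" * 16) -> bytes:
    """Construct minimal authenticatorData for a registration (UP and AT flags set).
    The public-key field is a placeholder empty CBOR map; only the AAGUID matters here."""
    rp_id_hash = b"\x11" * 32
    flags = bytes([0x41])             # UP (bit 0) | AT (bit 6)
    sign_count = struct.pack(">I", 0)
    attested = uuid.UUID(aaguid).bytes + struct.pack(">H", len(cred_id)) + cred_id + b"\xa0"
    return rp_id_hash + flags + sign_count + attested


if __name__ == "__main__":
    auth_data = build_sample_auth_data(EXAMPLE_ALLOWED_AAGUID)
    seen = parse_aaguid(auth_data)
    print("AAGUID presented:", seen)
    # Strict policy, attestation not trusted: blocked regardless of AAGUID.
    print(evaluate_registration(Fido2Policy(), seen, attestation_chain_trusted=False))
    # Attestation relaxed (the fix the thread landed on): allowed.
    print(evaluate_registration(Fido2Policy(enforce_attestation=False), seen, False))
    # Allow-list that does not contain this key: blocked.
    strict = Fido2Policy(enforce_attestation=False, enforce_key_restrictions=True,
                         aaguids=["ffffffff-ffff-ffff-ffff-ffffffffffff"])
    print(evaluate_registration(strict, seen, True))
```

Disabling "Enforce attestation", as the asker ended up doing, removes the second check's dependency on a trusted certificate chain but leaves the AAGUID allow-list intact, so the safer long-term configuration is to keep key restrictions on with the exact AAGUIDs of the models you issue and only relax attestation if those models still fail.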