Passkey (Entra) Not working on Lockscreen but works on Web API

Question

Passkey (Entra) Not working on Lockscreen but works on Web API

chandra 40

Hi

We have built a custom FIDO2 passkey to be used with EntraID.

The passkey works with Windows Hello (Personal Account), Microsoft Web Auth but on Windows Pro Lockscreen, the security key fails with the following reason "You cannot sign in with this account. Try a different account". We are not sure what the error is (If any).

Could you help us point direction or give pointers on how to debug the same.

vlcsnap-2025-08-12-16h49m45s889.png

vlcsnap-2025-11-17-12h15m06s629.png

vlcsnap-2025-11-17-12h15m01s107.png

Thanks

Chandra

Answer accepted by question author

4 additional answers

Your answer

Answer 1

VPHAN 17,970 Independent Advisor

Hi chandra,

The failure is specific to your custom FIDO2 key's AAGUID not being recognized by Windows as a trusted authenticator for primary authentication, even though it passes web registration. The Yubikey works because its AAGUID is pre-trusted by Entra ID.

Check the AAGUID of your custom key in the Entra ID Authentication Methods activity logs. Filter for sign-in attempts with cFIDO; if the AAGUID is listed as "noncompliant" or lacks a "fido2SecurityKey" attestation type, Windows logon will reject it. You must add the custom AAGUID to the tenant's trusted FIDO2 security key list via Entra ID > Protection > Authentication methods > Policies > FIDO2 Security Key > Configure. If the AAGUID is not whitelisted, device logon fails.

Ensure the key is registered under the user's security info as a "FIDO2 security key" and not a "passkey." Passkeys bound to Microsoft accounts are invalid for Entra join. Use PowerShell with the MSOnline module to verify the registration type: Get-MsolUser -UserPrincipalName <user> | Select-Object -ExpandProperty StrongAuthenticationMethods should show "FIDO2SecurityKey" for both keys.

If the AAGUID is trusted and registration correct, the issue may be in the key's firmware or attestation certificate. Windows requires valid FIDO2 certification for lock screen use. Test cFIDO on another Entra-joined device to isolate the fault.

I hope you are clear with the information, and it's really appreciated of you to accept the answer to help build the community by sharing your experience with the issue. Thanks!

Vivian

chandra 40 Reputation points

2025-11-18T08:06:39.9066667+00:00

Thanks. will look into the auth logs and this msg entirely
chandra 40 Reputation points

2025-11-19T13:55:36.0166667+00:00

Hi @Vivian Phan
Here are a few screenshots of the settings. For the time being, we have disabled MFA for myself (particular user) to test the above.

AAGUID (NO restrictions, allow all)

aaguid_entra_pic.png

Lockscreen activity Logs for the user do not show up at all (regardless of cFIDO or yFIDO)

Connect-MsolService (failed) but Connect-AzureAD (passed with MFA off)

connectAzureAD_pic.png
connectMsolService_pic.png

Kindly let know next steps

Thanks

Chandra
VPHAN 17,970 Reputation points Independent Advisor

2025-11-19T15:58:55.9966667+00:00

Hi Chandra, from the images, the lockscreen error happens because Windows blocks the custom FIDO2 key before it reaches Entra ID authentication, evident from the absent activity logs. This means a local device or policy issue specific to your custom key's configuration.

Since the Yubikey works, the tenant-level FIDO2 settings and PRT are functional. The custom key's AAGUID may not be fully trusted by Windows for device logon, despite being allowed in Entra ID. "Allow all" in FIDO2 policies doesn't override Windows' internal trust list for primary authentication. Verify the custom AAGUID is explicitly listed in Entra ID's FIDO2 security key policy under Authentication Methods. If it is missing, add it directly.

The Connect-MsolService failure is due to deprecated authentication protocols; use Microsoft Graph PowerShell with Get-MgUserAuthenticationMethod to check if the custom key is registered as a "FIDO2 security key" and not a "passkey." Passkeys are invalid for Entra join.

Test the custom key on another Entra-joined device to confirm if the issue is device-specific. If it fails elsewhere, the key's attestation certificate may lack Windows compatibility.
chandra 40 Reputation points

2025-11-21T09:33:22.07+00:00
Hi @Vivian Phan
Here are few more insights.

For cFIDO built by ourselves, we have logging enabled and the provision to change the AAGUID. So we changed the AAGUID to the yubikey that we have. Still same error.

On the logs, we see the interaction b/w cFIDO and Microsoft challenge (lockscreen) continue till the following command (ctapCommandClientPin -> ctapCommandClientPinRetries). At this command/subcommand, we respond with 0x08 as the retries in CBOR (0xa1, 0x3, 0x8) [json equiv of {"3":8}]. This is ideal as pinRetries is typically 8 for most scenarios.

We compare lockscreen logs with Web API logs(which passes), the response is same but after the above command, we move into ctapCommandClinetPin -> ctapCommandClientPinToken and/ ctapCommandClientPinKeyAgreement). It seems in the lockscreen version either the communication is cut or Microsoft receives an unexpected answer.

(Failed) output of Get-MgUserAuthenticationMethod shortly.

userAuthStatusFailed.jpg

cFIDO_AAGUID_refactored.png

Kindly guide us further.
chandra 40 Reputation points

2025-11-24T06:27:42.1133333+00:00

Hi @Vivian Phan

Any more suggestions or recommendations for us to try out ?

Thanks

Chandra

Answer 2

Good morning chandra,

Regarding your issue, here is a fairly comprehensive explanation, and I hope you'd spend some time reading it.

My analysis shows that the rejection is not coming from the key. Wins is refusing the account before the FIDO2 ceremony even matters. The lock screen only accepts sign-in methods that are already registered in Entra ID as valid Primary Authentication for that specific user and for that specific device join state. The notice "You cannot sign in with this account" means the account is not eligible for FIDO2 login at the OS level.

You need to confirm the account is Entra ID-joined and not a personal Microsoft account. A custom FIDO2 authenticator will pass WebAuthn tests, but Windows uses the Azure AD Primary Refresh Token flow. If you don't have a valid PRT bound to the device, Windows blocks FIDO2 at the lock screen.

Also, validate that the tenant has FIDO2 security key authentication enabled at the tenant level and allowed for the user. If the policy is enabled only for browser sign-in or Conditional Access MFA, Windows treats the authenticator as unsupported for primary sign-in even though it works through web flows.

Ensure the AAGUID of your custom key is trusted by Entra ID. If the AAGUID is unknown, registration will appear to succeed, but Windows logon will deny it because the platform cannot map it to a supported authenticator model. Use the Entra ID Authentication Methods activity logs to verify that the AAGUID is recognized; unknown AAGUIDs show up as “noncompliant” even though browsers accept them.

Finally, check that the key is registered as a FIDO2 credential under the user’s Entra ID profile, not as a passkey synced to a Microsoft Account. Windows Hello on the login screen will not use MSA-bound passkeys for domain or Entra sign-in.

Once the PRT state, tenant FIDO2 enablement, and AAGUID recognition align, the lock-screen prompt accepts the key and the error disappears.

I hope you are clear with the information. Should you have any more questions, feel free to leave a message. It's really appreciated of you to accept the answer to help build the community by sharing your experience with the issue. Thanks!

Answer 3

VPHAN 17,970 Independent Advisor

Good morning,

Have you found the answer useful? If everything is okay, don't forget to share your experience with the issue by accepting the answer. Should you need more information, free free to leave a message. Happy to help! :)

Vivian

Muhammad Faisal 0 Reputation points

2025-11-18T08:26:59.2233333+00:00

Have you found the answer useful? If everything is okay, don't forget to share your experience with the issue by accepting the answer.

Answer 4

Hi @vivian Phan

Thank you for the above note.

In addition to our custom FIDO2 key (lets call cFIDO), we also have a Yubikey(lets call yFIDO) as a standard check. Surprisingly yFIDO works on the lockscreen but cFIDO alone fails. So we are not entirely sure it is OS itself and not cFIDO but yes, we will start looking at it too.

Notes from above:

(PRT) Azure AD Primary Refresh Token
(Conditional Access Policy) Validate that the tenant has FIDO2 security key authentication enabled at the tenant level and allowed for the user
(AAGUID) Ensure the AAGUID of your custom key is trusted by Entra ID
check that the key is registered as a FIDO2 credential under the user’s Entra ID profile

Here are our comments

PRT need to recheck
yFIDO works, so we know this is set correctly
AAGUID is set correctly as at the time of registration it accepts the passkey
we register here https://mysignins.microsoft.com/security-info . same for yFIDO which works

Tentatively we have accepted your answer as requested.

Thanks

Chandra

Answer 5

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more

Share via

Passkey (Entra) Not working on Lockscreen but works on Web API

4 additional answers

Your answer