Cannot register Yubikey passkey name when saving name

Question

Cannot register Yubikey passkey name when saving name

Bjorn Wetzels 0

I'm configuring a break-glass admin account. When logging in into the account to set up the additional authentication method, the USB key pops up, I enter the passkey and am prompted to give the key a name. When I press save, the system throws an error "We've run into a problem" .

I've since then tried with Edge, Edge in Private mode, Firefox and Firefox in private mode. I changed the name from numeric to alphanumeric, to longer names.

I have configured two accounts with two different yubikeys. Both have the same issue. What am I doing wrong here?

2 answers

Your answer

Answer 1

Andy David - MVP 159.7K MVP Volunteer Moderator

Are you enforcing key restrictions in Entra? If so you will need to add these

https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-enable-passkey-fido2

Enforce key restrictions should be set to Yes only if your organization wants to only allow or disallow certain security key models or passkey providers, which are identified by their AAGUID. You can work with your security key vendor to determine the AAGUID of the passkey. If the passkey is already registered, you can find the AAGUID by viewing the authentication method details of the passkey for the user.

Bjorn Wetzels 0 Reputation points

2025-12-17T07:42:11.0933333+00:00

Hi Andy,

I tried both methods. I registered the AAGUID for the Y5C series and when that did not work, I removed the check.
Andy David - MVP 159.7K Reputation points MVP Volunteer Moderator

2025-12-17T11:58:52.9266667+00:00

anything of interest in the sign in logs or audit logs for your account when it fails?
Bjorn Wetzels 0 Reputation points

2025-12-17T13:07:53.6666667+00:00
Not really - it times out and sends a message to the audit log:

Activity Type User registered security info

Correlation ID 1cd9384e-6189-402b-b4d1-7b898c8ff73c

Category UserManagement

Status clientError

Status reason User failed to register Fido

I get this same error when trying a different type of FIDO key. It also halts at the same stage when registering the nameSadly, I cannot raise a support request as I do not have premium entra support.

The other interesting bit: when I open the developer console checking live requests, it throws an error right when saving the key name:

POST

https://mysignins.microsoft.com/api/authenticationmethods/verify Status 400 Bad Request

Answer 2

Andy David - MVP 159.7K MVP Volunteer Moderator

and everything is set up correctly and you meet the requirements?

https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-enable-passkey-fido2#requirements

User's image

Bjorn Wetzels 0 Reputation points

2025-12-18T06:29:46.91+00:00
I think so. Laptops are brand new running Windows 11 Business, 24H2.

Keys used are YubiKey 5C NFC

All users have 365 Business Premium

Entra ID Premium P1

Actions taken (no delay) for respective user

I revoked any MFA sessions and set for re-register.

Authentication methods now says

Enabled No system preferred MFA method

Reset password

Logged out and closed browser

logged in to https://mysignins.microsoft.com/security-info

Used "another account" just to be sure

Logged in

Changed password to new password

"Stay Signed in" -> Yes

(no MFA prompt)

Opened up Security info. Only authentication here is Password.

+Add sign-in Method

Security Key (USB)

"To set up a security key, you need to sign in with two-factor authentication."

"Let's keep your account secure"

Set up authenticator, Scan QR code

Log in with prompt

"Authenticator added" -> Done

Set up Phone

Received code and entered

"Phone number added" -> Done

Add Device

Security key -> "Have your device ready"

Error: "We couldn't verify your identity or you are using private mode. Please ensure you are not in a private browsing window and please try again."

Note: no MFA prompt sent and no private mode used.

At this point I enrolled a new laptop and logged in with a new user (not with the BGA).

Deleted any MFA sessions for the BGA

logged into https://mysignins.microsoft.com/security-info

Choose where to save this passkey -> passkey

Insert into port

passkey saved " You can now use the key to log in"

Name the key -enter key name

"Sorry - we ran into a problem ".

Opened up developer tools and checked DOM console:

"main.be07485f.js:2 POST https://mysignins.microsoft.com/api/authenticationmethods/verify 400 (Bad Request)"

Share via

Cannot register Yubikey passkey name when saving name

2 answers

Your answer