Support for FIDO2 authentication with Microsoft Entra ID

Microsoft Entra ID allows passkeys to be used for passwordless authentication. This article covers which native applications, web browsers, and operating systems support passwordless authentication using passkeys with Microsoft Entra ID.

Note

Microsoft Entra ID currently supports device-bound passkeys stored on FIDO2 security keys and in Microsoft Authenticator. Microsoft is committed to securing customers and users with passkeys. We are investing in both synced and device-bound passkeys for work accounts.

Native application support

The following sections cover support for Microsoft and third-party applications. Passkey (FIDO2) authentication with a third-party Identity Provider (IDP) isn't supported in third-party applications using authentication broker, or Microsoft applications on macOS, iOS, or Android at this time.

Native application support with authentication broker (preview)

Microsoft applications provide native support for FIDO2 authentication in preview for all users who have an authentication broker installed for their operating system. FIDO2 authentication is also supported in preview for third-party applications using the authentication broker.

The following tables lists which authentication brokers are supported for different operating systems.

OS Authentication broker Supports FIDO2
iOS Microsoft Authenticator
macOS Microsoft Intune Company Portal 1
Android2 Authenticator or Company Portal

1On macOS, the Microsoft Enterprise Single Sign On (SSO) plug-in is required to enable Company Portal as an authentication broker. Devices that run macOS must meet SSO plug-in requirements, including enrollment in mobile device management. For FIDO2 authentication, make sure that you run the latest version of native applications.

2Native application support for FIDO2 on Android is in development.

If a user installed an authentication broker, they can choose to sign in with a security key when they access an application such as Outlook. They're redirected to sign in with FIDO2, and redirected back to Outlook as a signed in user after successful authentication.

Microsoft application support without authentication broker (preview)

The following table lists Microsoft application support for passkey (FIDO2) without an authentication broker.

Application macOS iOS Android
Remote Desktop

Third-party application support without authentication broker

If the user has yet to install an authentication broker, they can still sign in with a passkey when they access MSAL-enabled applications. For more information about requirements for MSAL-enabled applications, see Support passwordless authentication with FIDO2 keys in apps you develop.

Web browser support

This table shows browser support for authenticating Microsoft Entra ID and Microsoft accounts by using FIDO2. Consumers create Microsoft accounts for services such as Xbox, Skype, or Outlook.com.

OS Chrome Edge Firefox Safari
Windows N/A
macOS
ChromeOS N/A N/A N/A
Linux N/A
iOS
Android N/A

Note

Passkeys in Authenticator don't work with browsers like Google Chrome or Microsoft Edge on Android devices. Support to create and sign in using Authenticator passkeys from browsers depends upon API updates to be made available by the Android platform.

Web browser support for each platform

The following tables show which transports are supported for each platform. Supported device types include USB, near-field communication (NFC), and bluetooth low energy (BLE).

Windows

Browser USB NFC BLE
Edge
Chrome
Firefox

Minimum browser version

The following are the minimum browser version requirements on Windows.

Browser Minimum version
Chrome 76
Edge Windows 10 version 19031
Firefox 66

1All versions of the new Chromium-based Microsoft Edge support FIDO2. Support on Microsoft Edge legacy was added in 1903.

macOS

Browser USB NFC1 BLE1
Edge N/A N/A
Chrome N/A N/A
Firefox2 N/A N/A
Safari2 N/A N/A

1NFC and BLE security keys aren't supported on macOS by Apple.

2New security key registration doesn't work on these macOS browsers because they don't prompt to set up biometrics or PIN.

ChromeOS

Browser1 USB NFC BLE
Chrome

1Security key registration isn't supported on ChromeOS or Chrome browser.

Linux

Browser USB NFC BLE
Edge
Chrome
Firefox

iOS

Browser1 Lightning NFC BLE2
Edge N/A
Chrome N/A
Firefox N/A
Safari N/A

1New security key registration doesn't work on iOS browsers because they don't prompt to set up biometrics or PIN.

2BLE security keys aren't supported on iOS by Apple.

Android

Browser1 USB NFC BLE2
Edge
Chrome
Firefox

1Security key registration with Microsoft Entra ID isn't yet supported on Android.

2BLE security keys aren't supported on Android by Google.

Known issues

PowerShell support

Microsoft Graph PowerShell supports FIDO2. Some PowerShell modules that use Internet Explorer instead of Edge aren't capable of performing FIDO2 authentication. For example, PowerShell modules for SharePoint Online or Teams, or any PowerShell scripts that require admin credentials, don't prompt for FIDO2.

As a workaround, most vendors can put certificates on the FIDO2 security keys. Certificate-based authentication (CBA) works in all browsers. If you can enable CBA for those admin accounts, you can require CBA instead of FIDO2 in the interim.

Next steps

Enable passwordless security key sign-in