Support for FIDO2 authentication with Microsoft Entra ID
Microsoft Entra ID allows passkeys to be used for passwordless authentication. This article covers which native applications, web browsers, and operating systems support passwordless authentication using passkeys with Microsoft Entra ID.
Note
Microsoft Entra ID currently supports device-bound passkeys stored on FIDO2 security keys and in Microsoft Authenticator. Microsoft is committed to securing customers and users with passkeys. We are investing in both synced and device-bound passkeys for work accounts.
Native application support
The following sections cover support for Microsoft and third-party applications. Passkey (FIDO2) authentication with a third-party Identity Provider (IDP) isn't supported in third-party applications using authentication broker, or Microsoft applications on macOS, iOS, or Android at this time.
Native application support with authentication broker (preview)
Microsoft applications provide native support for FIDO2 authentication in preview for all users who have an authentication broker installed for their operating system. FIDO2 authentication is also supported in preview for third-party applications using the authentication broker.
The following tables lists which authentication brokers are supported for different operating systems.
OS | Authentication broker | Supports FIDO2 |
---|---|---|
iOS | Microsoft Authenticator | ✅ |
macOS | Microsoft Intune Company Portal 1 | ✅ |
Android2 | Authenticator or Company Portal | ❌ |
1On macOS, the Microsoft Enterprise Single Sign On (SSO) plug-in is required to enable Company Portal as an authentication broker. Devices that run macOS must meet SSO plug-in requirements, including enrollment in mobile device management. For FIDO2 authentication, make sure that you run the latest version of native applications.
2Native application support for FIDO2 on Android is in development.
If a user installed an authentication broker, they can choose to sign in with a security key when they access an application such as Outlook. They're redirected to sign in with FIDO2, and redirected back to Outlook as a signed in user after successful authentication.
Microsoft application support without authentication broker (preview)
The following table lists Microsoft application support for passkey (FIDO2) without an authentication broker.
Application | macOS | iOS | Android |
---|---|---|---|
Remote Desktop | ✅ | ✅ | ❌ |
Third-party application support without authentication broker
If the user has yet to install an authentication broker, they can still sign in with a passkey when they access MSAL-enabled applications. For more information about requirements for MSAL-enabled applications, see Support passwordless authentication with FIDO2 keys in apps you develop.
Web browser support
This table shows browser support for authenticating Microsoft Entra ID and Microsoft accounts by using FIDO2. Consumers create Microsoft accounts for services such as Xbox, Skype, or Outlook.com.
OS | Chrome | Edge | Firefox | Safari |
---|---|---|---|---|
Windows | ✅ | ✅ | ✅ | N/A |
macOS | ✅ | ✅ | ✅ | ✅ |
ChromeOS | ✅ | N/A | N/A | N/A |
Linux | ✅ | ❌ | ❌ | N/A |
iOS | ✅ | ✅ | ✅ | ✅ |
Android | ✅ | ✅ | ❌ | N/A |
Note
Passkeys in Authenticator don't work with browsers like Google Chrome or Microsoft Edge on Android devices. Support to create and sign in using Authenticator passkeys from browsers depends upon API updates to be made available by the Android platform.
Web browser support for each platform
The following tables show which transports are supported for each platform. Supported device types include USB, near-field communication (NFC), and bluetooth low energy (BLE).
Windows
Browser | USB | NFC | BLE |
---|---|---|---|
Edge | ✅ | ✅ | ✅ |
Chrome | ✅ | ✅ | ✅ |
Firefox | ✅ | ✅ | ✅ |
Minimum browser version
The following are the minimum browser version requirements on Windows.
Browser | Minimum version |
---|---|
Chrome | 76 |
Edge | Windows 10 version 19031 |
Firefox | 66 |
1All versions of the new Chromium-based Microsoft Edge support FIDO2. Support on Microsoft Edge legacy was added in 1903.
macOS
Browser | USB | NFC1 | BLE1 |
---|---|---|---|
Edge | ✅ | N/A | N/A |
Chrome | ✅ | N/A | N/A |
Firefox2 | ✅ | N/A | N/A |
Safari2,3 | ✅ | N/A | N/A |
1NFC and BLE security keys aren't supported on macOS by Apple.
2New security key registration doesn't work on these macOS browsers because they don't prompt to set up biometrics or PIN.
3See Sign in when more than three passkeys are registered.
ChromeOS
Browser1 | USB | NFC | BLE |
---|---|---|---|
Chrome | ✅ | ❌ | ❌ |
1Security key registration isn't supported on ChromeOS or Chrome browser.
Linux
Browser | USB | NFC | BLE |
---|---|---|---|
Edge | ❌ | ❌ | ❌ |
Chrome | ✅ | ❌ | ❌ |
Firefox | ❌ | ❌ | ❌ |
iOS
Browser1,3 | Lightning | NFC | BLE2 |
---|---|---|---|
Edge | ✅ | ✅ | N/A |
Chrome | ✅ | ✅ | N/A |
Firefox | ✅ | ✅ | N/A |
Safari | ✅ | ✅ | N/A |
1New security key registration doesn't work on iOS browsers because they don't prompt to set up biometrics or PIN.
2BLE security keys aren't supported on iOS by Apple.
3See Sign in when more than three passkeys are registered.
Android
Browser1 | USB | NFC | BLE2 |
---|---|---|---|
Edge | ✅ | ❌ | ❌ |
Chrome | ✅ | ❌ | ❌ |
Firefox | ❌ | ❌ | ❌ |
1Security key registration with Microsoft Entra ID isn't yet supported on Android.
2BLE security keys aren't supported on Android by Google.
Known issues
Sign in when more than three passkeys are registered
If you registered more than three passkeys, sign in with a passkey might not work. If you have more than three passkeys, as a workaround, click Sign-in options and sign in without entering a username.
PowerShell support
Microsoft Graph PowerShell supports FIDO2. Some PowerShell modules that use Internet Explorer instead of Edge aren't capable of performing FIDO2 authentication. For example, PowerShell modules for SharePoint Online or Teams, or any PowerShell scripts that require admin credentials, don't prompt for FIDO2.
As a workaround, most vendors can put certificates on the FIDO2 security keys. Certificate-based authentication (CBA) works in all browsers. If you can enable CBA for those admin accounts, you can require CBA instead of FIDO2 in the interim.