Enable passkeys in Microsoft Authenticator (preview)

This article lists steps to enable and enforce use of passkeys in Authenticator for Microsoft Entra ID. First, you update the Authentication methods policy to allow end users to register and sign in with passkeys in Authenticator. Then you can use Conditional Access authentication strengths policies to enforce passkey sign-in when users access a sensitive resource.

Requirements

  • Microsoft Entra multifactor authentication (MFA)
  • Android 14 and later or iOS 17 and later
  • An active internet connection on any device that is part of the passkey registration/authentication process
  • For cross-device registration/authentication, both devices must have Bluetooth enabled

Note

Users need to install the latest version of Authenticator for Android or iOS to use a passkey.

To learn more about where you can use passkeys in Authenticator to sign in, see Support for FIDO2 authentication with Microsoft Entra ID.

Enable passkeys in Authenticator in the admin center

An Authentication Policy Administrator needs to consent to allow Authenticator in the Passkey (FIDO2) settings of the Authentication methods policy. They need to explicitly allow the Authenticator Attestation GUIDs (AAGUIDs) for Microsoft Authenticator to enable users to register passkeys in the Authenticator app. There's no setting to enable passkeys in the Microsoft Authenticator app section of the Authentication Methods policy.

  1. Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.

  2. Browse to Protection > Authentication methods > Authentication method policy.

  3. Under the method Passkey (FIDO2), select All users or Add groups to select specific groups. Only security groups are supported.

  4. On the Configure tab:

    • Set Allow self-service set up to Yes. If set to No, users can't register a passkey by using Security info, even if passkeys (FIDO2) are enabled by the Authentication methods policy.

    • Set Enforce attestation to No for preview. Attestation support is planned for General Availability.

    • Key restrictions set the usability of specific passkeys for both registration and authentication. Set Enforce key restrictions to Yes to only allow or block certain passkeys, which are identified by their AAGUIDs.

      This setting must be Yes and you need to add the Microsoft Authenticator AAGUIDs to allow users to register passkeys in the Authenticator, either by signing into the Authenticator app, or by adding Passkey in Microsoft Authenticator from their Security info.

      Security info requires this setting to be set to Yes for users to be able to choose Passkey in Authenticator and go through a dedicated Authenticator passkey registration flow. If you choose No, users may still be able to add a passkey in Microsoft Authenticator by choosing the Passkey method, depending upon their operating system and browser. However, we do not expect this avenue to be discoverable and used by most users.

      If your organization doesn't currently enforce key restrictions and already has active passkey usage, you should collect the AAGUIDs of the keys being used today. Add them to the Allow list, along with the Authenticator AAGUIDs, to enable this preview. This task can be done with an automated script that analyzes logs, such as registration details and sign-in logs.

      If you later change key restrictions and remove an AAGUID that you previously allowed, users who registered a passkey from that authenticator can no longer use it to sign in. Inventory the AAGUIDs in use before you remove anything.

    • Set Restrict specific keys to Allow.

    • Select Microsoft Authenticator (Preview) to automatically add the Authenticator app AAGUIDs to the key restriction list, or manually add the following AAGUIDs to allow users to register passkeys in the Authenticator by signing into the Authenticator app or by going through a guided flow on the Security info page:

      • Authenticator for Android: de1e552d-db1d-4423-a619-566b625cdc84
      • Authenticator for iOS: 90a3ccdf-635c-4729-a248-9b709135078f

      Note

      If you turn off key restrictions, make sure you clear the Microsoft Authenticator (Preview) checkbox so that users aren't prompted to set up a passkey in the Authenticator app in Security info.

      Two more AAGUIDs may be listed. They are b6879edc-2a86-4bde-9c62-c1cac4a8f8e5 and 257fa02a-18f3-4e34-8174-95d454c2e9ad. These AAGUIDs appear in advance of an upcoming feature. You can remove them from the list of allowed AAGUIDs.

    Screenshot showing Microsoft Authenticator enabled for passkey.

  5. After you finish the configuration, select Save.

    Note

    If you see an error when you try to save, replace multiple groups with a single group in one operation, and then select Save again.

Enable passkeys in Authenticator using Graph Explorer

In addition to using the Microsoft Entra admin center, you can also enable passkeys in Authenticator by using Graph Explorer. Those assigned at least the Authentication Policy Administrator role can update the Authentication methods policy to allow the AAGUIDs for Authenticator.

To configure the policy by using Graph Explorer:

  1. Sign in to Graph Explorer and consent to the Policy.Read.All and Policy.ReadWrite.AuthenticationMethod permissions.

  2. Retrieve the Authentication methods policy:

    GET https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/FIDO2
    
  3. To disable attestation enforcement and enforce key restrictions to only allow AAGUIDs for Microsoft Authenticator, perform a PATCH operation using the following request body:

    PATCH https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/FIDO2
    
    Request Body:
    {
        "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
        "isAttestationEnforced": false,
        "keyRestrictions": {
            "isEnforced": true,
            "enforcementType": "allow",
            "aaGuids": [
                "90a3ccdf-635c-4729-a248-9b709135078f",
                "de1e552d-db1d-4423-a619-566b625cdc84"
    
                <insert previous AAGUIDs here to keep them stored in policy>
            ]
        }
    }
    
  4. Make sure that the passkey (FIDO2) policy is updated properly.

    GET https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/FIDO2
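
The procedure above (collect the AAGUIDs in use, add them and the Authenticator AAGUIDs to the allow list, PATCH, then re-read the policy) is easy to get wrong by hand, so the following Python helper is added here as an example; it is not part of the article or of Microsoft's tooling. It does not call Microsoft Graph itself: it takes the JSON that GET .../authenticationMethodConfigurations/FIDO2 and GET /users/{id}/authentication/fido2Methods return (the fido2AuthenticationMethod resource exposes each registered key's aaGuid), builds the PATCH body, flags any registered AAGUID you are about to exclude (the situation the key-restrictions caveat above describes), and checks that a returned configuration actually permits Authenticator passkeys. The sample policy and registered methods at the bottom are constructed, and the hardware-key AAGUID in them is a made-up placeholder.

```python
"""Prepare and check the Passkey (FIDO2) policy change described above.

Added example, not Microsoft's code. No Graph call is made here: the functions
take the JSON bodies returned by
  GET .../authenticationMethodsPolicy/authenticationMethodConfigurations/FIDO2
  GET /users/{id}/authentication/fido2Methods   (property: aaGuid)
and produce the PATCH body, so the script runs offline on the constructed
sample data at the bottom.
"""
import json
import uuid

# AAGUIDs listed in the article.
AUTHENTICATOR_AAGUIDS = frozenset({
    "de1e552d-db1d-4423-a619-566b625cdc84",  # Authenticator for Android
    "90a3ccdf-635c-4729-a248-9b709135078f",  # Authenticator for iOS
})
UPCOMING_FEATURE_AAGUIDS = frozenset({  # pre-populated by the admin center; safe to drop
    "b6879edc-2a86-4bde-9c62-c1cac4a8f8e5",
    "257fa02a-18f3-4e34-8174-95d454c2e9ad",
})


def normalize(aaguid):
    """Canonical lower-case hyphenated form, or None if the value is not a GUID."""
    try:
        return str(uuid.UUID(str(aaguid)))
    except ValueError:
        return None


def clean(aaguids):
    """Set of valid, normalized AAGUIDs; malformed entries are skipped."""
    return {g for g in map(normalize, aaguids or []) if g}


def aaguids_in_use(fido2_methods):
    """Distinct AAGUIDs across fido2AuthenticationMethod objects."""
    return clean(m.get("aaGuid") for m in fido2_methods)


def build_patch_body(current_policy, in_use, remove=frozenset()):
    """Return (patch_body, dropped).

    Allow list = AAGUIDs already allowed (only if the policy is already in
    allow mode) + AAGUIDs registered today + Authenticator AAGUIDs - remove.
    'dropped' lists registered AAGUIDs that 'remove' excludes: users holding
    such a key could no longer sign in with it after the PATCH.
    """
    restrictions = current_policy.get("keyRestrictions") or {}
    allowed = set()
    if restrictions.get("isEnforced") and restrictions.get("enforcementType") == "allow":
        allowed = clean(restrictions.get("aaGuids"))
    in_use, remove = clean(in_use), clean(remove)
    body = {
        "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
        "isAttestationEnforced": False,  # required for the preview
        "keyRestrictions": {
            "isEnforced": True,
            "enforcementType": "allow",
            "aaGuids": sorted((allowed | in_use | AUTHENTICATOR_AAGUIDS) - remove),
        },
    }
    return body, sorted(in_use & remove)


def policy_is_ready(policy):
    """True if a FIDO2 configuration lets users register passkeys in
    Authenticator: attestation off, allow list enforced, both Authenticator
    AAGUIDs present."""
    r = policy.get("keyRestrictions") or {}
    return (policy.get("isAttestationEnforced") is False
            and r.get("isEnforced") is True
            and r.get("enforcementType") == "allow"
            and AUTHENTICATOR_AAGUIDS <= clean(r.get("aaGuids")))


# Constructed sample data, not real tenant output.
CURRENT_POLICY = {
    "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
    "id": "Fido2",
    "state": "enabled",
    "isAttestationEnforced": True,
    "keyRestrictions": {"isEnforced": False, "enforcementType": "block", "aaGuids": []},
}
HARDWARE_KEY_AAGUID = "11111111-2222-4333-8444-555555555555"  # made-up placeholder
REGISTERED_METHODS = [  # fido2Methods gathered from several users
    {"aaGuid": HARDWARE_KEY_AAGUID.upper(), "model": "Example hardware key"},
    {"aaGuid": HARDWARE_KEY_AAGUID, "model": "Example hardware key"},
    {"aaGuid": "not-a-guid", "model": "corrupt entry"},
]

if __name__ == "__main__":
    in_use = aaguids_in_use(REGISTERED_METHODS)
    body, dropped = build_patch_body(CURRENT_POLICY, in_use, remove=UPCOMING_FEATURE_AAGUIDS)
    if dropped:
        print("WARNING: still registered but about to be excluded:", dropped)
    print(json.dumps(body, indent=2))   # body for PATCH .../FIDO2
    # After the PATCH, pass the fresh GET response to policy_is_ready(); the
    # PATCH body itself stands in for it here.
    print("ready:", policy_is_ready(body))
```

To use it against a tenant, aggregate every user's fido2Methods response into one list (a tenant-wide inventory needs the UserAuthenticationMethod.Read.All permission in addition to the policy permissions named above); if dropped is non-empty, move those users to an allowed authenticator before you PATCH, and run policy_is_ready() on the GET response from step 4 rather than on the body you sent.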
    

Delete a passkey

To remove a passkey associated with a user account, delete the key from the user’s authentication methods.

  1. Sign in to the Microsoft Entra admin center and search for the user whose passkey needs to be removed.

  2. Select Authentication methods > right-click FIDO2 security key and select Delete.

    Screenshot of View Authentication Method details.

Note

Deleting the method in Microsoft Entra ID removes the registered credential from the user account only; the key material in the Authenticator app is unaffected, so users also need to remove the passkey in Authenticator on their device.

Enforce sign-in with passkeys in Authenticator

To make users sign in with a passkey when they access a sensitive resource, use the built-in Phishing-resistant MFA authentication strength, which accepts any passkey (FIDO2) together with the other phishing-resistant methods, or, to accept only passkeys in Authenticator, create a custom authentication strength by following these steps:

  1. Sign in to the Microsoft Entra admin center as a Conditional Access Administrator.

  2. Browse to Protection > Authentication methods > Authentication strengths.

  3. Select New authentication strength.

  4. Provide a descriptive Name for your new authentication strength.

  5. Optionally provide a Description.

  6. Select Passkeys (FIDO2) and then select Advanced options.

  7. Add AAGUIDs for passkeys in Authenticator:

    • Authenticator for Android: de1e552d-db1d-4423-a619-566b625cdc84
    • Authenticator for iOS: 90a3ccdf-635c-4729-a248-9b709135078f

  8. Choose Next and review the policy configuration.
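
The same custom authentication strength can be created with Microsoft Graph instead of the admin center. The two requests below are an added example, not from the article: as of the beta API reference, an authenticationStrengthPolicy is created first and a fido2CombinationConfiguration carrying the allowed AAGUIDs is then added to it. {policyId} stands for the id returned by the first call, and the display name and description are placeholders; confirm the property names against the current Graph reference before scripting this.

```http
POST https://graph.microsoft.com/beta/policies/authenticationStrengthPolicies
Content-Type: application/json

{
    "displayName": "Passkeys in Microsoft Authenticator",
    "description": "Only passkeys whose AAGUID belongs to Microsoft Authenticator",
    "allowedCombinations": ["fido2"]
}

POST https://graph.microsoft.com/beta/policies/authenticationStrengthPolicies/{policyId}/combinationConfigurations
Content-Type: application/json

{
    "@odata.type": "#microsoft.graph.fido2CombinationConfiguration",
    "appliesToCombinations": ["fido2"],
    "allowedAAGUIDs": [
        "de1e552d-db1d-4423-a619-566b625cdc84",
        "90a3ccdf-635c-4729-a248-9b709135078f"
    ]
}
```

Without the second request the strength accepts any passkey (FIDO2), the same as the built-in Phishing-resistant MFA strength; the combination configuration is what limits it to the Authenticator AAGUIDs. The caller needs the Policy.ReadWrite.ConditionalAccess permission (per the same reference), and the strength takes effect only once a Conditional Access policy requires it.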

Next steps

Support for passkey in Windows