Enable passkeys in Microsoft Authenticator (preview)

This article lists steps to enable and enforce use of passkeys in Authenticator for Microsoft Entra ID. First, you update the Authentication methods policy to allow end users to register and sign in with passkeys in Authenticator. Then you can use Conditional Access authentication strengths policies to enforce passkey sign-in when users access a sensitive resource.

Requirements

  • Microsoft Entra multifactor authentication (MFA)
  • Android 14 and later or iOS 17 and later
  • An active internet connection on any device that is part of the passkey registration/authentication process
  • For cross-device registration/authentication, both devices must have Bluetooth enabled

Note

Users need to install the latest version of Authenticator for Android or iOS to use a passkey.

To learn more about where you can use passkeys in Authenticator to sign in, see Support for FIDO2 authentication with Microsoft Entra ID.

Enable passkeys in Authenticator in the admin center

The Microsoft Authenticator policy doesn't give you the option to enable passkeys in Authenticator. Instead, to enable passkeys in Authenticator, you must edit the FIDO2 security key Authentication methods policy.

  1. Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.

  2. Browse to Protection > Authentication methods > Authentication method policy.

  3. Under the method FIDO2 security key, select All users or Add groups to select specific groups. Only security groups are supported.

  4. On the Configure tab, set:

    • Allow self-service set up to Yes

    • Enforce attestation to No

    • Enforce key restrictions to Yes

    • Restrict specific keys to Allow

    • Select Microsoft Authenticator (preview) if the checkbox is displayed in the admin center. This setting automatically populates the Authenticator app AAGUIDs for you in the key restriction list. Otherwise, you can manually add the following AAGUIDs to enable the Authenticator passkey preview:

      • Authenticator for Android: de1e552d-db1d-4423-a619-566b625cdc84
      • Authenticator for iOS: 90a3ccdf-635c-4729-a248-9b709135078f

    Screenshot showing Microsoft Authenticator enabled for passkey.

Warning

Key restrictions set the usability of specific passkeys for both registration and authentication. If you change key restrictions and remove an AAGUID that you previously allowed, users who previously registered an allowed method can no longer use it for sign-in. If your organization doesn't currently enforce key restrictions and already has active passkey usage, you should collect the AAGUIDs of the keys being used today. Add them to the Allow list, along with the Authenticator AAGUIDs, to enable this preview. This task can be done with an automated script that analyzes logs such as registration details and sign-in logs.

The following list describes other optional settings:

General

  • Allow self-service set up should remain set to Yes. If set to No, your users aren't able to register a passkey through MySecurityInfo, even if the Authentication methods policy enables it.
  • Enforce attestation should be set to No for the preview. Attestation support is planned for General Availability.

Key Restriction Policy

  • Enforce key restrictions should be set to Yes only if your organization wants to allow or disallow specific passkeys, which are identified by their Authenticator Attestation GUID (AAGUID). You can enter the Authenticator app AAGUIDs manually, or restrict the list to only the Android AAGUID or only the iOS AAGUID. To enable the Authenticator passkey preview, add the following AAGUIDs:

    • Authenticator for Android: de1e552d-db1d-4423-a619-566b625cdc84
    • Authenticator for iOS: 90a3ccdf-635c-4729-a248-9b709135078f

After you finish the configuration, select Save.

Enable passkeys in Authenticator using Graph Explorer

In addition to using the Microsoft Entra admin center, you can also enable passkeys in Authenticator by using Graph Explorer. Global Administrators and Authentication Policy Administrators can update the Authentication methods policy to allow the AAGUIDs for Authenticator.

To configure the policy by using Graph Explorer:

  1. Sign in to Graph Explorer and consent to the Policy.Read.All and Policy.ReadWrite.AuthenticationMethod permissions.

  2. Retrieve the Authentication methods policy:

    GET https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/FIDO2
    
  3. To disable attestation enforcement and enforce key restrictions to only allow AAGUIDs for Microsoft Authenticator, perform a PATCH operation using the following request body:

    PATCH https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/FIDO2
    
    Request Body:
    {
        "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
        "isAttestationEnforced": false,
        "keyRestrictions": {
            "isEnforced": true,
            "enforcementType": "allow",
            "aaGuids": [
                "90a3ccdf-635c-4729-a248-9b709135078f",
                "de1e552d-db1d-4423-a619-566b625cdc84",
                <insert previous AAGUIDs here to keep them stored in policy>
            ]
        }
    }
    
  4. Make sure that the passkey (FIDO2) policy is updated properly.

    GET https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/FIDO2
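The GET/PATCH sequence above, scripted so that the AAGUIDs already in the tenant's allow list (and any you collected from registration details or sign-in logs) are preserved rather than overwritten. This is an added example, not code from the article; `patch_fido2_policy` and its `access_token` parameter are assumptions, and the test values are constructed.

```python
import json
import re
import urllib.request

# AAGUIDs for passkeys in Microsoft Authenticator, as listed in this article.
AUTHENTICATOR_AAGUIDS = (
    "de1e552d-db1d-4423-a619-566b625cdc84",  # Authenticator for Android
    "90a3ccdf-635c-4729-a248-9b709135078f",  # Authenticator for iOS
)
FIDO2_POLICY_URL = ("https://graph.microsoft.com/beta/authenticationMethodsPolicy"
                    "/authenticationMethodConfigurations/FIDO2")
_AAGUID = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def build_fido2_patch_body(current_policy, extra_aaguids=()):
    """Build the PATCH body from the object returned by GET FIDO2_POLICY_URL.

    Every AAGUID already in the tenant's allow list is kept, plus any collected
    from registration details or sign-in logs (extra_aaguids), so keys in use
    today keep working when enforcement is switched on.
    """
    restrictions = current_policy.get("keyRestrictions") or {}
    existing = restrictions.get("aaGuids") or []
    if existing and restrictions.get("enforcementType") == "block":
        # A block list cannot be merged into an allow list; review it by hand.
        raise ValueError("current policy is a block list")
    merged = []
    for guid in (*existing, *extra_aaguids, *AUTHENTICATOR_AAGUIDS):
        guid = guid.lower()
        if not _AAGUID.match(guid):
            raise ValueError(f"not an AAGUID: {guid!r}")
        if guid not in merged:  # de-duplicate, keep first-seen order
            merged.append(guid)
    return {
        "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
        "isAttestationEnforced": False,
        "keyRestrictions": {"isEnforced": True, "enforcementType": "allow",
                            "aaGuids": merged},
    }


def patch_fido2_policy(access_token, body):
    """Send the PATCH to Graph; access_token is assumed to carry the
    Policy.ReadWrite.AuthenticationMethod permission (helper added here)."""
    req = urllib.request.Request(
        FIDO2_POLICY_URL, data=json.dumps(body).encode(), method="PATCH",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status
```

Run the GET from step 2 first, pass its JSON to `build_fido2_patch_body`, and repeat the GET afterwards to confirm the merged list, as step 4 describes.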
    

Delete a passkey

To remove a passkey associated with a user account, delete the key from the user’s authentication methods.

  1. Sign in to the Microsoft Entra admin center and search for the user whose passkey needs to be removed.

  2. Select Authentication methods > right-click FIDO2 security key and select Delete.

    Screenshot of View Authentication Method details.

Note

Users also need to remove the passkey in Authenticator on their device.

Enforce sign-in with passkeys in Authenticator

To make users sign in with a passkey when they access a sensitive resource, use the built-in phishing-resistant authentication strength, or create a custom authentication strength by following these steps:

  1. Sign in to the Microsoft Entra admin center as a Conditional Access Administrator.

  2. Browse to Protection > Authentication methods > Authentication strengths.

  3. Select New authentication strength.

  4. Provide a descriptive Name for your new authentication strength.

  5. Optionally provide a Description.

  6. Select Passkeys (FIDO2) and then select Advanced options.

  7. Add AAGUIDs for passkeys in Authenticator:

    • Authenticator for Android: de1e552d-db1d-4423-a619-566b625cdc84
    • Authenticator for iOS: 90a3ccdf-635c-4729-a248-9b709135078f

  8. Choose Next and review the policy configuration.
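The same custom authentication strength expressed as Microsoft Graph request bodies, with a check that every AAGUID the strength requires is also usable under the FIDO2 Authentication methods policy configured earlier (a strength that only accepts keys the method policy rejects cannot be satisfied by anyone). This is an added example, not code from the article; the Graph endpoints, the `fido2CombinationConfiguration` body shape and the helper names are assumptions, and the test values are constructed.

```python
# AAGUIDs for passkeys in Microsoft Authenticator, as listed in this article.
AUTHENTICATOR_AAGUIDS = [
    "de1e552d-db1d-4423-a619-566b625cdc84",  # Authenticator for Android
    "90a3ccdf-635c-4729-a248-9b709135078f",  # Authenticator for iOS
]


def aaguid_usable(guid, fido2_method_policy):
    """True if the FIDO2 Authentication methods policy lets this AAGUID be used."""
    restrictions = fido2_method_policy.get("keyRestrictions") or {}
    if not restrictions.get("isEnforced"):
        return True  # no key restrictions: every AAGUID is usable
    listed = guid.lower() in {g.lower() for g in restrictions.get("aaGuids") or []}
    return listed if restrictions.get("enforcementType") == "allow" else not listed


def build_authentication_strength(name, description, aaguids, fido2_method_policy):
    """Return the two Graph request bodies for a custom authentication strength
    limited to the given passkey AAGUIDs.

    Assumed endpoints: the first body is POSTed to
    /beta/identity/conditionalAccess/authenticationStrength/policies, the second
    to /policies/{id}/combinationConfigurations. fido2_method_policy is the
    object returned by GET .../authenticationMethodConfigurations/FIDO2; an
    AAGUID the method policy rejects is refused here, because users could never
    register or sign in with such a key and would be locked out of the resource.
    """
    for guid in aaguids:
        if not aaguid_usable(guid, fido2_method_policy):
            raise ValueError(f"{guid} is not allowed by the FIDO2 method policy")
    policy = {"displayName": name, "description": description,
              "allowedCombinations": ["fido2"]}
    combination = {
        "@odata.type": "#microsoft.graph.fido2CombinationConfiguration",
        "appliesToCombinations": ["fido2"],
        "allowedAAGUIDs": list(aaguids),
    }
    return policy, combination
```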

Next steps

Support for passkey in Windows