Enable Passkeys in Microsoft Entra

Passkeys are a great way to improve the security and to move away from less secure authentication methods like password, SMS code, voice etc.

Phishing-Resistant MFA
Pre-requisites
Enable Passkeys
Setup Passkey with Microsoft Authenticator

Phishing-Resistant MFA

So what counts as a phishing-resistant authentication method?
Listed below you find 4 methods that are phishing-resistant and will greatly improve your authentication security, helping you to protect your users and organization.

Pre-requisites

Android 14 and later or iOS 17 and later
Microsoft Multi-factor authentication enabled
Latest version of Microsoft Authenticator

Microsoft Documentation

Enable Passkeys

Go to Microsoft Entra
Select Protection – Authentication Methods – Policies

Select FIDO2 security key and assign it to all users or a specific group of users.

Select Configure

Allow self-service set up: YES
If we do not turn this on the users cannot register the passkey.

Enforce attestation: NO
We need to turn this to: NO, this is required as Microsoft Authenticator is currently not supported.

Key Restriction Policy
We are not required to configure this but it is useful if we want to limit what type of passkeys, security keys we want to allow. For example we only use Microsoft Authenticator and YubiKeys.

Enforce key restrictors: YES
We will set this to YES and only allow YubiKeys and Microsoft Authenticator (This will be different depending on your organizations requirements but we need to add Microsoft Authenticator.

Restrict specific keys: Allow
We will only allow the keys added to our list.

Click on Add AAGUID
Authenticator for Android: de1e552d-db1d-4423-a619-566b625cdc84
Authenticator for iOS: 90a3ccdf-635c-4729-a248-9b709135078f

If you also support YubiKeys we can add more AAGUIDs to make sure we allow certain YubiKeys.
YubiKey AAGUIDs

That is all, you can now start using Passkeys with Microsoft Authenticator.

Setup Passkey with Microsoft Authenticator

Using your mobile phone go to: https://aka.ms/mysecurityinfo
(You can do this on your Computer to and you will get a QR code to scan instead to save your passkey on your device)
Select Add sign-in method Select Passkey in Microsoft Authenticator.
Follow the on-screen guide and when asked where to save your Passkey, make sure you select Microsoft Authenticator, if you do not see this as an option, then make sure you are running the latest version of Microsoft Authenticator and have allowed Authenticator for passkeys.

Microsoft Documentation (Register passkey)

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Enable Passkeys in Microsoft Entra

Phishing-Resistant MFA

Pre-requisites

Enable Passkeys

Setup Passkey with Microsoft Authenticator

Like this:

Posts

Deploy Visio and Project separately in Intune

CIS Microsoft Intune for Windows 11 Benchmark in Settings Catalog (JSON)

Deploy a customized Windows 11 Taskbar that allows users to change the pinned apps

Deploy Microsoft Teams QoS with Intune

LAPS in Azure AD