Use FIDO2 key with AAD

It is strongly recommended that you use an MFA solution to secure authentication in Azure AD. However, classic MFA still requires a password plus a second factor (phone, mobile phone, or mobile application). Microsoft recommends moving away from passwords altogether.

I wrote a post about Azure AD passwordless a month ago (click here to access the post).

This post shows how to use a FIDO2 security key to authenticate a user to Azure AD: with the key, the user signs in without typing a password. FIDO2 keys can be purchased from several vendors.

Requirements

To implement Azure AD authentication using FIDO2, the following requirements must be met:

  • Azure Multi-Factor Authentication
  • Combined security information registration preview
  • Compatible FIDO2 security keys
  • Windows 10 version 1809 or higher

Enable the combined registration experience

From the Azure portal, open Azure Active Directory and click on User settings.

Use FIDO2 key with AAD - Configure Azure AD

Click on Manage user feature preview settings.

Use FIDO2 key with AAD - Manage user feature preview settings

Select the users who can use the preview features to register and manage security information. I have chosen to limit the functionality to members of a security group, but it is possible to enable it for everyone.

Enable FIDO2 security key method

From the Azure Active Directory portal, click on Security, then on Authentication methods.

Configure Authentication method

Click on FIDO2 Security Key.

Configure Authentication method

Enable the method and select the Target. Configure the other parameters if needed and click on Save.

Configure Authentication method

Microsoft Authenticator passwordless sign-in must also be enabled. You can limit it to a user group or enable it for all users.

Enable passwordless

User registration of FIDO2 security keys

Open a browser and go to the following URL. Log in with the user account.

https://myprofile.microsoft.com

Click on Update Info under Security Info. If MFA is not yet configured, you need to configure MFA for the user first.

Update security information

Click on Add Method and select Security Key.

Add Fido2 Key
Configure Fido2 Key

A message appears saying that you need to sign in with two-factor authentication. Click on Next.

Configure Fido2 Key

Choose the type of security key. I chose USB device.

Choose type of security key

Insert the key into the computer and create a new PIN. Enter a name for the security key. Configuration is now finished.

Choose type of security key

Test authentication with FIDO2

In the browser, go to the following URL and click on Sign-in options.

https://myapps.microsoft.com
Connect to Microsoft portal

Select Sign in with Windows Hello or a security key.

Choose authentication method

Select Security key.

Select authentication method

Insert the security key into the USB port and touch the key when prompted.

Insert USB Key

The user can now access the portal.
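Once the portal steps above are done, an administrator usually wants to verify the result without clicking through the blades again. The script below is an added example, not part of the original post: it reads the FIDO2 authentication method policy and one user's registered security keys through Microsoft Graph. It assumes the Microsoft.Graph PowerShell module is installed, that the signed-in admin can consent to the listed scopes, and that the UPN is a placeholder you replace.

```powershell
# Added example (not from the original post): audit the FIDO2 method policy
# and a user's registered keys via Microsoft Graph.
# Assumes the Microsoft.Graph PowerShell module and the two scopes below.
Connect-MgGraph -Scopes 'Policy.Read.All', 'UserAuthenticationMethod.Read.All'

# 1. Authentication method policy: is FIDO2 enabled, and who is targeted?
$fido2 = Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2'

"FIDO2 state             : $($fido2.state)"
"Self-service registration: $($fido2.isSelfServiceRegistrationAllowed)"
"Attestation enforced    : $($fido2.isAttestationEnforced)"
foreach ($t in $fido2.includeTargets) {
    # targetType is 'group'; id is the group's object id, or 'all_users'
    # when the method is enabled for everyone
    "Target                  : $($t.targetType) $($t.id)"
}

# 2. Security keys registered by one user (placeholder UPN, replace it)
$upn  = 'user@contoso.example'
$keys = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/users/$upn/authentication/fido2Methods"

if (-not $keys.value) {
    "No FIDO2 key registered for $upn"
}
foreach ($k in $keys.value) {
    # aaGuid identifies the authenticator model; attestationLevel tells
    # whether the key proved its make during registration
    "{0,-20} model={1} aaguid={2} attestation={3} registered={4}" -f `
        $k.displayName, $k.model, $k.aaGuid, $k.attestationLevel, $k.createdDateTime
}
```

If the policy shows `state: disabled` or the target list lacks the group you chose, the portal change did not save; if the user shows no key, the registration at myprofile.microsoft.com did not complete.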
