
Enable passwordless authentication on Azure AD with FIDO2 key

  • June 9, 2022
IT and virtualization consultant specializing in Microsoft technologies such as Hyper-V, System Center, storage, networking, and MS Azure. He is a Microsoft MVP and MCSE in Server Infrastructure and Private Cloud.

Azure AD is an identity provider (IdP) for a large number of applications that work with authentication tokens such as SAML2, OpenID or OAuth. Because Azure AD can be used to manage authentication to many applications and data, it is important to secure users' identities. A password alone is not enough to secure an identity today. The current recommendation is Multi-Factor Authentication (MFA), which mainly means that users have to enter a password and then approve the authentication through a one-time password (OTP) or through Microsoft Authenticator (the smartphone app).

The other option is a passwordless method. For Azure AD we have two solutions for passwordless authentication:

  • Microsoft Authenticator: after the user enters his e-mail address, a number is displayed, and the user has to enter that number in Microsoft Authenticator
  • FIDO2 key: the user just has to plug in the key and select this authentication method. The prompt then asks for the password to unlock the FIDO2 key

Microsoft Authenticator

In this topic, I'd like to focus on passwordless with a FIDO2 key. To write this topic, I used a FIDO2 key from YubiKey.

Enable Passwordless in Azure AD

To enable passwordless with a FIDO2 security key, navigate to your Azure AD > Security > Policies. Then select FIDO2 Security Key.

Enable Passwordless in Azure AD

In Basics settings, set Enable to Yes. Then you can target all users or specific users or groups.

FIDO2 Security Key settings

In Configure, you have some advanced settings:

Allow self-service set up should remain set to Yes. If set to No, your users will not be able to register a FIDO key through the MySecurityInfo portal, even if it is enabled by the Authentication Methods policy.

Setting Enforce attestation to Yes requires the FIDO security key metadata to be published and verified with the FIDO Alliance Metadata Service, and the key must also pass Microsoft's additional set of validation testing. For more information, see What is a Microsoft-compatible security key?

Enforce key restrictions should be set to Yes only if your organization wants to allow or disallow only certain FIDO security keys, which are identified by their AAGUIDs. You can work with your security key provider to determine the AAGUIDs of their devices. If the key is already registered, the AAGUID can also be found by viewing the authentication method details of the key for that user.

Configure settings
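The three Configure settings above map onto the Microsoft Graph fido2AuthenticationMethodConfiguration resource. The following is an added example, not code from the article or from StarWind: it builds that policy body and evaluates a key's AAGUID against the key restriction the way the policy does at registration time. The Graph property names are assumed from the fido2AuthenticationMethodConfiguration resource, and the AAGUIDs used are constructed samples, not real vendor values.

```python
"""Build an Azure AD FIDO2 method policy and check a key's AAGUID against it."""
import json
import uuid

# Graph path the body is PATCHed to (scope Policy.ReadWrite.AuthenticationMethod).
GRAPH_FIDO2_POLICY = ("/policies/authenticationMethodsPolicy"
                      "/authenticationMethodConfigurations/Fido2")


def _normalise_aaguid(value: str) -> str:
    """Validate an AAGUID (a UUID) and return it in canonical lowercase form."""
    try:
        return str(uuid.UUID(value))
    except ValueError as exc:
        raise ValueError(f"invalid AAGUID: {value!r}") from exc


def build_fido2_policy(enabled=True, self_service=True, attestation=True,
                       restricted_aaguids=(), enforcement="allow"):
    """Return the fido2AuthenticationMethodConfiguration body (assumed names)."""
    if enforcement not in ("allow", "block"):
        raise ValueError("enforcement must be 'allow' or 'block'")
    aaguids = [_normalise_aaguid(a) for a in restricted_aaguids]
    return {
        "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
        "id": "Fido2",
        "state": "enabled" if enabled else "disabled",
        "isSelfServiceRegistrationEnabled": self_service,   # "Allow self-service set up"
        "isAttestationEnforced": attestation,               # "Enforce attestation"
        "keyRestrictions": {                                # "Enforce key restrictions"
            "isEnforced": bool(aaguids),
            "enforcementType": enforcement,                 # allow-list or block-list
            "aaGuids": aaguids,
        },
        # Target all users; replace "all_users" with a group object id to scope it.
        "includeTargets": [{"targetType": "group", "id": "all_users",
                            "isRegistrationRequired": False}],
    }


def key_allowed(policy: dict, aaguid: str) -> bool:
    """Decide whether a key with this AAGUID may be registered under the policy."""
    restr = policy["keyRestrictions"]
    if not restr["isEnforced"]:
        return True                      # no restriction: any FIDO2 key is accepted
    listed = _normalise_aaguid(aaguid) in restr["aaGuids"]
    return listed if restr["enforcementType"] == "allow" else not listed


if __name__ == "__main__":
    # Constructed sample AAGUID, not a real vendor's value.
    policy = build_fido2_policy(restricted_aaguids=["11111111-2222-3333-4444-555555555555"])
    print(json.dumps(policy, indent=2))
```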

Configure a FIDO2 security key with your account

Open your account settings, then navigate to your Security info.

Configure a FIDO2 security key with your account

Then click on Add method.

Add method

Select Security key as method to add.

Select Security key

Choose USB device or NFC device depending on your security key type.

Choose USB Device or NFC device

Now you should see the following window. When you click on Next, a new wizard opens and asks you to plug in your security key and to set a password to unlock it.

Click on Next

At the end of the wizard, specify a name for your security key.

Security key

Now your key should be configured and available as an authentication method.

Now your key should be configured

Security info

Authenticate with the FIDO2 security key

N.B.: I'm sorry for the French screenshots

Open an application that uses Azure AD as its identity provider. Then click on Sign-in options.

Authenticate with the FIDO2 security key

Next choose Connect with security key.

Connect with security key

Now enter the password you set during the security key configuration to unlock the security key.

Now specify the password to unlock the security key

You should now be authenticated to your application without entering any e-mail address or the associated password.
