Enable passkeys (FIDO2) for your organization

For enterprises that use passwords today, passkeys (FIDO2) provide a seamless way for workers to authenticate without entering a username or password. Passkeys (FIDO2) improve worker productivity and offer better security than passwords.

This article lists requirements and steps to enable passkeys in your organization. After you complete these steps, users in your organization can then register and sign in to their Microsoft Entra account using a passkey stored on a FIDO2 security key or in Microsoft Authenticator.

For more information about enabling passkeys in Microsoft Authenticator, see How to enable passkeys in Microsoft Authenticator.

For more information about passkey authentication, see Support for FIDO2 authentication with Microsoft Entra ID.

Note

Microsoft Entra ID currently supports device-bound passkeys stored on FIDO2 security keys and in Microsoft Authenticator. Microsoft is committed to securing customers and users with passkeys. We're investing in both synced and device-bound passkeys for work accounts.

Requirements

  • Users must complete multifactor authentication (MFA) within the past five minutes before they can register a passkey (FIDO2).
  • Users need a FIDO2 security key eligible for attestation with Microsoft Entra ID or Microsoft Authenticator.
  • Devices must support passkey (FIDO2) authentication. For Windows devices that are joined to Microsoft Entra ID, the best experience is on Windows 10 version 1903 or higher. Hybrid-joined devices must run Windows 10 version 2004 or higher.

Passkeys (FIDO2) are supported across major scenarios on Windows, macOS, Android, and iOS. For more information on supported scenarios, see Support for FIDO2 authentication in Microsoft Entra ID.

Note

Support for same-device registration in Edge on Android is coming soon.

Passkey (FIDO2) Authenticator Attestation GUID (AAGUID)

The FIDO2 specification requires each security key vendor to provide an Authenticator Attestation GUID (AAGUID) during registration. An AAGUID is a 128-bit identifier indicating the key type, such as the make and model. Passkey (FIDO2) providers on desktop and mobile devices are also expected to provide an AAGUID during registration.

Note

The vendor must ensure that the AAGUID is identical across all substantially identical security keys or passkey (FIDO2) providers made by that vendor, and different (with high probability) from the AAGUIDs of all other types of security keys or passkey (FIDO2) providers. To ensure this, the AAGUID for a given security key model or passkey (FIDO2) provider should be randomly generated. For more information, see Web Authentication: An API for accessing Public Key Credentials - Level 2 (w3.org).

You can work with your security key vendor to determine the AAGUID of the passkey (FIDO2), or see FIDO2 security keys eligible for attestation with Microsoft Entra ID. If the passkey (FIDO2) is already registered, you can find the AAGUID by viewing the authentication method details of the passkey (FIDO2) for the user.

Screenshot of how to view the AAGUID for a passkey.

Enable passkey (FIDO2) authentication method

  1. Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.

  2. Browse to Entra ID > Authentication methods > Policies.

  3. Under the method Passkey (FIDO2), set the toggle to Enable. Select All users or Add groups to select specific groups. Only security groups are supported.

  4. On the Configure tab:

    • Set Allow self-service set up to Yes. If set to No, users can't register a passkey by using Security info, even if passkeys (FIDO2) are enabled by the Authentication methods policy.

    • Set Enforce attestation to Yes if your organization wants to be assured that a FIDO2 security key model or passkey provider is genuine and comes from the legitimate vendor.

      Warning

      • If you set Enforce attestation to No, users can register any type of passkey. Set Enforce attestation to Yes to ensure that users can only register device-bound passkeys.

      • Attestation enforcement applies only at registration: it governs whether a passkey (FIDO2) can be registered, not whether it can be used. Users who registered a passkey (FIDO2) without attestation aren't blocked from sign-in if Enforce attestation is set to Yes later.

    Key Restriction Policy

    • Set Enforce key restrictions to Yes only if your organization wants to allow or block specific security key models or passkey providers, which are identified by their AAGUID. You can work with your security key vendor to determine the AAGUID of the passkey. If the passkey is already registered, you can find the AAGUID by viewing the authentication method details of the passkey for the user.

    Warning

    Key restrictions set the usability of specific models or providers for both registration and authentication. If you change key restrictions and remove an AAGUID that you previously allowed, users who previously registered an allowed method can no longer use it for sign-in.

    Screenshot showing Microsoft Authenticator enabled for passkey.

  5. After you finish the configuration, select Save.

    Note

    If you see an error when you try to save, replace multiple groups with a single group in one operation, and then click Save again.
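The AAGUID section above and the key restriction setting in step 4 describe the same check: the AAGUID is a 16-byte field inside the WebAuthn authenticator data returned at registration, and key restrictions compare it against an allow or block list. The following added example (not Microsoft's code, and not how Entra ID implements the policy internally) parses that field from constructed authenticator data and applies the allow/block decision, returning None for sign-in assertions, which carry no AAGUID at all. The sample AAGUIDs and RP ID are constructed and identify no real product or tenant.

```python
import hashlib
import struct
import uuid

# Flag bits of the authenticator data "flags" byte (WebAuthn Level 2, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data present (registration only, not sign-in)

# Constructed AAGUIDs for illustration only; they identify no real product.
SAMPLE_AAGUID_A = uuid.UUID("11111111-2222-4333-8444-555555555555")
SAMPLE_AAGUID_B = uuid.UUID("aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee")


def parse_aaguid(auth_data: bytes):
    """Return the AAGUID from WebAuthn authenticator data, or None if the AT flag
    is clear (sign-in assertions carry no attested credential data).
    Layout: rpIdHash (32) | flags (1) | signCount (4) |
            [AAGUID (16) | credentialIdLength (2) | credentialId | COSE key] | [ext]
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte fixed part")
    if not auth_data[32] & FLAG_AT:
        return None
    if len(auth_data) < 37 + 16 + 2:
        raise ValueError("attested credential data is truncated")
    return uuid.UUID(bytes=auth_data[37:53])


def key_restriction_allows(aaguid, listed_aaguids, enforcement="allow"):
    """Mirror the Enforce key restrictions decision at registration time:
    "allow" admits only listed AAGUIDs, "block" admits everything except them."""
    if aaguid is None:
        return False  # no attested credential data, so nothing to evaluate
    listed = aaguid in listed_aaguids
    if enforcement == "allow":
        return listed
    if enforcement == "block":
        return not listed
    raise ValueError(f"unknown enforcement type: {enforcement}")


def build_auth_data(aaguid, rp_id="example.com", attested=True):
    """Assemble constructed authenticator data for testing (not from a real device).
    The COSE public key is omitted; the parser stops at the credential ID."""
    flags = FLAG_UP | FLAG_UV | (FLAG_AT if attested else 0)
    head = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", 1)
    if not attested:
        return head
    cred_id = b"\x01\x02\x03\x04"
    return head + aaguid.bytes + struct.pack(">H", len(cred_id)) + cred_id
```

Because the AAGUID is only present in registration data, this also illustrates why changing key restrictions affects already-registered keys differently from attestation enforcement: the portal stores the AAGUID at registration and re-evaluates it at sign-in, whereas attestation is checked once.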

Delete a passkey (FIDO2)

To remove a passkey (FIDO2) associated with a user account, delete it from the user's authentication method.

  1. Sign in to the Microsoft Entra admin center and search for the user whose passkey (FIDO2) needs to be removed.
  2. Select Authentication methods > right-click Passkey (device-bound) and select Delete.

Known issues

Security key provisioning

Administrator provisioning of security keys is in preview. See Microsoft Graph and custom clients to provision FIDO2 security keys on behalf of users.

Guest users

Registration of passkey (FIDO2) credentials isn't supported for internal or external guest users, including B2B collaboration users in the resource tenant.

UPN changes

If a user's UPN changes, you can no longer modify passkeys (FIDO2) to account for the change. If the user has a passkey (FIDO2), they need to sign in to Security info, delete the old passkey (FIDO2), and add a new one.

Next steps

Native app and browser support of passkey (FIDO2) passwordless authentication

FIDO2 security key Windows 10 sign in

Enable FIDO2 authentication to on-premises resources

Register security keys on behalf of users

Learn more about device registration

Learn more about Microsoft Entra multifactor authentication