How to enable passkeys in your Microsoft 365 tenant
In the Microsoft Entra admin center, go to Protection > Authentication methods > Policies and select Passkey (FIDO2).
On the Enable and Target tab, toggle Enable on, then open the Configure tab.
Set the following options:
Enforce attestation — Yes
Enforce key restrictions — Yes
Restrict specific keys — Allow
Microsoft Authenticator — Checked
Then click Save at the bottom.
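The same policy can be set without the admin center, which is useful when you manage several tenants or want the change under source control. The script below is an added example (not from the original article) that applies the exact settings listed above through the Microsoft Graph REST API using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph.Authentication module is installed, that the signed-in admin can consent to the Policy.ReadWrite.AuthenticationMethod permission, and that the two Microsoft Authenticator AAGUIDs quoted in the next section are the only models you want to allow (append any others you own).

```powershell
# Added example: apply the Passkey (FIDO2) policy from this article via Microsoft Graph.
# Assumes Microsoft.Graph.Authentication is installed and you hold a role that can
# consent to Policy.ReadWrite.AuthenticationMethod (e.g. Authentication Policy Administrator).
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"

$fido2Uri = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2"

# AAGUIDs for Microsoft Authenticator, as published by Microsoft and quoted in this article.
# Add the AAGUIDs of any other models you allow (for example YubiKey models) to this list.
$allowedAaguids = @(
    "de1e552d-db1d-4423-a619-566b625cdc84",   # Authenticator for Android
    "90a3ccdf-635c-4729-a248-9b709135078f"    # Authenticator for iOS
)

# Mirrors the admin-center toggles one for one.
$policy = @{
    "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    state                            = "enabled"            # Enable
    isSelfServiceRegistrationEnabled = $true
    isAttestationEnforced            = $true                # Enforce attestation: Yes
    keyRestrictions                  = @{
        isEnforced      = $true                             # Enforce key restrictions: Yes
        enforcementType = "allow"                           # Restrict specific keys: Allow
        aaGuids         = $allowedAaguids                   # the checked models
    }
    includeTargets = @(
        @{ targetType = "group"; id = "all_users"; isRegistrationRequired = $false }
    )
}

Invoke-MgGraphRequest -Method PATCH -Uri $fido2Uri `
    -Body ($policy | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Read the policy back and verify the restrictions actually took effect before
# telling users to enrol; a typo in an AAGUID silently blocks every registration.
$applied = Invoke-MgGraphRequest -Method GET -Uri $fido2Uri
$applied.keyRestrictions.enforcementType
$applied.keyRestrictions.aaGuids

$missing = $allowedAaguids | Where-Object { $applied.keyRestrictions.aaGuids -notcontains $_ }
if ($missing) { Write-Warning "Not applied: $($missing -join ', ')" } else { "Policy verified." }
```

The read-back at the end is the check worth keeping: because the list is an allow list, any AAGUID that is mistyped or missing means that model of authenticator cannot register at all, and the user only sees a generic failure.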
What did we just do exactly? Let’s start with the AAGUID, or Authenticator Attestation Globally Unique Identifier: a 128-bit identifier that names the authenticator model, such as a specific make and model of hardware key or a particular authenticator app. Despite the name, the AAGUID is unique per model, not per device; every unit of the same model reports the same value, so it tells you what kind of authenticator registered, never which one. Note also that the AAGUID is asserted by the authenticator during registration; it is the attestation statement (enforced by the first toggle above) that proves the claim, which is why Enforce key restrictions is only a meaningful control when Enforce attestation is also set to Yes. When you checked the Microsoft Authenticator box, the AAGUIDs of the Authenticator app for Android and iOS were added to the allow list automatically:
Authenticator for Android:
de1e552d-db1d-4423-a619-566b625cdc84
Authenticator for iOS:
90a3ccdf-635c-4729-a248-9b709135078f
If you want to allow other types of security keys, such as a YubiKey, you’ll need to add each model’s AAGUID as well. Yubico publishes the list for all of its models: YubiKey hardware FIDO2 AAGUIDs | https://support.yubico.com/hc/en-us/articles/360016648959-YubiKey-hardware-FIDO2-AAGUIDs
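To make the AAGUID discussion concrete, here is an added example (not part of the original article) that shows where the value sits in the WebAuthn registration response and how an allow or block list is evaluated against it. During registration the authenticator returns an authenticator data byte string; when the attested-credential-data flag is set, the 16 bytes immediately after the signature counter are the AAGUID. The sample byte string below is constructed for this example (RP ID hash of login.microsoft.com, flags, a zero counter, the Authenticator for Android AAGUID and a dummy credential ID; the COSE public key that would follow is omitted because only the AAGUID is read).

```powershell
# Added example: extract the AAGUID from WebAuthn authenticator data and evaluate
# it against an Entra-style key restriction. Sample bytes are constructed, not captured.

function Get-AaguidFromAuthData {
    param([byte[]]$AuthData)
    # Layout: rpIdHash[32] | flags[1] | signCount[4] | attestedCredentialData (AAGUID[16] | credIdLen[2] | credId | COSE key)
    $flags = $AuthData[32]
    if (-not ($flags -band 0x40)) {
        throw "No attested credential data in authData (AT flag clear); this is not a registration response."
    }
    $aaguidBytes = $AuthData[37..52]
    # The AAGUID is a plain 16-byte string in RFC 4122 text order. Format it byte by byte;
    # [guid]::new([byte[]]) would byte-swap the first three fields and give the wrong value.
    $hex = -join ($aaguidBytes | ForEach-Object { $_.ToString("x2") })
    return "{0}-{1}-{2}-{3}-{4}" -f $hex.Substring(0, 8), $hex.Substring(8, 4),
                                    $hex.Substring(12, 4), $hex.Substring(16, 4), $hex.Substring(20, 12)
}

function Test-AaguidPolicy {
    # Same semantics as the Restrict specific keys setting: "allow" admits only listed
    # models, "block" admits everything except listed models.
    param(
        [string]$Aaguid,
        [string[]]$List,
        [ValidateSet("allow", "block")][string]$EnforcementType
    )
    $listed = $List -contains $Aaguid.ToLowerInvariant()
    if ($EnforcementType -eq "allow") { return $listed } else { return -not $listed }
}

function ConvertFrom-Hex([string]$Hex) {
    [byte[]](0..($Hex.Length / 2 - 1) | ForEach-Object { [Convert]::ToByte($Hex.Substring($_ * 2, 2), 16) })
}

# --- constructed sample registration authData ---
$sha256   = [System.Security.Cryptography.SHA256]::Create()
$rpIdHash = $sha256.ComputeHash([System.Text.Encoding]::ASCII.GetBytes("login.microsoft.com"))
$flags    = 0x45                                   # UP (0x01) | UV (0x04) | AT (0x40)
$count    = @(0, 0, 0, 0)                          # signature counter, big-endian
$aaguid   = ConvertFrom-Hex "de1e552ddb1d4423a619566b625cdc84"   # Authenticator for Android
$credId   = [byte[]](1..16)                        # dummy credential ID
$authData = [byte[]]($rpIdHash + $flags + $count + $aaguid + @(0, 16) + $credId)

$reported = Get-AaguidFromAuthData $authData
$allowed  = @(
    "de1e552d-db1d-4423-a619-566b625cdc84",   # Authenticator for Android
    "90a3ccdf-635c-4729-a248-9b709135078f"    # Authenticator for iOS
)

"AAGUID in authData : $reported"
"Allow-list decision: $(Test-AaguidPolicy -Aaguid $reported -List $allowed -EnforcementType allow)"
"Block-list decision: $(Test-AaguidPolicy -Aaguid $reported -List $allowed -EnforcementType block)"
```

Nothing in that parser verifies who produced the bytes; a software authenticator can emit any AAGUID it likes. The value only becomes trustworthy once the attestation statement that accompanies it is validated against the vendor's attestation certificate chain (or the FIDO metadata), which is exactly the work the Enforce attestation toggle turns on.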
Passkey Creation
Now, in the Authenticator app on your phone, tap your account and choose Create a passkey. Sign in when prompted and approve the MFA challenge to finish registering the passkey. You can confirm the registration in the Entra admin center under the user’s Authentication methods.
Reference
Enable passkeys in Authenticator | https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-enable-authenticator-passkey