cloudcoffee.ch

Freshly brewed with Microsoft Azure and Microsoft 365

Microsoft 365,  Microsoft Azure

Passwordless Sign In with Microsoft Entra ID (Azure AD) and YubiKey (FIDO2)

17. December 2022

Last Updated on 18. January 2025

Passwordless Sign In with a FIDO2-enabled security key such as a YubiKey in conjunction with Microsoft Entra ID (Azure AD) provides high security while maintaining ease of use. There is no longer any need to enter a username and password.

For users with private mobile devices who do not want to install the Microsoft Authenticator app, a security key from YubiKey offers a good alternative.

This tutorial sets up a YubiKey 5 security key for passwordless sign in to Microsoft Azure and Microsoft 365 services.

Table of contents
1 Prerequisites and Licensing
1.1 Licenses
1.2 Microsoft Entra multi-factor authentication (MFA)
1.3 YubiKey FIDO2 Security Key
2 Enable Authentication method FIDO2 security key
3 Setup YubiKey for Passwordless Sign In
4 Passwordless Sign In with YubiKey 5 Security Key

Prerequisites and Licensing

Licenses

No paid license in Microsoft Azure is required to use a FIDO2-enabled security key. The Microsoft Entra ID Free (Azure AD Free) license in Azure Active Directory is sufficient.

Microsoft Entra multi-factor authentication (MFA)

Users must set up Azure multi-factor authentication. The user guide "Enabling multi-factor authentication – cloudcoffee.ch" explains the necessary procedure.

YubiKey FIDO2 Security Key

A YubiKey security key with FIDO2 support from Yubico is required.
The Yubico website helps you find the right YubiKey:
Which YubiKey is right for you | Quiz | Yubico

Order the YubiKey security key directly from Yubico:
Buy YubiKeys at Yubico.com | Shop hardware authentication security keys

Of course, FIDO2 security keys from other brands work too.

Enable Authentication method FIDO2 security key

The FIDO2 authentication method is enabled in the Azure Portal (https://portal.azure.com).

FIDO2 security key authentication is enabled in the Authentication methods menu of Microsoft Entra ID.

Select Microsoft Entra ID > Security

Microsoft Entra ID - Security

Select Authentication methods

Microsoft Entra ID - Authentication methods

Select FIDO2 security key

Microsoft Entra ID - FIDO2 security key

Switch on the Enable toggle and select All users on the Enable and Target tab.

Microsoft Entra ID - FIDO2 enable and target

The following options can be set in the Configure tab:

Allow self-service setup
The option must be enabled for users to activate the YubiKey 5 security keys.

Enforce attestation
This option must be enabled. It verifies that the FIDO2 security key identifies itself to Microsoft Entra ID (Azure AD) during registration. Among other things, this checks whether the security key actually corresponds to the specified model and supports the corresponding features.

Enforce key restrictions
This option controls which security keys may be used and which may not, by means of an Allow or Block list. The function uses AAGUIDs (Authenticator Attestation Global Unique Identifiers). An overview of the common AAGUIDs is provided by Clayton Tyger with the Entra Compatible Attestation FIDO Key Explorer.

Microsoft Entra ID - FIDO2 configure

Click Save. Users can now register and use FIDO2-enabled security keys.

Microsoft Entra ID - FIDO2 enabled
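The Configure-tab options described above can be checked offline against an exported policy. The following is an added example, not code from the original post or from Microsoft: it audits a policy for the settings this tutorial selects, reads the AAGUID from WebAuthn authenticator data, and models the Allow/Block list decision. The policy dictionary uses the property names of the Microsoft Graph fido2AuthenticationMethodConfiguration resource; the AAGUID values and the authenticator data are constructed placeholders, and the helper names are hypothetical.

```python
import uuid

# Constructed sample shaped like the Microsoft Graph
# fido2AuthenticationMethodConfiguration resource; AAGUIDs are placeholders.
SAMPLE_POLICY = {
    "state": "enabled",
    "isSelfServiceRegistrationAllowed": True,
    "isAttestationEnforced": False,
    "keyRestrictions": {"isEnforced": True, "enforcementType": "allow",
                        "aaGuids": ["00000000-0000-0000-0000-0000000000a1"]},
}
AT_FLAG = 0x40  # flags bit: attested credential data is present


def aaguid_from_authdata(auth_data: bytes) -> str:
    """Return the AAGUID carried in registration authenticator data."""
    # Layout: rpIdHash (32) | flags (1) | signCount (4) | AAGUID (16) | ...
    if len(auth_data) < 53:
        raise ValueError("authenticator data too short to hold an AAGUID")
    if not auth_data[32] & AT_FLAG:
        raise ValueError("no attested credential data (AT flag not set)")
    return str(uuid.UUID(bytes=auth_data[37:53]))


def key_allowed(policy: dict, aaguid: str) -> bool:
    """Model of the Allow/Block list under 'Enforce key restrictions'."""
    kr = policy.get("keyRestrictions") or {}
    if not kr.get("isEnforced"):
        return True  # restrictions switched off: any key model passes
    listed = aaguid.lower() in {g.lower() for g in kr.get("aaGuids", [])}
    return listed if kr.get("enforcementType") == "allow" else not listed


def audit(policy: dict) -> list:
    """List deviations from the settings this tutorial selects."""
    checks = [
        (policy.get("state") == "enabled", "FIDO2 method is not enabled"),
        (policy.get("isSelfServiceRegistrationAllowed"), "self-service setup is off"),
        (policy.get("isAttestationEnforced"), "attestation is not enforced"),
    ]
    return [msg for ok, msg in checks if not ok]


def sample_authdata(aaguid: str) -> bytes:
    """Constructed authData: zeroed hash and counter, empty credential ID."""
    return bytes(32) + bytes([0x41]) + bytes(4) + uuid.UUID(aaguid).bytes + bytes(2)
```
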

Setup YubiKey for Passwordless Sign In

Users set up their personal YubiKey independently.
To do this, the user signs in at https://myprofile.microsoft.com.

Microsoft Sign In

Select Security info

Microsoft MyProfile - Dashboard

Start registration for the YubiKey security key by clicking Add sign-in method.

Microsoft MyProfile - Security info add sign-in method

Select method Security key.
The Security key option is not visible in Microsoft Entra ID until about 15 minutes after initial activation.

Sign-in methods

In order for the YubiKey security key to be set up, the user must sign in with multi-factor authentication.

Security Key Multi-Factor Authentication

Choose the type of connection method for the security key (USB or NFC).

Security key - choose type

Connect YubiKey security key to the device and click Next.

Security key - connect to device

The security key will now be connected.

Security key - finish setup

The connected security key is set up for the currently signed-in user.

Security key - setup
Security key - Continue setup

To continue setting up the YubiKey security key, simply touch it.

Security key - Touch your security key

Set a PIN for the security key.

Security key - create PIN

Touch the security key again.

Security key - Touch your security key

Finally, assign a meaningful name for the YubiKey security key.

Security key - Name your security key

The YubiKey FIDO2 security key is now successfully set up and can be used for sign in.

Security key - setup successful

The security key is displayed as active for sign in.

Security info - show enabled devices

Passwordless Sign In with YubiKey 5 Security Key

In the sign in window for Microsoft Azure, Microsoft 365 or Enterprise applications with Microsoft Entra ID authentication, select Sign-in options.

Microsoft Sign In

Select Sign in with a security key and connect the security key to the device.

Sign-in options - sign in with a security key

(Optional) If multiple modern authentication methods are active on the device, a prompt will appear. Select the Security key.

Windows Hello - Security Key

Touch the security key and enter the PIN. After entering the PIN, touch the security key again.

Security key - Touch your security key
Security key - Enter PIN

(Optional) If multiple identities exist for the security key, select the desired identity.

Windows Security - Choose Account

The sign-in with the YubiKey security key is completed successfully.

Login with security key successful

Barista

My name is Oliver Müller and I have been working with passion and dedication in the IT industry since 1998. The diversity of Microsoft products has fascinated me from the beginning and motivated me to expand my knowledge in this area. As a Microsoft Azure Solutions Architect Expert, Microsoft MVP and MCT, my focus is primarily on the areas of Infrastructure-as-a-Service (IaaS) and Identity and Access Management (IAM).

Regardless of the complexity of the challenges that present themselves to me, I always find the optimal solutions. I often find inspiration over a cup of coffee. My solutions are not only effective but also innovative and future-oriented.
