Passwordless Sign In with a FIDO2-enabled security key such as a YubiKey in conjunction with Microsoft Entra ID (Azure AD) provides high security while maintaining ease of use. There is no longer any need to enter a username and password.

For users with private mobile devices who do not want to install the Microsoft Authenticator app, a security key from YubiKey offers a good alternative.

This tutorial sets up a YubiKey 5 security key for passwordless sign in to Microsoft Azure and Microsoft 365 services.

Prerequisites and Licensing

Licenses

No paid license in Microsoft Azure is required to use a FIDO2-enabled security key. The Microsoft Entra ID Free (Azure AD Free) license in Azure Active Directory is sufficient.

Microsoft Entra multi-factor authentication (MFA)

Users must setup Azure multi-factor authentication. User guide: Enabling multi-factor authentication – cloudcoffee.ch explains the necessary procedure.

YubiKey FIDO2 Security Key

A YubiKey security key with FIDO2 support from Yubico.
To find the right YubiKey for you, the Yubico website will help you:
Which YubiKey is right for you | Quiz | Yubico

Order the YubiKey security key directly from Yubico:
Buy YubiKeys at Yubico.com | Shop hardware authentication security keys

Enable Authentication method FIDO2 security key

Authentication method FIDO2 will be enabled in the Azure Portal (https://portal.azure.com).

FIDO2 security key authentications are enabled in the Authentication methods menu of Microsoft Entra ID.

Select Microsoft Entra ID > Security

Select Authentication methods

Select FIDO2 security key

Switch on the Enable Toggle and select All users in the register Enable and Target

The following options can be set in the Configure tab:

Allow self-service setup
The option must be enabled for users to activate the YubiKey 5 security keys.

Enforce attestation
This option must be enabled and verifies that the FIDO2 security key identifies itself to Microsoft Entra ID (Azure AD) during registration. Among other things, this checks whether the security key actually corresponds to the specified model and supports the corresponding features.

Enforce key restrictions
With this option you can control which security keys may be used and which not. There is a possibility of an Allow or Block list. AAGUIDS (Authenticator Attestation Global Unique Identifier) are used for this function. The values for YubiKey are summarized here: https://support.yubico.com/hc/en-us/articles/360016648959-YubiKey-Hardware-FIDO2-AAGUIDs

Click on Save and Users can now register and use FIDO2-enabled security keys.

Setup YubiKey for Passwordless Sign In

Users sets up their personal YubiKey independently.
To do this, the user sign in at https://myprofile.microsoft.com.

Microsoft Sign In

Select Security info

Start registration for the YubiKey security key by clicking Add sign-in method.

Select method Security key.
The Security key option is not visible in Microsoft Entra ID until about 15 minutes after initial activation.

Sign-in methods

In order for the YubiKey security key to be setup, the user must sign in with multi-factor authentication.

Security Key Multi-Factor Authentication

Choose the type of connection method for the security key (USB or NFC).

Security key - choose type

Connect YubiKey security key to the device and click Next.

Security key - connect to device

The security key will now be connected.

Security key - finish setup

The connected security key is setup for the currently signed in user.

Security key - setup
Security key - Continue setup

To continue setting up the YubiKey security key, simply touch it.

Security key - Touch your security key

Set a PIN for the security key.

Security key - create PIN

Touch the security key again.

Security key - Touch your security key

Finally, assign a meaningful name for the YubiKey security key.

Security key - Name your security key

The YubiKey FIDO2 security key is now successfully setup and can be used for sign in.

Security key - setup successful

The security key is displayed as active for sign in.

Passwordless Sign In with YubiKey 5 Security Key

In the sign in window for Microsoft Azure, Microsoft 365 or Enterprise applications with Microsoft Entra ID authentication, select Sign-in options.

Microsoft Sign In

Select Sign in with a security key and connect the security key to device.

Sign-in options - sign in with a security key

(Optional) If multiple modern authentication methods are active on the device, a prompt will appear. Select the Security key.

Windows Hello - Security Key

Touch the security key and enter PIN, after PIN entry touch security key again.

Security key - Touch your security key
Security key - Enter PIN

(Optional) If multiple identities exist for the security key, select the desired identity.

Windows Security - Choose Account

The sign in with the YubiKey security key is successfully performed.


Follow me on LinkedIn to always stay updated on my recent posts.

Follow on LinkedIn

Was this post helpful to you? Show your enthusiasm with the delightful aroma of a freshly brewed coffee for me!

Buy me a coffee