Passwordless Sign In with a FIDO2-enabled security key such as a YubiKey in conjunction with Azure AD provides high security while maintaining ease of use. There is no longer any need to enter a username and password.

For users with private mobile devices who do not want to install the Microsoft Authenticator app, a security key from YubiKey offers a good alternative.

This tutorial sets up a YubiKey 5 security key for passwordless sign in to Microsoft Azure and Microsoft 365 services.

Requirements and licensing

No paid license in Microsoft Azure is required to use a FIDO2-enabled security key. The “Azure AD Free” license in Azure Active Directory is sufficient.

Users must set up Azure multi-factor authentication. The user guide “Enabling multi-factor authentication” explains the necessary procedure.

A YubiKey security key with FIDO2 support from Yubico is required.
The Yubico website helps you find the right model: Which YubiKey is right for you | Quiz | Yubico

Enable login with FIDO2 security key

Passwordless sign in is configured in the Azure Portal (

Enable combined registration of security information

To use security keys, the combined registration must be enabled in Azure AD.

Select “Azure Active Directory” > “User settings” > “Manage user feature settings”

Set “Users can use the combined security information registration experience” to “All”

Enable Authentication method FIDO2 security key

FIDO2 security key authentications are enabled in the “Authentication methods” menu of Azure AD.

Select “Azure Active Directory” > “Security”

Select “Authentication methods”

Select “FIDO2 security key”

Switch on the “Enable” toggle and select “All users” in the “Enable and Target” tab

The following options can be set in the “Configure” tab:

Allow self-service setup
This option must be enabled so that users can register their YubiKey 5 security keys themselves.

Enforce attestation
This option must be enabled. It verifies the attestation with which the FIDO2 security key identifies itself to Azure AD during registration. Among other things, this checks whether the security key really is the model it claims to be and supports the corresponding features.

Enforce key restrictions
With this option you control which security keys may be used and which may not, by means of an allow list or a block list. The lists are based on AAGUIDs (Authenticator Attestation Globally Unique Identifiers). The values for YubiKey are summarized here:

Users can now register and use FIDO2-enabled security keys.
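The same FIDO2 policy can also be set through Microsoft Graph instead of clicking through the portal. The following PowerShell is an added example and not part of the original post; it assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in admin can consent to the Policy.ReadWrite.AuthenticationMethod permission, and that the AAGUID below is a placeholder you replace with the value Yubico publishes for your YubiKey model.

```powershell
# Added example: configure the "FIDO2 security key" authentication method
# via Microsoft Graph, mirroring the portal settings described above.
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod'

# Placeholder AAGUID(s) for the allow list. Replace with the AAGUIDs of the
# YubiKey models you hand out (see Yubico's published list).
$allowedAaguids = @(
    '00000000-0000-0000-0000-000000000000'   # PLACEHOLDER - not a real YubiKey AAGUID
)

# Sanity check before touching the tenant: a malformed AAGUID silently
# blocks every key when the allow list is enforced.
foreach ($id in $allowedAaguids) {
    if ($id -notmatch '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$') {
        throw "Not a valid AAGUID: $id"
    }
}

# An AAGUID is only trustworthy when the attestation statement is verified,
# so "Enforce attestation" stays on whenever key restrictions are used.
$body = @{
    '@odata.type'                    = '#microsoft.graph.fido2AuthenticationMethodConfiguration'
    state                            = 'enabled'   # "Enable" toggle
    isSelfServiceRegistrationEnabled = $true       # "Allow self-service setup"
    isAttestationEnforced            = $true       # "Enforce attestation"
    keyRestrictions                  = @{
        isEnforced      = $true                    # "Enforce key restrictions"
        enforcementType = 'allow'                  # allow list ('block' for a block list)
        aaGuids         = $allowedAaguids
    }
    includeTargets = @(
        # "All users" target as set in the "Enable and Target" tab
        @{ targetType = 'group'; id = 'all_users'; isRegistrationRequired = $false }
    )
}

$uri = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2'
Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body

# Read the policy back so the change can be reviewed (and logged) before
# telling users to register their keys.
$cfg = Invoke-MgGraphRequest -Method GET -Uri $uri
[pscustomobject]@{
    State              = $cfg.state
    SelfServiceSetup   = $cfg.isSelfServiceRegistrationEnabled
    AttestationEnforced = $cfg.isAttestationEnforced
    KeyRestrictions    = $cfg.keyRestrictions.isEnforced
    EnforcementType    = $cfg.keyRestrictions.enforcementType
    AllowedAaguids     = ($cfg.keyRestrictions.aaGuids -join ', ')
}
```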


Setup YubiKey for Passwordless Sign In

Each user sets up their personal YubiKey independently.
To do this, the user signs in at

Microsoft Sign In

Select “Security info”

Start registration for the YubiKey security key by clicking “Add login method”.

Select the “Security key” method.
The “Security key” option only becomes visible about 15 minutes after the method has been enabled in Azure Active Directory.


In order for the YubiKey security key to be set up, the user must sign in with multi-factor authentication.

Security Key Multi-Factor Authentication

Choose the type of connection method for the security key (USB or NFC).

Security key - choose type

Connect YubiKey security key to the device and click “Next”.

Security key - connect to device

The security key will now be connected.

Security key - finish setup

The connected security key is set up for the currently signed-in user.

Security key - setup
Security key - Continue setup

To continue setting up the YubiKey security key, simply touch it.

Security key - Touch your security key

Set a PIN for the security key.

Security key - create PIN

Touch the security key again.

Security key - Touch your security key

Finally, assign a meaningful name for the YubiKey security key.

Security key - Name your security key

The YubiKey FIDO2 security key is now set up and can be used for sign in.

Security key - setup successful

The security key is displayed as active for sign in.

Passwordless Sign In with YubiKey 5 Security Key

In the sign in window for Microsoft Azure, Microsoft 365 or Enterprise applications with Azure AD authentication, select “Sign-in options”.

Microsoft Sign In

Select “Sign in with a security key” and connect the security key to device.

options - sign in with a security key

(Optional) If several modern authentication methods are active on the device, a prompt appears. Select “Security key”.

Windows Hello - Security Key

Touch the security key and enter the PIN; after entering the PIN, touch the security key again.

Security key - Touch your security key
Security key - Enter PIN

(Optional) If multiple identities exist for the security key, select the desired identity.

Windows Security - Choose Account

The sign in with the YubiKey security key is now complete.
