Passwordless Sign In with a FIDO2-enabled security key such as a YubiKey in conjunction with Azure AD provides high security while maintaining ease of use. There is no longer any need to enter a username and password.
For users with private mobile devices who do not want to install the Microsoft Authenticator app, a security key from YubiKey offers a good alternative.
This tutorial sets up a YubiKey 5 security key for passwordless sign in to Microsoft Azure and Microsoft 365 services.
Requirements and licensing
No paid license in Microsoft Azure is required to use a FIDO2-enabled security key. The “Azure AD Free” license in Azure Active Directory is sufficient.
Users must setup Azure multi-factor authentication. User guide: Enabling multi-factor authentication – cloudcoffee.ch explains the necessary procedure.
A YubiKey security key with FIDO2 support from Yubico.
To find the right YubiKey for you, the Yubico website will help you: Which YubiKey is right for you | Quiz | Yubico
Enable login with FIDO2 security key
Passwordless sign in is configured in the Azure Portal (https://portal.azure.com).
Enable combined registration of security information
To use security keys, the combined registration must be enabled in Azure AD.
Select “Azure Active Directory” > “User settings” > “Manage user feature settings”
Set “Users can use the combined security information registration experience” to “All”
Enable Authentication method FIDO2 security key
FIDO2 security key authentications are enabled in the “Authentication methods” menu of Azure AD.
Select “Azure Active Directory” > “Security”
Select “Authentication methods”
Select “FIDO2 security key”
Switch on the “Enable” Toggle and select “All users” in the register “Enable and Target”
The following options can be set in the “Configure” tab:
Allow self-service setup
The option must be enabled for users to activate the YubiKey 5 security keys.
Enforce attestation
This option must be enabled and verifies that the FIDO2 security key identifies itself to Azure AD during registration. Among other things, this checks whether the security key actually corresponds to the specified model and supports the corresponding features.
Enforce key restrictions
With this option you can control which security keys may be used and which not. There is a possibility of an Allow or Block list. AAGUIDS (Authenticator Attestation Global Unique Identifier) are used for this function. The values for YubiKey are summarized here: https://support.yubico.com/hc/en-us/articles/360016648959-YubiKey-Hardware-FIDO2-AAGUIDs
Users can now register and use FIDO2-enabled security keys.
Setup YubiKey for Passwordless Sign In
Users sets up their personal YubiKey independently.
To do this, the user sign in at https://myprofile.microsoft.com.
Select “Security info”
Start registration for the YubiKey security key by clicking “Add login method”.
Select “Security key” method.
The “Security key” option is not visible in Azure Active Directory until about 15 minutes after initial activation.
In order for the YubiKey security key to be setup, the user must sign in with multi-factor authentication.
Choose the type of connection method for the security key (USB or NFC).
Connect YubiKey security key to the device and click “Next”.
The security key will now be connected.
The connected security key is setup for the currently signed in user.
To continue setting up the YubiKey security key, simply touch it.
Set a PIN for the security key.
Touch the security key again.
Finally, assign a meaningful name for the YubiKey security key.
The YubiKey FIDO2 security key is now successfully setup and can be used for sign in.
The security key is displayed as active for sign in.
Passwordless Sign In with YubiKey 5 Security Key
In the sign in window for Microsoft Azure, Microsoft 365 or Enterprise applications with Azure AD authentication, select “Sign-in options”.
Select “Sign in with a security key” and connect the security key to device.
(Optional) If multiple modern authentication methods are active on the device, a prompt will appear. Select the “Security key”.
Touch the security key and enter PIN, after PIN entry touch security key again.
(Optional) If multiple identities exist for the security key, select the desired identity.
The sign in with the YubiKey security key is successfully performed.
Follow me on LinkedIn and get informed about my latest posts.