Azure AD – You can now use FIDO2 keys and Microsoft Authenticator App to authenticate against Azure AD

You can now enable password-less authentication to Azure AD, including Azure AD applications, with the Microsoft Authenticator app, FIDO2 keys or Windows Hello.

To start using the new password-less authentication methods, sign in to the Azure AD portal (https://aad.portal.azure.com/) or the Azure portal (https://portal.azure.com) and navigate to the Authentication methods blade.


From there you can enable the FIDO2 Security key and/or Microsoft Authenticator authentication methods for either all or selected users.

To enable an authentication method, select it and then enable it for either all or selected users.

When enabling a method you can also allow self-registration.

The Microsoft Authenticator method requires push notifications to be enabled in the tenant.
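The portal steps above result in a per-method policy (state, "All users" vs selected groups, self-registration). As an added example that is not part of the original post, the Python below audits a constructed policy document laid out in the shape of the Microsoft Graph authenticationMethodConfigurations collection (an assumption; the group id and method list are made up) and flags methods that are switched on but scoped to nobody.

```python
import json

# Constructed sample in the shape of the Microsoft Graph
# policies/authenticationMethodsPolicy/authenticationMethodConfigurations
# collection (assumed shape, not taken from the post). "all_users" is the
# pseudo group id Graph uses for the portal's "All users" target.
SAMPLE_POLICY = json.dumps({"value": [
    {"id": "Fido2", "state": "enabled", "isSelfServiceRegistrationEnabled": True,
     "includeTargets": [{"targetType": "group", "id": "all_users"}]},
    {"id": "MicrosoftAuthenticator", "state": "enabled",
     "includeTargets": [{"targetType": "group", "authenticationMode": "push",
                         "id": "11111111-2222-3333-4444-555555555555"}]},
    {"id": "SoftwareOath", "state": "enabled", "includeTargets": []},
    {"id": "Email", "state": "disabled", "includeTargets": []},
]})


def summarize_methods(policy_json: str) -> dict:
    """Map each method id to its state, scope and self-registration flag."""
    summary = {}
    for cfg in json.loads(policy_json)["value"]:
        targets = cfg.get("includeTargets", [])
        if any(t.get("id") == "all_users" for t in targets):
            scope = "all"          # portal: "All users"
        elif targets:
            scope = "selected"     # portal: "Select users" (group ids)
        else:
            scope = "none"         # nobody is in scope for this method
        summary[cfg["id"]] = {
            "enabled": cfg.get("state") == "enabled",
            "scope": scope,
            "targets": [t.get("id") for t in targets],
            # only some methods (e.g. Fido2) carry this property
            "self_registration": cfg.get("isSelfServiceRegistrationEnabled"),
        }
    return summary


def enabled_without_targets(policy_json: str) -> list:
    """Methods switched on but scoped to no one: enabled in name only."""
    return sorted(m for m, s in summarize_methods(policy_json).items()
                  if s["enabled"] and s["scope"] == "none")


if __name__ == "__main__":
    for method, info in summarize_methods(SAMPLE_POLICY).items():
        print(method, info)
    print("enabled but unscoped:", enabled_without_targets(SAMPLE_POLICY))
```

Point the same functions at the JSON returned by your tenant to confirm the portal changes landed as intended.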


Once enabled, your users can register their FIDO2 key and/or Microsoft Authenticator app from the self-service portal (https://mysignins.microsoft.com): open the Security info section, choose Add method, select Security Key and then the key type (USB or NFC).

NOTE: you need to use Microsoft Edge for the registration; at this stage Internet Explorer and Google Chrome are not supported.

During the registration you will be prompted to set a PIN and then name the key.

NOTE: do not use any spaces when naming the key.


The FIDO2 security key has now been added.


Your users can then change their default MFA method to the new method.


The next time they sign in to Windows and/or an Azure AD application, including Office 365, they will be authenticated using this password-less method.
