Category: Azure/Entra

Let me tell you something about FIDO2 key authentication – Part 3

Welcome back to the final part of our FIDO2 blog series!

In Part 1, we walked through enabling FIDO2 key sign-in in Microsoft Entra and registering the key for a user. In Part 2, we looked at how to use the key for Windows Hello for Business using Intune. In this final post we’ll explore how to use the FIDO2 key to activate privileged roles, like Security Administrator, using Microsoft Entra’s Privileged Identity Management (PIM) and a bonus section!

This is where things really come together. Not only is your sign-in passwordless, but now your privileged role activation is phishing resistant and far more secure (and for IT Admins this might be the best part in the series 🫡).


Table of Contents

  1. Introduction
  2. Why FIDO2 as an MFA method?
  3. FIDO2 as an authentication method for PIM roles
  4. FIDO2 as authentication strength in Conditional Access
  5. Configure the PIM role with the Authentication Context
  6. How the PIM role works in practice
  7. Bonus section part 1: Set up Temporary Access Pass (TAP) for onboarding
  8. Bonus section part 2: Testing the new sign in experience on a mobile device
  9. Final thoughts

1. Introduction

These days, traditional MFA isn’t always enough, especially for high-privilege roles or emergency break glass accounts.

Starting on October 15, 2024, to further increase your security, Microsoft will require admins to use multifactor authentication (MFA) when signing into the Microsoft Azure portal, Microsoft Entra admin center, and Microsoft Intune admin center.

For those scenarios, using a FIDO2 hardware key adds an extra layer of security that’s phishing-resistant, tied to something physical and can be used by multiple people that have access to the key. Think of a key stored in a safe, only used when absolutely necessary, or required for sensitive role activation. In this blog, we’ll walk through how these keys can help make identity protection even stronger where it really counts.


2. Why FIDO2 as an MFA method?

FIDO2 keys are:
✅ Phishing-resistant
✅ User-friendly
✅ Supported across multiple platforms (also on mobile devices, see bonus section!)
✅ Capable of passwordless sign-in and acting as an MFA method

This is particularly useful when you need to satisfy MFA requirements without relying on personal phones or Authenticator apps. It’s a great alternative for IT admins, users in secure environments and external users who need temporary access to your environment, especially when you want to avoid the hassle of installing and configuring Microsoft Authenticator on their phone.


3. FIDO2 as an authentication method for PIM roles

To allow users to register and use FIDO2 keys, see my previous blog.
If you want to go completely passwordless and only allow a FIDO2 key as an authentication method for users or admins, we need to enable the Temporary Access Pass (TAP) first (see bonus section).


4. FIDO2 as authentication strength in Conditional Access

Now let’s start with configuring the FIDO2 key requirement for activating PIM roles.

To ensure that PIM role activation requires the use of a FIDO2 key, we need to create an Authentication Strength policy.

Here’s how:

  1. Go to Microsoft Entra → Protection → Conditional Access → Authentication strengths
  2. Click + New authentication strength
  3. Name it something like: FIDO2 Only - High Privilege
  4. Under Methods, select only FIDO2 Security Key (you could open Advanced options and restrict the allowed AAGUIDs to your own key model, but we will skip this step for now).
  5. Read the warning and click Create

Steps to configure the FIDO2 key requirement for PIM role activation (Security Administrator as the example).

1. Create a Conditional Access Policy for FIDO Key Enforcement

To enforce the use of FIDO keys during role activation, configure a Conditional Access Policy as follows:

  1. In the Entra Admin Center, go to Protection > Conditional Access.
  2. Click + New policy and name it (e.g., “Enforce FIDO2Key for Admin Activation”, or something that is clear to you).
  3. Create a new Authentication Context to use for the Conditional Access policy.
     Give the authentication context a name that is consistent with the authentication strength, so the relation between the two is obvious later on. Publish it to apps and click Save.
  4. Create the Conditional Access policy:
    1. Give the policy a name (mine is CA017 – Enforce FIDO2Key for Admin Activation).
    2. Assignments:
      • Users or workload identities: select the Security Administrator role (or other roles).
      • Target resources: choose All resources.
    3. Conditions (optional):
      • Add conditions such as specific (corporate) locations or compliant devices if required.
    4. Access controls:
      • Select Grant, then enable Require authentication strength.
      • Choose the FIDO2-Key-High Privilege-Roles authentication strength that we created earlier.
    5. Turn the policy on and click Create.



5. Configure the PIM role with the Authentication Context

  1. Navigate to Identity Governance > Privileged Identity Management.
  2. Under Manage, select Microsoft Entra roles and click Roles.
  3. Search for and select Security Administrator.

4. Configure PIM Settings for Role Activation

Select the Security Administrator role, then go to Settings and select Edit.

Now we need to configure the role settings.

  • On activation, require: select Microsoft Entra Conditional Access authentication context and pick the FIDO2 authentication context we created before.
  • Optional: shorten the Activation maximum duration and/or configure Require justification on activation (for auditing) and Require approval to activate (to apply the four-eyes principle).
  • Click Update when finished to save the new settings.

5. Add Assignments

To start using the role we need to assign it to an admin. Click Add assignments to add the role to an admin.

We now need to select either a user or a group that is eligible for this role.

The next step is selecting whether the role assignment has an end date or not. We will skip that step and click Assign to finish the assignment.

Now we can see that the user has been granted the PIM role of Security Administrator, and we have the option to update this assignment or remove it if needed.

The user will be notified by email that they have a new role that can be activated. The user can click View or activate role to activate the Security Administrator role.
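As an added example (not code from the original post), here is a Python audit that checks the three objects built in sections 4 and 5 against each other: the authentication strength must allow only fido2, the Conditional Access policy must be enabled, target the role and grant that strength, and the PIM activation rule must request the same authentication context the policy is scoped to. The JSON is a constructed sample shaped like the Microsoft Graph objects; it assumes the policy targets the authentication context, the Security Administrator role template id is an assumption to confirm in your tenant, and the other ids are placeholders.

```python
# Added example (not from the original post): an offline audit of the chain
# built in sections 4 and 5, fed with JSON as returned by Microsoft Graph.
# All objects below are constructed samples; the ids are placeholders.
SECURITY_ADMIN_ROLE_TEMPLATE = "194ae4cb-b126-40b2-bd5b-6091b380977d"  # assumed well-known id, confirm in your tenant

# constructed: /identity/conditionalAccess/authenticationStrength/policies/{id}
AUTH_STRENGTH = {
    "id": "strength-placeholder-id",
    "displayName": "FIDO2 Only - High Privilege",
    "allowedCombinations": ["fido2"],
}
# constructed: /identity/conditionalAccess/policies/{id}
CA_POLICY = {
    "displayName": "CA017 - Enforce FIDO2Key for Admin Activation",
    "state": "enabled",
    "conditions": {
        "users": {"includeRoles": [SECURITY_ADMIN_ROLE_TEMPLATE]},
        "applications": {"includeAuthenticationContextClassReferences": ["c1"]},
    },
    "grantControls": {"operator": "OR",
                      "authenticationStrength": {"id": "strength-placeholder-id"}},
}
# constructed: AuthenticationContext_EndUser_Assignment rule of the PIM role
# management policy for Security Administrator
PIM_RULE = {"id": "AuthenticationContext_EndUser_Assignment",
            "isEnabled": True, "claimValue": "c1"}


def audit_pim_fido2_chain(strength, ca_policy, pim_rule,
                          role_id=SECURITY_ADMIN_ROLE_TEMPLATE):
    """Return findings; an empty list means activation is FIDO2-gated end to end."""
    findings = []
    # Weak link 1: any extra combination lets a weaker method satisfy the grant.
    if strength.get("allowedCombinations") != ["fido2"]:
        findings.append(f"strength allows {strength.get('allowedCombinations')}")
    # Weak link 2: report-only or disabled policies enforce nothing.
    if ca_policy.get("state") != "enabled":
        findings.append(f"CA policy state is {ca_policy.get('state')!r}, not enabled")
    cond = ca_policy.get("conditions", {})
    if role_id not in cond.get("users", {}).get("includeRoles", []):
        findings.append("CA policy does not target the role")
    contexts = cond.get("applications", {}).get(
        "includeAuthenticationContextClassReferences", [])
    grant = ca_policy.get("grantControls", {}).get("authenticationStrength", {})
    if grant.get("id") != strength.get("id"):
        findings.append("CA policy grant does not reference the FIDO2 strength")
    # Weak link 3: PIM must demand the same context the CA policy scopes on,
    # otherwise activation never triggers the policy at all.
    if not pim_rule.get("isEnabled") or pim_rule.get("claimValue") not in contexts:
        findings.append("PIM activation rule is off or uses a context the CA policy ignores")
    return findings
```

Feed it the real objects from Graph (or a PowerShell export) after each change and treat any non-empty result as a break in the chain.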


6. How the PIM role works in practice

  1. Role activation:
    When a user attempts to activate the Security Administrator role via PIM, they will be prompted to authenticate using a phishing-resistant MFA method, such as a FIDO2 key.
  2. Authentication with the FIDO2 key:
    The user inserts or taps their FIDO2 key and authenticates via a PIN or biometric option.
  3. Role assignment:
    Once authenticated, PIM grants the user the Security Administrator role, subject to any additional approval requirements.

If this is the first time the user uses the FIDO2 key, they will need to pair the key as we previously showed here. We already did that step, so this is what the admin sees:

The activation then finishes successfully, with the FIDO2 key requirement for the PIM activation satisfied.

Benefits of Requiring the FIDO2-Key for PIM Role Activation

  • Phishing-Resistant Security: FIDO2 keys eliminate the risk of credential phishing during privileged operations.
  • Granular Control: Conditional Access ensures that only users meeting specific criteria (e.g., FIDO2 key possession) can activate roles.
  • Audit and Compliance: Entra PIM maintains logs of role activations, providing traceability for compliance purposes.
  • User Convenience: Biometric or PIN-based authentication with FIDO keys provides a seamless user experience.

By combining PIM, Conditional Access, and FIDO2 keys, organizations can secure their most sensitive roles against unauthorized access while maintaining ease of use for administrators. Implementing this solution is a critical step toward a zero-trust security framework.


7. Bonus section part 1: Set up Temporary Access Pass (TAP) for onboarding

Why enable a Temporary Access Pass (TAP) first?

This step is crucial: you need MFA to register a FIDO2 key—but if the user doesn’t have any methods configured yet, you’ll be stuck.

To use a FIDO2 key, the user needs to satisfy MFA during the initial registration, and that’s where TAP comes in. It acts as a time-limited, strong authentication method that lets users onboard their FIDO2 key without needing a password or existing MFA. Think of it as a secure, one-time pass to get everything set up.

Here’s how to enable it:

  1. Go to Microsoft Entra → Protection → Authentication methods → Temporary Access Pass
  2. Enable the policy and assign it to the same user group as FIDO2
  3. Issue a Temporary Access Pass to the user. You can do this under the user profile → Authentication methods → Add Temporary Access Pass
  4. After creating the pass you will see the TAP details. Share them with the user.
  5. Log on using the TAP details


This pass will allow the user to sign in securely to register their key, without needing any other MFA method.


8. Bonus section part 2: Testing the new sign in experience on a mobile device

You thought the fun was over? Not even close. Let’s really put this FIDO2 key to the test with some mobile action.

Yes, the key isn’t just for desktop sign-ins—it can also be used to log into Microsoft services like Microsoft Teams right from your mobile device. Whether you’re using the mobile browser or the Microsoft Teams app the FIDO2 key can do it all!

And now for the part I couldn’t wait to show you—this key has NFC. Yes, near field communication, the same magical tech that lets you pay for coffee with your phone. And we all know: everything is better with Bluetooth… (and NFC,) right? 😄

So how does this work on an iPhone, for example?

  1. Open the Microsoft Teams login page.
  2. Enter your email and you will be prompted to use the FIDO2 key.
  3. Choose the security key option, hold the key against the NFC reader area of your phone and type in the PIN to log in.
  4. Boom, you’re in. No password. No codes. Just a tap-and-go experience (you can also use this method to satisfy MFA re-authentication if needed).

This works for other apps that support modern auth too, not just Teams. The important part is: as long as the app or site supports WebAuthn (which Microsoft services do), you’re good to go.

This little key is surprisingly versatile and kind of fun to use.


9. Final thoughts

We’ve now completed the trilogy (Don’t we all love good trilogies? The Dark Knight we’re looking at you 🦇🦇🦇).

So to sum it up:

✅ FIDO2 sign-in enabled
✅ Passwordless login via Windows Hello for Business
✅ Secure, phishing-resistant privileged access using FIDO2 + PIM

This is the kind of security posture that’s not only modern and compliant—but also convenient for your users and sustainable for IT.

Ready to ditch passwords for good? You’re already well on your way.

Stay tuned for more on securing your digital workplace—and as always….until next time on Ouss in the Cloud.

Let me tell you something about FIDO2 key authentication Part 1

In today’s blog, we’re kicking off our series on FIDO2 key authentication by exploring how to set up FIDO2 hardware key sign-in for Microsoft services. This secure, phishing-resistant multi-factor authentication (MFA) solution not only boosts security but also simplifies the login experience.


Table of Contents:

  1. Introduction
  2. Enable the FIDO2 Authentication method in Microsoft Entra
  3. Add the sign-in method for the user
  4. Test the FIDO2 key method using web logon
  5. Conclusion

1. Introduction

In this day and age protecting access to corporate resources is more crucial than ever. FIDO2 keys offer a simpler, more secure alternative to password-based authentication, eliminating the need for frequent password changes.

In this blog, we’ll guide you through setting up FIDO2 key authentication in Microsoft 365 and show how users can securely access their data.

Because let’s be honest, who hates changing their passwords every month? I know I do!
With a FIDO2 key, we can finally move to a passwordless future and ditch the hassle of remembering and updating passwords.

2. Enable the FIDO2 Authentication method in Microsoft Entra

Prerequisites:

  • At least the Authentication Policy Administrator role
  • A Microsoft-certified security key (we use a FIDO2 NFC YubiKey)
  • Entra joined computers (for Windows Hello for Business)


First things first, before users can take advantage of FIDO2 key authentication you need to enable it as a supported sign-in method in Microsoft Entra.
Follow these steps to get started:

Steps to Enable FIDO2 Key Authentication in Microsoft Entra

  1. Open a browser and go to the Microsoft Entra Admin Center.
  2. Login with an admin account that has at least the Authentication Policy Administrator role.
  3. In the search bar, type in “auth methods”
  4. Select the “auth methods” service

Configure the passkey method

In the list of authentication methods, locate “Passkey (FIDO2)”.

As you can see, the method isn’t enabled yet and needs to be configured. Click on it to start the process.

I recommend starting with a test user group. Once you're confident everything is set up correctly, you can either keep the current group, switch to another group or enable this method for all users.

Now we need to configure the policy, follow:

  1. Enable the policy: toggle the policy to Enabled.
  2. Select the target: choose whether to apply the policy to all users or specific groups.
  3. Add groups (if applicable): if you selected the group option, click Add groups, choose your desired groups, and click Configure.

These are the settings I used for this scenario. If this is your first time setting up FIDO2 keys, I wouldn’t recommend enabling key restrictions just yet. There are tools available to identify the AAGUID on your FIDO2 keys, but let’s keep things simple for now.

Once you’ve configured the settings to your liking, click Save to enable the FIDO2 key authentication method.

As you can see, the policy is now enabled. This means you can now add this authentication method to a user, allowing them to start using the security key for authentication/passwordless sign-ins.

It can take between 5-45 minutes before the method is available to use. If it doesn't work right away don't panic, it will eventually be available to you. 


3. Add the sign-in method for the user

After enabling the FIDO2 authentication method and configuring the security key as a sign-in option for Windows Hello for Business (which we’ll cover in a future blog), the next step is to assign this method to a user who is a member of the FIDO2 Token Group we specified earlier.

Here are the steps to add the sign-in method to a user:

  1. Go to the My Sign-Ins Portal and add sign-in method
    • Navigate to My Sign-Ins.
    • Sign in with your Microsoft account.
    • Once signed in, click on “Add method” at the top of the page.
  2. Select Security Key as the Method
    • From the dropdown menu, select “Security key”.

3. Choose the Key Type

  • Select the type of security key you are using:
    • USB Device: For keys that connect via USB.
    • NFC Device: For keys that connect wirelessly using NFC.
  • Our key has both capabilities but we will choose USB device for now.

4. You’ll be prompted to insert the key into the USB port. Once the key is inserted, click Next to begin the pairing process.

You will now be redirected to a new page to set up the passkey.

5. Next, choose where you want to save the key. Select Security key and click Next.

6. You’ll see a couple of confirmation screens from Windows Security. Click OK twice to continue.

7. If you have a new key (and I assume you do), you’ll need to create a PIN for it. Enter a new pin code twice and click OK.

8. This is where the key truly excels. You’ll be prompted to touch the security key. The Y indicator on the key lights up green, signalling that you need to touch it. This adds an extra layer of security: only someone with physical access to the key can complete this step, so a remote attacker cannot.


We’re all set! You’ll be asked to give your FIDO2 key a name and to save it.

The authentication method has been successfully added and can now be used across all Microsoft services.

Your preferred authentication method has also been updated to FIDO2, as it offers a more secure option than the Microsoft Authenticator.

4. Test the FIDO2 key method using web logon

Below are the steps to test the FIDO2 key sign-in method on the Microsoft portal.

  1. Go to a Microsoft Portal page
  2. Select Sign-in options
  3. Select the Security key option
  4. Select Different Passkey if the system detects a previously saved key, such as a Windows Hello for Business key.
  5. Select the security key option
  6. If you’re prompted with other options instead of the key, select Use another device and choose Security key, then click Next.
  7. Enter your security key PIN and touch the key to continue.

You’ve now successfully completed your first passwordless sign-in!

5. Conclusion

In conclusion, FIDO2 hardware key sign-in provides a secure, phishing-resistant authentication method while offering a passwordless login option. It enhances security and improves user experience by eliminating the need for complex passwords. Microsoft now recommends against password expiration, as users often forget them or write them down, which can undermine security.
This marks a shift from past practices, where expired passwords were seen as more secure and you even got extra security score points for it!

In the upcoming parts of this blog series, we’ll dive into configuring Windows Hello for Business to use FIDO2 keys, including how to sign in with this method on mobile devices. Additionally, we’ll explore how to use the FIDO2 key for secure Privileged Identity Management (PIM) role activation. Since this topic is quite detailed and long, we’ve divided it into a three-part series to provide a thorough understanding of each aspect. Stay tuned for parts two and three!