
Entra: Integrate Passkey registration with your Conditional Access Framework

Writer: Will Francillette
Entra passkey registration main image

In this blog we will explore how to register passkeys within a robust Conditional Access framework. The approach is primarily aimed at administrators, and in particular at organisations that use a separate account for privileged tasks. In this use case the admin account is not permitted to sign in from any mobile phone operating system and must use phishing-resistant MFA.


Let's get started!




The environment

For this lab we will use only two policies:

conditional access policies

1- Passkey test: enforcement

This policy enforces phishing-resistant MFA by using the built-in "Phishing-resistant MFA" authentication strength as the grant control.

detail of passkey test: enforcement

2- Passkey test: unsupported platforms

This policy blocks all sign-ins initiated from a device platform other than Windows. Keep in mind that the device platform condition is evaluated from the client's user agent, so this policy steers registration onto the corporate Windows device rather than acting as a hard security boundary; the phishing-resistant requirement in the first policy is what actually protects the account.

detail of passkey test: unsupported platforms

To keep this lab simple I kept the requirements minimal, but you could easily go further: require a compliant device for the "Register security information" user action, require Entra joined or hybrid joined devices, and so on.
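The two policies above, created through the Microsoft Graph PowerShell SDK rather than the portal, as an added example that is not the author's code. The group ID, the break-glass account ID and the scope names are assumptions for illustration; the authentication strength is looked up by its display name instead of being hard-coded, and both policies are created in report-only mode so you can check the sign-in logs before enforcing them.

```powershell
# Added example (not from the original post): create the two lab policies with Graph PowerShell.
# Requires the Microsoft.Graph.Identity.SignIns module.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$adminGroupId   = '11111111-1111-1111-1111-111111111111'   # assumption: group holding the separate admin accounts
$breakGlassId   = '22222222-2222-2222-2222-222222222222'   # assumption: emergency access account, always excluded

# Resolve the built-in "Phishing-resistant MFA" strength instead of trusting a remembered GUID
$strength = Get-MgPolicyAuthenticationStrengthPolicy -All |
    Where-Object { $_.DisplayName -eq 'Phishing-resistant MFA' }
if (-not $strength) { throw 'Built-in authentication strength "Phishing-resistant MFA" not found' }

$commonConditions = @{
    users          = @{ includeGroups = @($adminGroupId); excludeUsers = @($breakGlassId) }
    applications   = @{ includeApplications = @('All') }
    clientAppTypes = @('all')
}

# 1- Passkey test: enforcement
$enforcement = @{
    displayName   = 'Passkey test: enforcement'
    state         = 'enabledForReportingButNotEnforced'   # flip to 'enabled' once report-only results look right
    conditions    = $commonConditions
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $strength.Id }
    }
}

# 2- Passkey test: unsupported platforms (block everything that is not Windows)
$unsupportedPlatforms = @{
    displayName   = 'Passkey test: unsupported platforms'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = $commonConditions + @{
        platforms = @{
            includePlatforms = @('all')
            excludePlatforms = @('windows')
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

foreach ($body in @($enforcement, $unsupportedPlatforms)) {
    $policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
    '{0} -> {1} [{2}]' -f $policy.DisplayName, $policy.Id, $policy.State
}
```

Leaving the policies in report-only mode first matters here: a block on "all platforms except Windows" also catches sign-ins whose platform cannot be determined, and the enforcement policy locks out any targeted user who has no phishing-resistant method yet, which is exactly the situation the TAP flow below exists to handle.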

We will use the new cross-device (phone) approach, documented in the link listed in the references. It relies on Bluetooth advertising on both devices: the corporate laptop we use to register the passkey and the mobile phone with Authenticator installed to store it. You don't need to pair the phone with the laptop; Bluetooth only needs to be enabled on both devices. If you enforce restrictions on Bluetooth on your laptops, ensure the following are enabled:

detail of bluetooth requirement

Use case 1: New user - first sign-in


Firstly, we will consider a new user: Joni has just started at Contoso, has never signed in and has no MFA methods registered.

Joni initial auth method state

At her first sign-in she is told that more information is required.

sign in 1 - more info required

But as you can see below, she must complete MFA before she can register a passkey, and she has nothing to complete it with.

signin 2 - mfa required

To get her past this we issue a Temporary Access Pass (TAP) so that Joni can register her passkey.

sign in 3 - TAP

We provide Joni with the TAP and she starts the sign-in process again.

sign in 4 - enter TAP

She then selects Set up passkey using another device.

passkey registration 1 - use another device

Next she selects iPhone, iPad or Android device.

passkey registration 2 - mobile phone

She is then presented with a QR code:

passkey registration 3 - QR code

She opens Authenticator on her mobile phone (Android in this instance) and scans the QR code by pressing the icon at the bottom right-hand side.


passkey registration 4 - authenticator add

On Android (Samsung in my case) she is presented with a few screens:

passkey registration 5 - google ok

Make sure to choose Save another way, as Entra only supports Authenticator as the vault for this passkey.

passkey registration 6 - choose right vault

Choose Authenticator.

passkey registration 7 - choose authenticator vault

After ensuring Authenticator is selected, she presses Create.

passkey registration 8 - create passkey

She receives a notification on the laptop that the passkey has been created.

passkey registration 10 - passkey creation confirmation

The passkey is also visible in Authenticator.

passkey registration 11 - authenticator passkey

She gives the passkey a meaningful name.

passkey registration 12 - name passkey

And voila!

passkey registration 13 - success

If you see the following error message:

passkey registration 14 -error

No worries: go through the process again, but this time scan the QR code from within Authenticator by pressing the QR code icon in the passkey screen.

passkey registration 15 - authenticator rescan

Joni can now sign in with a passkey. She never had to sign in to Authenticator on her phone, and she used only her corporate laptop to register it.
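The administrator side of this flow, as an added example that is not part of the original post: issue the single-use TAP, and once the user has finished, confirm that a passkey (surfaced by Graph as a FIDO2 method) actually exists and clean up any TAP that is still valid. The UPN is an assumption; the TAP must also be enabled in the tenant's authentication methods policy for the first call to succeed.

```powershell
# Added example (not the author's code): TAP issuance and post-registration checks.
# Requires the Microsoft.Graph.Identity.SignIns module.
Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All'

$upn = 'joni@contoso.com'   # assumption: the new user's UPN

# 1. Issue a short-lived, single-use TAP. Single use means the TAP is spent by the
#    registration sign-in and cannot be replayed if it leaks afterwards.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $upn -BodyParameter @{
    lifetimeInMinutes = 60
    isUsableOnce      = $true
}
'TAP for {0}: {1} (valid {2} min, single use: {3})' -f $upn, $tap.TemporaryAccessPass, $tap.LifetimeInMinutes, $tap.IsUsableOnce
# Hand the value to the user out of band; Graph only returns it in this response.

# ... the user now completes the registration flow shown above ...

# 2. Verify a passkey was registered. Passkeys stored in Authenticator are FIDO2 methods.
$passkeys = Get-MgUserAuthenticationFido2Method -UserId $upn
if (-not $passkeys) { throw "No passkey registered for $upn" }
$passkeys | Select-Object DisplayName, Model, AaGuid, AttestationLevel, CreatedDateTime | Format-Table -AutoSize

# 3. Remove any TAP that is still present so the account is left with the passkey only.
Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $upn | ForEach-Object {
    Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $upn -TemporaryAccessPassAuthenticationMethodId $_.Id
    "Removed TAP $($_.Id)"
}
```

Step 3 is mostly hygiene when the TAP was single use, but it matters if you issued a multi-use TAP to work around a failed first attempt: a lingering multi-use TAP is itself a non-phishing-resistant credential on a privileged account.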


Use case 2: Existing user - adding a security info

In this case we look at Grady: he already has access to his security information page but wants to use a passkey instead and embark on the passwordless journey 😁🥷

Grady initial state
add sign-in method

He then selects Passkey in Microsoft Authenticator.

add passkey

Because Grady can't authenticate on his mobile phone (remember, we blocked every device platform other than Windows with Conditional Access), he needs to select Having trouble?

select having trouble

and then Create your passkey a different way.

select a different device

He selects his operating system.

select android

He then continues until he is presented with a QR code.

android step 1
android step 2

android QR code

From here the process is the same as shown in Use case 1.


Conclusion

In this blog, I wanted to demonstrate that you can register a passkey without enabling sign-in from Authenticator on unmanaged devices. Excluding Authenticator from Conditional Access is not an easy task; I actually wasn't able to do so, even using a security filter and registering the service principal for Microsoft Authenticator and tagging both Microsoft Authenticator and Microsoft Graph (investigating the sign-in logs shows that both apps are used in the process). If anyone has managed to do so, please let me know on LinkedIn 📖💡
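The sign-in log investigation mentioned above, as an added example that is not the author's code: pull the user's recent sign-ins from Graph and lay out, per request, which application and resource were involved, which Conditional Access policies fired with what result, and which authentication methods satisfied the request. The UPN and the two-hour window are assumptions.

```powershell
# Added example (not from the original post): review the registration session in the sign-in logs.
# Requires the Microsoft.Graph.Reports module.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

$upn   = 'joni@contoso.com'                                                        # assumption
$since = (Get-Date).ToUniversalTime().AddHours(-2).ToString('yyyy-MM-ddTHH:mm:ssZ') # assumption: look back 2 hours

$signIns = Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$upn' and createdDateTime ge $since"

$signIns | Sort-Object CreatedDateTime | ForEach-Object {
    [pscustomobject]@{
        Time      = $_.CreatedDateTime
        App       = $_.AppDisplayName            # Microsoft Authenticator and Microsoft Graph both show up here
        Resource  = $_.ResourceDisplayName
        OS        = $_.DeviceDetail.OperatingSystem
        Client    = $_.ClientAppUsed
        CAStatus  = $_.ConditionalAccessStatus   # success / failure / notApplied
        Policies  = ($_.AppliedConditionalAccessPolicies |
                        Where-Object { $_.Result -ne 'notApplied' } |
                        ForEach-Object { '{0}={1}' -f $_.DisplayName, $_.Result }) -join '; '
        Methods   = ($_.AuthenticationDetails.AuthenticationMethod | Where-Object { $_ } | Select-Object -Unique) -join ', '
        Result    = if ($_.Status.ErrorCode -eq 0) { 'success' } else { 'failure {0}' -f $_.Status.ErrorCode }
    }
} | Format-Table -AutoSize

# Sanity check for the platform policy: a successful sign-in from anything other than Windows
# means a request got through that the "unsupported platforms" policy was meant to block.
$nonWindows = $signIns | Where-Object {
    $_.Status.ErrorCode -eq 0 -and $_.DeviceDetail.OperatingSystem -notlike 'Windows*'
}
if ($nonWindows) {
    Write-Warning ('{0} successful non-Windows sign-in(s) for {1}' -f @($nonWindows).Count, $upn)
}
```

Reading the Policies column per request is the quickest way to see which of the two apps a given policy actually matched, which is the information you need before trying any application-based exclusion.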

I'm not a fan of the user experience, and the options are confusing at times, especially when registering a passkey from the security information page, but knowing how eager Microsoft is to improve user experience and gather feedback, I have no doubt this will improve in the future.

As always, I hope this helps; stay tuned for the next blog.

Thanks for reading!


References


Will

I am a DevSecOps Lead and Solution Architect at Threatscape, specialising in the M365 and Azure security offering.

I love learning, blogging and coding. My interests are very diverse and span across architecture, security, cloud engineering, automation, DevOps and PowerShell.

As of today I hold 17 (and counting) Microsoft certifications and have worked in IT across multiple diverse industries for over 15 years.





French 365 Connection


©2022 by French365Connection.
