
In this blog we will explore the process of registering Passkeys within a robust Conditional Access framework. This approach is primarily aimed at administrators, and in particular at organisations that use a separate account for privileged tasks. In this use case the admin account is not permitted to sign in from any mobile phone operating system and must use phishing-resistant MFA.
Let's get started!
The environment
For this blog, we will only use 2 policies:

1- Passkey test: enforcement
This policy enforces phishing-resistant MFA, using the authentication strength as the grant control.

2- Passkey test: unsupported platforms
This policy blocks all sign-ins initiated from a device other than Windows.

For simplicity, I kept this lab to the minimal requirements, but you could easily require a compliant device for security info registration, require Entra joined or hybrid joined devices, etc.
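The two policies above can be created from code rather than the portal. The following is an added example using the Microsoft Graph PowerShell SDK; it is not part of the original post. It assumes the Microsoft.Graph module is installed, the signed-in admin has consented to Policy.ReadWrite.ConditionalAccess, and the privileged accounts are members of a group whose object id you substitute for the placeholder. Both policies are created in report-only mode so that their effect can be reviewed in the sign-in logs before switching the state to enabled.

```powershell
# Added example (not from the original post): create the two Conditional Access
# policies described above with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed, admin consented to
# Policy.ReadWrite.ConditionalAccess, and the privileged admin accounts are in
# the group whose object id is set below (placeholder value).

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

# Placeholder: object id of the group containing the privileged admin accounts
$adminGroupId = '00000000-0000-0000-0000-000000000000'

# Built-in authentication strength "Phishing-resistant MFA"
$phishingResistantStrengthId = '00000000-0000-0000-0000-000000000004'

# Policy 1 - Passkey test: enforcement
# Grants access only when the phishing-resistant authentication strength is met.
$enforce = @{
    displayName   = 'Passkey test: enforcement'
    state         = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after review
    conditions    = @{
        users        = @{ includeGroups = @($adminGroupId) }
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $phishingResistantStrengthId }
    }
}

# Policy 2 - Passkey test: unsupported platforms
# Targets every platform (including unknown) and excludes Windows, then blocks.
$blockNonWindows = @{
    displayName   = 'Passkey test: unsupported platforms'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{ includeGroups = @($adminGroupId) }
        applications = @{ includeApplications = @('All') }
        platforms    = @{
            includePlatforms = @('all')
            excludePlatforms = @('windows')
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

foreach ($policy in @($enforce, $blockNonWindows)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host ("Created '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State)
}
```

Because the second policy includes the "all" platform and only excludes Windows, a sign-in whose platform Entra cannot determine is also blocked, which is the behaviour the post relies on for the mobile Authenticator. Scope both policies to the privileged admin group rather than all users, and keep your break-glass accounts excluded, so a misconfiguration cannot lock administrators out while the policies are tested in report-only mode.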
We will use the new phone approach (a link to the documentation is available in the references), which requires Bluetooth advertising on both devices: the corporate laptop used to register the passkey and the mobile phone with the Authenticator installed to store it. You don't need to pair the mobile phone with the laptop; Bluetooth only needs to be enabled on both devices. If you enforce restrictions on Bluetooth on your laptop, ensure the following are enabled:

Use case 1: New user - first sign-in
Firstly, we will consider a new user: Joni just started at Contoso, has never signed in and has no MFA methods registered.

At the first sign-in, she will see a prompt saying that additional information is required.

But as you can see below, she must use MFA to register a passkey.

For this we will issue a Temporary Access Pass (TAP) so that Joni can register her passkey.

We provide Joni with this TAP and she initiates the sign-in process again.

Then she selects: Set up passkey using another device

Then she selects: iPhone, iPad or Android device

She is then presented with a QR code:

She opens the Authenticator on her mobile phone (Android in this instance) and scans the QR code by pressing the icon in the bottom right-hand corner.

On Android (in my case Samsung) she will be presented with a few screens:

Ensure you choose Save another way, as Entra only supports the Authenticator as a vault.

Choose the Authenticator

After ensuring the Authenticator is selected, she presses Create.

She receives a notification on the laptop that the passkey is created

The passkey is also available in the Authenticator

She gives the passkey a meaningful name.

And voila!

If you are experiencing the following error message:

No worries, go through the process again, but this time scan the QR code directly from the passkey screen in the Authenticator by pressing the QR code icon.

Joni is now able to log in with a passkey; she never had to sign in to the Authenticator and only used her corporate laptop to register it.
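The admin side of this flow, issuing the TAP and then confirming that the passkey actually landed on the account, can also be scripted. The following is an added example using the Microsoft Graph PowerShell SDK and is not code from the original post. It assumes the Microsoft.Graph module is installed, the admin has consented to UserAuthenticationMethod.ReadWrite.All, and the user principal name is a placeholder.

```powershell
# Added example (not from the original post): issue a one-time Temporary Access
# Pass for a new user, then verify the passkey registration and clean up the TAP.
# Assumptions: Microsoft.Graph module installed, admin consented to
# UserAuthenticationMethod.ReadWrite.All; the UPN below is a placeholder.

Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All'

$userUpn = 'joni@contoso.example'   # placeholder UPN for the new user

# Single-use TAP valid for 60 minutes. isUsableOnce means it cannot be replayed
# after Joni has used it to reach the passkey registration screen.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $userUpn -BodyParameter @{
    lifetimeInMinutes = 60
    isUsableOnce      = $true
}
$expires = $tap.StartDateTime.AddMinutes($tap.LifetimeInMinutes)
Write-Host "TAP issued for $userUpn, valid until $expires"
Write-Host "Hand this over out of band: $($tap.TemporaryAccessPass)"

# After Joni completes the QR-code flow, the passkey is listed as a FIDO2 method.
$passkeys = Get-MgUserAuthenticationFido2Method -UserId $userUpn
if (-not $passkeys) {
    Write-Warning "No passkey registered yet for $userUpn"
}
else {
    $passkeys | Select-Object DisplayName, Model, AaGuid, CreatedDateTime | Format-Table -AutoSize
}

# Once the passkey exists the TAP has served its purpose; remove any that remain.
Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $userUpn | ForEach-Object {
    Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $userUpn -TemporaryAccessPassAuthenticationMethodId $_.Id
}
```

Listing the FIDO2 methods after the user reports success is the check worth keeping: the Model and AaGuid columns tell you which authenticator type actually holds the credential, so you can confirm the passkey was stored in the Authenticator rather than in another vault offered by the phone.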
Use case 2: Existing user - adding security info
In this case we will look at Grady: he already has access to his security information but wants to use a passkey instead and embark on the passwordless journey 😁🥷

He navigates to https://aka.ms/mysecurityinfo

Then he selects Passkey in Microsoft Authenticator

Because Grady can't authenticate on his mobile phone (remember, we have blocked all device types other than Windows using Conditional Access), he needs to select Having trouble?

And then Create your passkey a different way

He selects his operating system

Then he continues until he is presented with a QR code

From here the process is the same as shown in Use case 1.
Conclusion
In this blog, I wanted to demonstrate that you can register a passkey without enabling sign-in from the Authenticator on unmanaged devices. Excluding the Authenticator from Conditional Access is not an easy task; I actually wasn't able to do so even using a security filter, registering the Service Principal for the Microsoft Authenticator and tagging both the Microsoft Authenticator and Microsoft Graph (investigating the sign-in logs shows that both apps are used in the process). If anyone was able to do so, please let me know on LinkedIn 📖💡
I'm not a fan of the user experience, and the options are confusing at times, especially when registering a passkey from the security information page, but knowing how eager Microsoft is to improve the user experience and gather feedback, I have no doubt this will be improved in the future.
As always I hope this helps, and stay tuned for the next blog.
Thanks for reading!
References
About William Francillette:

I am DevSecOps Lead and Solution Architect at Threatscape, specialising in M365 and Azure security offerings.
I love learning, blogging and coding. My interests are very diverse and span across architecture, security, cloud engineering, automation, DevOps and PowerShell.
As of today I hold 17 (and counting) Microsoft certifications and have worked in IT across multiple and diverse industries for over 15 years.