Sign in to Microsoft 365 with passkeys

Passkeys are a technology for signing in to websites and applications without a password, using a public/private key pair. The server stores only the public key, so nothing reusable can be stolen from it, and a device-bound passkey never leaves the authenticator on which it was created. Microsoft 365 now supports this method as well.

When a user registers a passkey for a website, the private key is generated and stored on the client, either locally or on another device such as a smartphone or a FIDO2 key. The server receives only the corresponding public key and a credential ID, both of which it associates with the user name.

When the user then signs in to that website or app, the server issues a randomly generated challenge. The browser hands the challenge, together with the origin of the page the user is actually on, to the device holding the private key, which signs both and returns the signature. The server verifies the signature with the stored public key and checks that the challenge is the one it issued and that the origin is its own. Because the origin is part of what is signed, a passkey used on a look-alike phishing site produces a signature the real site rejects.

Users must therefore prove that they possess the device on which the private key is stored. Access to that key is usually protected by a PIN or a biometric method such as facial recognition or a fingerprint (user verification).
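The challenge-response exchange described above, as an added example in Go (not code from the article or from Microsoft): both sides of a simplified WebAuthn assertion. The RP ID and origin are assumptions chosen for illustration. The authenticator signs the server's challenge together with the origin the browser reports; the server verifies the signature with the stored public key and rejects a response whose challenge, origin or RP ID hash does not match, or whose user-verification flag is missing. The phishing and missing-PIN cases go beyond the text and show why the origin and the flag are checked.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Assumed RP ID and origin; the real values belong to the service, not to this example.
const (
	rpID   = "login.microsoftonline.com"
	origin = "https://login.microsoftonline.com"
)

// clientData is built by the browser, not the authenticator: challenge plus the real page origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// authData is rpIdHash(32) || flags(1) || signCount(4); flag 0x01 = user present, 0x04 = user verified.
func authData(uv bool) []byte {
	h := sha256.Sum256([]byte(rpID))
	flags := byte(0x01)
	if uv {
		flags |= 0x04 // the device checked a PIN or biometric before signing
	}
	return append(h[:], flags, 0, 0, 0, 1)
}

// signedDigest is what is signed and later verified: SHA256(authData || SHA256(clientDataJSON)).
func signedDigest(ad, cdj []byte) []byte {
	cdh := sha256.Sum256(cdj)
	d := sha256.Sum256(append(append([]byte{}, ad...), cdh[:]...))
	return d[:]
}

// Assert is the authenticator side: sign the challenge together with the page origin the
// browser reports. A phishing page relaying the challenge cannot alter that origin.
func Assert(priv *ecdsa.PrivateKey, challenge []byte, pageOrigin string, uv bool) (ad, cdj, sig []byte, err error) {
	cdj, _ = json.Marshal(clientData{"webauthn.get", base64.RawURLEncoding.EncodeToString(challenge), pageOrigin})
	ad = authData(uv)
	sig, err = ecdsa.SignASN1(rand.Reader, priv, signedDigest(ad, cdj))
	return ad, cdj, sig, err
}

// Verify is the relying-party side: challenge, origin, RP ID hash and UV flag, then the signature.
func Verify(pub *ecdsa.PublicKey, challenge []byte, ad, cdj, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(cdj, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return fmt.Errorf("challenge mismatch: stale or replayed response")
	}
	if cd.Origin != origin {
		return fmt.Errorf("origin %q is not ours: response relayed from a phishing page", cd.Origin)
	}
	want := sha256.Sum256([]byte(rpID))
	if len(ad) < 37 || string(ad[:32]) != string(want[:]) {
		return fmt.Errorf("rpIdHash mismatch")
	}
	if ad[32]&0x04 == 0 {
		return fmt.Errorf("user verification (PIN or biometric) was not performed")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(ad, cdj), sig) {
		return fmt.Errorf("signature does not verify against the stored public key")
	}
	return nil
}

// Ceremony registers a passkey and signs in once from pageOrigin; false plus the reason on rejection.
func Ceremony(pageOrigin string, uv bool) (bool, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // registration: key pair is created on the authenticator
	if err != nil {
		return false, err
	}
	challenge := make([]byte, 32) // fresh per sign-in, issued by the server
	if _, err := rand.Read(challenge); err != nil {
		return false, err
	}
	ad, cdj, sig, err := Assert(priv, challenge, pageOrigin, uv)
	if err != nil {
		return false, err
	}
	err = Verify(&priv.PublicKey, challenge, ad, cdj, sig) // the server holds only the public key
	return err == nil, err
}

func main() {
	fmt.Println(Ceremony(origin, true))                                  // genuine site: true <nil>
	fmt.Println(Ceremony("https://login-microsoftonline.example", true)) // phishing relay: false
	fmt.Println(Ceremony(origin, false))                                 // no PIN/biometric: false
}
```

The relayed response in the second case carries a perfectly valid signature; it fails only because the signed client data names the phishing origin. That origin check, not the signature itself, is what makes passkeys phishing-resistant.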

Microsoft 365 now also supports signing in with device-bound passkeys. The feature is currently still in public preview.

Configure Microsoft 365 for passkeys

To use the new sign-in method, you must enable it for the tenant in the Microsoft Entra admin center. There, go to Protection => Authentication methods and open FIDO2 security key (Microsoft has since renamed this method Passkey (FIDO2) in the portal).

Enable FIDO2 security key for Microsoft 365 or Entra ID

Click the method to adjust this sign-in option. You can enable it either for all users or only for selected groups. The Configure tab holds further settings; here you set Enforce attestation (the setting the original text calls Force verification) to No.

To use passkeys in Authenticator, enable Enforce key restrictions under Key restriction policy and tick the Microsoft Authenticator option. Under Restrict specific keys, select Allow.

Allow permits registration only for authenticators whose Authenticator Attestation GUID (AAGUID) appears in the list at the bottom of the window (allowlisting). Block rejects the listed AAGUIDs and permits all others (blocklisting).

Adjusting FIDO2 Security Key Settings in the Entra Admin Center

If you tick Microsoft Authenticator, the AAGUIDs for the Microsoft Authenticator app on iOS and iPadOS (90a3ccdf-635c-4729-a248-9b709135078f) and on Android (de1e552d-db1d-4423-a619-566b625cdc84) are added automatically.

However, with Allow selected, Entra ID blocks every other authenticator. If your users also have hardware FIDO2 security keys, you must add their AAGUIDs to the list, otherwise those keys can no longer be registered.

The AAGUID is sent to the server as part of the attestation data during FIDO2 registration and identifies the authenticator model. It is, however, a value the authenticator reports about itself. Only when Enforce attestation is set to Yes does Entra ID verify the accompanying attestation statement against the vendor's certificates, and only then is the AAGUID cryptographically tied to a genuine device of that model. With attestation switched off, as configured above, the key restriction list is a policy filter that keeps users from registering unintended authenticator types, not a proof of device authenticity.
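An added example in Go (not code from the article or from Microsoft) of the two things this section describes: pulling the AAGUID out of registration authenticator data, and applying an Entra-style key restriction policy with the Allow and Block semantics explained above. The two Microsoft Authenticator AAGUIDs are the ones the article quotes; the third AAGUID, the sample authenticator data and the credential ID are constructed placeholders.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strings"
)

// KeyRestrictions mirrors the FIDO2 method settings in Entra: Enforce key restrictions,
// Restrict specific keys (Allow or Block) and the AAGUID list.
type KeyRestrictions struct {
	Enforced        bool
	EnforcementType string // "allow" or "block"
	AAGUIDs         []string
}

// The two AAGUIDs the Microsoft Authenticator checkbox adds, as given in the article.
var MicrosoftAuthenticatorAAGUIDs = []string{
	"90a3ccdf-635c-4729-a248-9b709135078f", // Authenticator on iOS and iPadOS
	"de1e552d-db1d-4423-a619-566b625cdc84", // Authenticator on Android
}

// Permits applies the policy: Allow passes only listed AAGUIDs (allowlist); Block fails
// the listed ones and passes everything else (blocklist). Unknown types fail closed.
func (p KeyRestrictions) Permits(aaguid string) bool {
	if !p.Enforced {
		return true
	}
	listed := false
	for _, g := range p.AAGUIDs {
		if strings.EqualFold(g, aaguid) {
			listed = true
		}
	}
	switch strings.ToLower(p.EnforcementType) {
	case "allow":
		return listed
	case "block":
		return !listed
	}
	return false
}

// AAGUIDFromAuthData reads the AAGUID out of registration authenticator data, laid out as
// rpIdHash(32) || flags(1) || signCount(4) || aaguid(16) || credIdLen(2) || credId || COSE key.
// The AT flag (0x40) must be set, otherwise no attested credential data follows.
// The value is written by the authenticator itself; it is only trustworthy when the
// attestation statement that accompanies it is verified (Enforce attestation = Yes).
func AAGUIDFromAuthData(ad []byte) (string, error) {
	if len(ad) < 55 {
		return "", fmt.Errorf("authenticator data too short (%d bytes)", len(ad))
	}
	if ad[32]&0x40 == 0 {
		return "", fmt.Errorf("AT flag not set: no attested credential data")
	}
	g := ad[37:53]
	return fmt.Sprintf("%x-%x-%x-%x-%x", g[0:4], g[4:6], g[6:8], g[8:10], g[10:16]), nil
}

// RegistrationAccepted is the relying-party check on a registration response.
func RegistrationAccepted(p KeyRestrictions, ad []byte) (bool, string, error) {
	g, err := AAGUIDFromAuthData(ad)
	if err != nil {
		return false, "", err
	}
	return p.Permits(g), g, nil
}

// SampleAuthData is a constructed registration authData for the given AAGUID: zeroed
// rpIdHash, flags UP|AT, signCount 0, a 4-byte placeholder credential ID and no COSE key.
func SampleAuthData(aaguid string) []byte {
	raw, err := hex.DecodeString(strings.ReplaceAll(aaguid, "-", ""))
	if err != nil || len(raw) != 16 {
		panic("aaguid must be 16 bytes in UUID form")
	}
	ad := append(make([]byte, 32), 0x41, 0, 0, 0, 0)
	ad = append(ad, raw...)
	return append(ad, 0, 4, 0xde, 0xad, 0xbe, 0xef)
}

func main() {
	allow := KeyRestrictions{Enforced: true, EnforcementType: "allow", AAGUIDs: MicrosoftAuthenticatorAAGUIDs}
	block := KeyRestrictions{Enforced: true, EnforcementType: "block", AAGUIDs: MicrosoftAuthenticatorAAGUIDs}
	other := "11111111-2222-3333-4444-555555555555" // constructed placeholder for some other key model
	for _, g := range []string{MicrosoftAuthenticatorAAGUIDs[1], other} {
		okA, id, _ := RegistrationAccepted(allow, SampleAuthData(g))
		okB, _, _ := RegistrationAccepted(block, SampleAuthData(g))
		fmt.Printf("%s  allow-list: %v  block-list: %v\n", id, okA, okB)
	}
}
```

Run as is, the Android Authenticator AAGUID passes the allow list and fails the block list, and the placeholder AAGUID does the opposite. Whether the AAGUID in the bytes really came from a Microsoft Authenticator is exactly what this code cannot tell you; that is what the attestation statement, when enforced, is for.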

Register passkeys in iOS

To register, users first go to https://aka.ms/mysecurityinfo. After signing in, select Passkey in Microsoft Authenticator under Add sign-in method.

Add passkey authentication for an account in Entra ID

You must then confirm the change with a fresh sign-in (reauthentication). For the following steps you need an iPhone or an Android smartphone with the latest version of the Microsoft Authenticator app. With it at hand, click Next in the setup window.

Confirming Passkey Authentication in Entra ID

The assistant asks whether you are using an Android or an iOS device and then shows the steps to carry out on that device. On iOS, AutoFill Passwords and Passkeys and Authenticator must be enabled in the phone's settings under Passwords => Password options.

Enable Microsoft Authenticator for autofill and use of passkeys in iOS

You are then prompted to open the camera app on the phone and scan the QR code shown in the next window. This links the Authenticator app to Microsoft 365 and creates the passkey. You can also give the passkey a custom name here.

Under Security info, Passkey in Microsoft Authenticator is then listed as a registered sign-in method.

Passkey authentication successfully added in Microsoft 365 or Entra ID

From now on, users can choose passkey sign-in with Microsoft Authenticator on their devices.

Cross-device login with Windows and macOS

Even though a device-bound passkey never leaves the phone it was created on, it can be used to sign in from other devices. This is not a contradiction: the phone merely acts as the authenticator for a sign-in started elsewhere, for example in a PC's web browser, and the private key stays where it is. Both devices need Bluetooth enabled, because the cross-device flow checks that the phone is physically nearby; that proximity check is what stops an attacker from forwarding the QR code to a victim elsewhere.

To do this, the user clicks Use your face, fingerprint, PIN or security key instead in the sign-in window. The dialog then offers, among other options, Use a different device.

Sign in to a Microsoft 365 account on Windows with a passkey

After selecting iPhone, iPad or Android device, a QR code appears, which you again scan with the smartphone. You then complete the sign-in with Microsoft Authenticator.

System requirements on the clients

To use device-bound passkeys in Microsoft 365, users should be running at least Android 14 or iOS 17 and use the latest version of the Microsoft Authenticator app.

In the iOS settings under Passwords => Password options, Microsoft Authenticator must be enabled for AutoFill. The same applies on Android once Microsoft Authenticator has been added as an additional passkey provider.

In iOS, only one other provider can be activated for autofill besides iCloud Keychain.

Summary

Passkeys allow secure sign-in without a password, and in the device-bound form that Microsoft 365 currently supports they are tied to a specific device. The method is becoming increasingly popular and is supported by most major Internet services, now including Microsoft 365.

After the feature has been enabled and configured in Entra ID, the Authenticator app acts as the authenticator on the mobile device. It can then sign in to M365 directly on the phone or, via a QR code, authenticate a sign-in on another of the user's devices.
