Azure AD Passwordless Sign-In with FIDO2 Security Keys

In this post I want to show you how to use Azure AD passwordless sign-in with FIDO2 security keys, such as Yubikeys.

Passwordless Authentication: Secure and Convenient
When using Yubikeys, make sure you are using a Yubikey 5, as Yubikey 4 only supports FIDO U2F, which is not supported for passwordless sign-in.

Go to the Azure AD Authentication methods blade in the Azure Portal and enable FIDO2 Security Key. Make sure to disable Enforce attestation; otherwise, you would need to add the AAGUID of your Yubikey to the Key Restriction Policy.

Authentication Methods in the Azure Portal
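
To show what the AAGUID is and how a restriction on it can be evaluated, here is an added example (not from the original post and not Microsoft's code) that reads the AAGUID out of WebAuthn authenticator data from a registration and checks it against a list. The `key_permitted` function, the sample AAGUID and the sample bytes are constructed assumptions, and the allow/block model is a simplification of a key restriction policy.

```python
import struct
import uuid

AT_FLAG = 0x40  # "attested credential data included" bit in the flags byte
ZERO_AAGUID = uuid.UUID(int=0)


def extract_aaguid(auth_data: bytes) -> uuid.UUID:
    """Return the AAGUID from WebAuthn authenticator data sent at registration."""
    # Layout: rpIdHash(32) | flags(1) | signCount(4) | aaguid(16) | credIdLen(2) | credId | COSE key
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than its fixed 37-byte header")
    flags = auth_data[32]
    if not flags & AT_FLAG:
        raise ValueError("AT flag not set: no attested credential data, so no AAGUID")
    if len(auth_data) < 55:
        raise ValueError("attested credential data truncated")
    (cred_id_len,) = struct.unpack(">H", auth_data[53:55])
    if len(auth_data) < 55 + cred_id_len:
        raise ValueError("credential ID runs past the end of the data")
    return uuid.UUID(bytes=auth_data[37:53])


def key_permitted(aaguid: uuid.UUID, listed: set, enforcement: str = "allow") -> bool:
    """Hypothetical, simplified allow/block model of a key restriction policy."""
    if enforcement == "allow":
        # An all-zero AAGUID names no model, so it can never match an allow list.
        return aaguid != ZERO_AAGUID and aaguid in listed
    if enforcement == "block":
        return aaguid not in listed
    raise ValueError("enforcement must be 'allow' or 'block'")


def build_sample_auth_data(aaguid: uuid.UUID) -> bytes:
    """Constructed registration authData; key bytes are filler, not a real credential."""
    rp_id_hash = bytes(32)            # placeholder for the SHA-256 of the RP ID
    flags = bytes([0x01 | AT_FLAG])   # user present + attested credential data
    sign_count = struct.pack(">I", 0)
    cred_id = bytes(range(16))
    return (rp_id_hash + flags + sign_count + aaguid.bytes
            + struct.pack(">H", len(cred_id)) + cred_id + b"\xa0")  # 0xa0 = empty CBOR map


SAMPLE_AAGUID = uuid.UUID("00112233-4455-6677-8899-aabbccddeeff")  # constructed value
```
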

To let your users register their security key on their own, you need to enable the new security experience in the Azure Portal.

Self-Service Security Key Registration is currently in Preview

Once the new security experience is enabled, your users can access the Security Info part of and register their security key.

Your users can now sign in passwordless with their FIDO2 security key.

Passwordless Authentication with a Yubikey 5
