In this post I want to show you how to use Azure AD passwordless sign-in with FIDO2 security keys such as YubiKeys.
When using YubiKeys, make sure you are using a YubiKey 5, as the YubiKey 4 only supports FIDO U2F, which is not supported for passwordless sign-in.
Go to the Azure AD Authentication methods blade in the Azure Portal and enable FIDO2 Security Key. Make sure Enforce attestation is disabled; otherwise you would need to add the AAGUID of your YubiKey to the Key Restriction Policy.
To let your users register their security key on their own, you need to enable the new security experience in the Azure Portal.
Once the new security experience is enabled, your users can open the Security Info section of mysignins.microsoft.com and register their security key.
Your users can now sign in passwordless with their FIDO2 security key.
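The portal steps above can also be scripted. The following is an added example, not code from the original post or from Microsoft: it builds the Microsoft Graph v1.0 PATCH body for the FIDO2 authentication method configuration, both in the post's setting (attestation not enforced, no key restrictions) and in the stricter variant the post mentions (attestation enforced, registration limited to an AAGUID allowlist), and models which registration attempts each policy lets through. It assumes the Graph endpoint `policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2`, a bearer token with the `Policy.ReadWrite.AuthenticationMethod` permission in the `GRAPH_TOKEN` environment variable, and a placeholder AAGUID that you must replace with your key model's real value.

```python
"""Configure the Azure AD FIDO2 authentication method through Microsoft Graph.

Added example, not from the original post. Without GRAPH_TOKEN set it only
prints the request body and the registration checks; with a token it PATCHes
the tenant policy.
"""
import json
import os
import urllib.request

GRAPH_FIDO2_URL = (
    "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy"
    "/authenticationMethodConfigurations/Fido2"
)

# Placeholder only, NOT a real AAGUID: take the value for your key model
# from the vendor's published metadata.
PLACEHOLDER_AAGUID = "00000000-0000-0000-0000-000000000000"


def fido2_policy(enforce_attestation: bool, allowed_aaguids=None) -> dict:
    """Build the PATCH body for the FIDO2 method configuration.

    enforce_attestation=False reproduces the post's portal setting: any FIDO2
    key can be registered. enforce_attestation=True requires the key to prove
    its model at registration; passing allowed_aaguids additionally turns on
    the Key Restriction Policy as an allowlist.
    """
    aaguids = list(allowed_aaguids or [])
    return {
        "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
        "state": "enabled",
        "isSelfServiceRegistrationEnabled": True,
        "isAttestationEnforced": enforce_attestation,
        "keyRestrictions": {
            "isEnforced": bool(aaguids),
            "enforcementType": "allow",
            "aaGuids": aaguids,
        },
        # Target all users; set isRegistrationRequired to True to make the
        # method mandatory instead of optional.
        "includeTargets": [
            {"targetType": "group", "id": "all_users", "isRegistrationRequired": False}
        ],
    }


def registration_allowed(policy: dict, key_aaguid: str, key_attested: bool) -> bool:
    """Model the registration decision the policy implies for one key.

    A key fails if attestation is enforced but the key did not attest, or if
    key restrictions are enforced and the AAGUID is outside the allowlist.
    """
    if policy["isAttestationEnforced"] and not key_attested:
        return False
    restrictions = policy["keyRestrictions"]
    if restrictions["isEnforced"]:
        listed = key_aaguid in restrictions["aaGuids"]
        if restrictions["enforcementType"] == "allow" and not listed:
            return False
        if restrictions["enforcementType"] == "block" and listed:
            return False
    return True


def apply_policy(policy: dict, token: str) -> int:
    """PATCH the policy to the tenant; Graph answers 204 No Content on success."""
    req = urllib.request.Request(
        GRAPH_FIDO2_URL,
        data=json.dumps(policy).encode(),
        method="PATCH",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    open_policy = fido2_policy(enforce_attestation=False)
    strict_policy = fido2_policy(enforce_attestation=True, allowed_aaguids=[PLACEHOLDER_AAGUID])
    # Constructed sample key: an unknown model that does not attest.
    unknown_key = ("11111111-1111-1111-1111-111111111111", False)
    print("open policy accepts unknown key:  ", registration_allowed(open_policy, *unknown_key))
    print("strict policy accepts unknown key:", registration_allowed(strict_policy, *unknown_key))
    token = os.environ.get("GRAPH_TOKEN")
    if token:
        print("PATCH status:", apply_policy(open_policy, token))
    else:
        print(json.dumps(open_policy, indent=2))
```

Run it without `GRAPH_TOKEN` first to review the body; the printed checks make the trade-off visible: the post's setting registers any FIDO2 key, while the strict variant rejects a key that either cannot attest or is not on the allowlist.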