Step-by-Step Guide to Using Passkeys in Microsoft 365

  • Published: 20 Jan 2025

Comments • 100

  • @JamesWimmer
    @JamesWimmer 6 months ago +26

    While I really like this in theory, unfortunately, because iOS only allows one app to offer PassKeys, this won't work for us. My firm has a BYOD policy, and plenty of our users use their own password solution (e.g. built-in, 1Password, etc) and forcing them to switch to using the MS Auth app is a no go. Hopefully Microsoft works towards allowing other non-MS Auth Passkeys in the near future.

    • @StevenMcKenzie-83
      @StevenMcKenzie-83 6 months ago +1

      @JamesWimmer You should test it. I believe it does; you need to add the app ID to passkey in the admin center.

    • @JamesWimmer
      @JamesWimmer 6 months ago +1

      @StevenMcKenzie-83 I have and it errors out every time I try. Based on what I've read, Microsoft is targeting late 2024 to allow other apps. I could be completely wrong, but right now they only support device-bound keys, whereas 1Password would be considered synced keys, which aren't yet supported.

    • @philhersh
      @philhersh 6 months ago

      I've gotten 1Password to work but it’s very flaky. I wouldn’t give it to my users, yet 😊

    • @bearded365guy
      @bearded365guy 6 months ago +3

      @JamesWimmer Good point. Hopefully Microsoft will sort this.

  • @christophecolnaghi-pierre2697
    @christophecolnaghi-pierre2697 6 months ago +1

    Thanks for this video Jonathan, just tried it on my 365 Family subscription, and it works like a charm. Need to discuss now with my client's CSO 🙂

  • @ChaJ67
    @ChaJ67 2 months ago +2

    Something to point out is while in this video all security keys except for the two phone ones are blocked, this method does work with other security keys enabled. I suppose if you really want to, you can manually add your vendor's ID, but there is the question of how hard do you really want to make life on yourself? Just stepping up to everything is a security key for authentication is a big step forward in being more secure about how you do things. If you don't want to have to care about the vendor IDs attached to security keys to make things work, you don't have to.

  • @PankanyaMusic
    @PankanyaMusic 1 month ago

    Thanks mate, learnt so much from this video

  • @teddmented
    @teddmented 3 months ago +1

    Another terrific video thank you

  • @SonnyLearnsToRock
    @SonnyLearnsToRock 3 months ago

    Simplicity and security is the 🗝
    Thank you #bearded365guy !!! 🔥 🚀 💯

  • @paulgilbert3618
    @paulgilbert3618 6 months ago +1

    Thanks for the video. I set this up as you described but each time I try and sign in it asks me to insert a security key into the USB port. Any ideas?

  • @benphillips3731
    @benphillips3731 2 months ago

    Great video. I'm curious though, does this stop MITM attacks fully? What does it do to stop a user going to a dodgy login page which is relaying the QR image for them to authenticate?

  • @mindenesvegyes8512
    @mindenesvegyes8512 6 months ago +2

    Fantastic video Jonathan! I really love your work and dedication. Clear, helpful, focused. Please never stop :)

  • @StevenMcKenzie-83
    @StevenMcKenzie-83 6 months ago +2

    Awesome video. Makes much more sense now how it works. My only question is how do you set up new users who have just started? That CA policy will block them, right? Or would it go straight to the setup page?

    • @bearded365guy
      @bearded365guy 6 months ago +3

      @StevenMcKenzie-83 Ah, I should have included that in the video. You will need to use temporary access passwords as outlined here: learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-temporary-access-pass

    • @StevenMcKenzie-83
      @StevenMcKenzie-83 6 months ago

      @bearded365guy So with a new user you give them a temporary password, and when they sign in it goes straight into the passkey registration screen like it would do for MFA?

    • @bearded365guy
      @bearded365guy 6 months ago

      @StevenMcKenzie-83 Yes, that’s right.

  • @michelepacucci1907
    @michelepacucci1907 3 months ago

    If I have a tenant with a CA policy that enforces MFA for all cloud apps, how can I configure it to also enable passkeys? You can only choose between MFA and passkeys (or passwordless MFA). Should I just create a second CA policy with passkeys?

  • @networkn
    @networkn 6 months ago +4

    Thanks Jonathan, great video. You didn't cover one particular thing. What happens if you lose the device that has your Passkeys Stored? Phone gets dropped or stolen or left in a taxi after a wild night ?

    • @bearded365guy
      @bearded365guy 6 months ago

      @networkn Ring the taxi company 😩 - you can delete a user's passkey from the 365 admin centre. I’ll record a video….

    • @networkn
      @networkn 6 months ago

      @bearded365guy I get that, however if you have your admins only able to use phish-resistant login methods it's a decent-sized risk. I'd suggest a two-pronged approach like passkeys required outside of the main office IP but MFA allowed inside the office. Pretty secure still. What do you think?

    • @bearded365guy
      @bearded365guy 6 months ago +2

      @networkn Yes, good idea. But we always have a break glass account for 365 too…. Long long password, no CA, no MFA.

    • @mightygeek
      @mightygeek 2 months ago

      @bearded365guy I believe as of October Microsoft started enforcing MFA on privileged accounts (which of course the break glass ones are), so perhaps buy YubiKeys for those...
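The thread above proposes two overlapping Conditional Access policies (MFA everywhere, phishing-resistant MFA only outside the office IP) plus a break-glass exclusion, and an earlier comment asks whether a second policy can sit alongside an existing "require MFA" policy. The script below is an added example, written for this page and not taken from the video, from Microsoft, or from any commenter. It models how Entra combines policies at sign-in in a deliberately simplified way: every policy whose conditions match must be satisfied, and a stronger authentication strength satisfies any weaker requirement. The policy fields, the method names, the strength names, the office IP range and the accounts are all my own constructed assumptions, not Entra's real evaluation engine.

```python
"""Simplified model of how several Conditional Access policies combine at
sign-in. Added example; not Entra's evaluation engine and not code from the
video or the commenters. Field names, method names and strength names are
an assumption loosely following what the Entra portal exposes."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Ranking of authentication strengths: a sign-in at rank n satisfies any
# policy that requires rank <= n, never the reverse.
STRENGTH_RANK = {"none": 0, "mfa": 1, "passwordlessMfa": 2, "phishingResistantMfa": 3}

# Strength demonstrated by each (simplified) sign-in method. Real Entra works
# on allowed combinations of methods; this table is a constructed assumption.
METHOD_STRENGTH = {
    "password": "none",
    "password+totp": "mfa",
    "password+push": "mfa",
    "phoneSignIn": "passwordlessMfa",
    "passkeyAuthenticator": "phishingResistantMfa",
    "fido2SecurityKey": "phishingResistantMfa",
    "windowsHelloForBusiness": "phishingResistantMfa",
}


@dataclass
class Policy:
    name: str
    required_strength: str
    excluded_networks: list = field(default_factory=list)  # trusted-location CIDRs where the policy does not apply
    excluded_users: set = field(default_factory=set)      # e.g. the break-glass account


def policy_applies(policy: Policy, user: str, source_ip: str) -> bool:
    """A policy is in scope unless the user or the source network is excluded."""
    if user in policy.excluded_users:
        return False
    addr = ip_address(source_ip)
    return not any(addr in ip_network(cidr) for cidr in policy.excluded_networks)


def evaluate(policies, user: str, source_ip: str, method: str):
    """Return (granted, names of in-scope policies the sign-in failed to satisfy)."""
    achieved = STRENGTH_RANK[METHOD_STRENGTH[method]]
    failed = [
        p.name for p in policies
        if policy_applies(p, user, source_ip) and achieved < STRENGTH_RANK[p.required_strength]
    ]
    return not failed, failed


# Constructed tenant: office egress range from the TEST-NET-3 documentation
# block, and a break-glass account excluded from both policies.
OFFICE_RANGE = "203.0.113.0/24"
BREAK_GLASS = "breakglass@example.com"
POLICIES = [
    Policy("Require MFA for all cloud apps", "mfa", excluded_users={BREAK_GLASS}),
    Policy("Require phishing-resistant MFA outside the office", "phishingResistantMfa",
           excluded_networks=[OFFICE_RANGE], excluded_users={BREAK_GLASS}),
]

if __name__ == "__main__":
    for user, ip, method in [
        ("alice@example.com", "203.0.113.25", "password+totp"),   # TOTP inside the office: granted
        ("alice@example.com", "198.51.100.9", "password+totp"),   # TOTP from outside: blocked
        ("alice@example.com", "198.51.100.9", "passkeyAuthenticator"),  # passkey anywhere: granted
        ("alice@example.com", "203.0.113.25", "password"),        # password only: blocked by the MFA policy
        (BREAK_GLASS, "198.51.100.9", "password"),                # excluded from both policies
    ]:
        print(user, ip, method, "->", evaluate(POLICIES, user, ip, method))
```

Because a passkey sign-in satisfies both policies, the existing "require MFA" policy can stay in place when a phishing-resistant policy is added on top; the stricter one simply narrows what is acceptable wherever it applies. The break-glass exclusion here models only the Conditional Access layer; as @mightygeek notes above, it does not remove Microsoft's own mandatory MFA for privileged sign-ins.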

  • @ArditaLilaj-h1t
    @ArditaLilaj-h1t 3 months ago

    @Jonathan Edwards you have to enable MFA to use FIDO, you cannot just setup FIDO and expect it to work. Your setup screen under Authentication Methods shows everything isn't enabled.

    • @bearded365guy
      @bearded365guy 3 months ago

      MFA was enabled on this test tenant using legacy MFA settings.

    • @ArditaLilaj-h1t
      @ArditaLilaj-h1t 3 months ago

      @bearded365guy I have had a lot of issues using the non-legacy MFA and FIDO passkey options to get my YubiKeys set up. But after fighting with Entra/Intune for a couple of days it started to work. lol

  • @karlok.9631
    @karlok.9631 6 months ago +1

    Thank you.
    Keep it up.

  • @britishagent
    @britishagent 6 months ago +1

    So, do you have to keep scanning a QR code to sign in or only do that once?
    I would presume your biometric would be primary identifier afterwards?

    • @bearded365guy
      @bearded365guy 6 months ago

      @britishagent keep scanning…

  • @jaccodominicus9808
    @jaccodominicus9808 2 months ago +1

    Hello Jonathan, I tried to configure a passkey and it is working for cloud apps and logging in to the Office portal. Is there already a possibility to use this for logging on to an Intune-joined desktop/laptop? Regards, Jacco Dominicus

    • @bearded365guy
      @bearded365guy 2 months ago

      Not for logon - use Windows Hello for Business.

    • @jaccodominicus9808
      @jaccodominicus9808 2 months ago

      Okay, hope that will come soon. We have customers who would like to have that and not have to get additional hardware. Thanks for the fast response.

  • @fxylk
    @fxylk 6 months ago

    Amazing 🤩🤩🤩 now I need to secure my admin accounts 😅

  • @ScozzieMan
    @ScozzieMan 6 months ago +1

    Can I ask if this can still be set up on a hybrid setup?

  • @jon539539
    @jon539539 2 months ago +1

    This video brilliantly shows us how to generate and store a passkey for an M365 account with Microsoft Authenticator on iOS storing the passkey. I understand that this is dependent on Bluetooth to determine the proximity of the phone to the computer in question. We would like to set up passkeys on Windows desktop machines with no Bluetooth and have the passkey stored locally on the desktop computer and secured with Windows Hello. Can anyone guide us on how to do that? I know it's supported, as I have a passkey for my own MS 365 account, I just can't seem to go into my MS 365 account settings on other accounts to add one. So I don't even really know where it came from!

    • @bearded365guy
      @bearded365guy 2 months ago

      Hi, take a look at this - support.microsoft.com/en-us/windows/save-a-passkey-in-windows-e92cd3e0-11fa-4630-a5ea-3ccc0396b3d9

  • @jaybigboy34
    @jaybigboy34 3 months ago +1

    I am thinking the pc has to be bluetooth compatible for this to work, correct?

  • @networkn
    @networkn 6 months ago

    I have a question if I may. I have set it up. Went swimmingly. I can login on the computer I configured the passkey to my Android MS Authenticator, but when I try and login elsewhere, and select passkey, it asks me to insert my USB Key! I've tried a few different browsers etc, no luck! I don't think I missed anything, there are two AAGuids in the config.

  • @techgroupservices
    @techgroupservices 6 months ago +1

    Fantastic video Jonathan! Once the new passkey account has been added to the Microsoft Authenticator app is it safe to assume the users original account can be removed from the authenticator app?

    • @bearded365guy
      @bearded365guy 6 months ago +1

      @techgroupservices I’ve not tested that yet. I don’t want to say either way 😁

    • @StevenMcKenzie-83
      @StevenMcKenzie-83 6 months ago +1

      Was going to ask the same question

  • @kevinbeutler910
    @kevinbeutler910 6 months ago +1

    Thanks Jonathan, always look forward to your new videos. I'm currently testing this in my environment and found that if I enable the Conditional Access policy to require phishing-resistant MFA to log in, my Teams and Outlook are not able to sign in anymore. Have you heard about any development for getting mobile log-ins into M365 apps working?

    • @bearded365guy
      @bearded365guy 6 months ago +2

      @kevinbeutler910 Are those Teams and Outlook desktop clients?

    • @kevinbeutler910
      @kevinbeutler910 6 months ago +1

      @bearded365guy It's actually Teams and Outlook on Android and iOS devices. The CA policy works fine on desktops. Still trying to troubleshoot but any insight you have would be awesome to hear. 😊

    • @zachorton864
      @zachorton864 6 months ago

      @kevinbeutler910 Hey Kevin - I'm hitting the same snags with the mobile applications on our Androids. It just doesn't give us the option to use the passkey in the authentication app.

  • @eugenemeenan3703
    @eugenemeenan3703 3 months ago

    Had no problems with FIDO 2.1 and Windows Hello - took a while explaining to most users that this was more secure as it doesn't transmit passwords - not sure where to find settings for passkeys in Android - well, to be more specific, Samsung Android - just so I can test, so at least the options are available if users decide on that over MFA - any pointers :-)

    • @DannyNilsson
      @DannyNilsson 1 month ago

      If you viewed the video, he explains you need to use the MS Authenticator app.

  • @andrewenglish3810
    @andrewenglish3810 4 months ago

    Can you use a YubiKey still? Since MS is enforcing MFA on all admin accounts that have access to the Admin Centre I don't really want to put the admin MFA on my phone and would rather use a YubiKey; this way if I am away or leave the company they can still get in.

    • @TonyFussellLFG
      @TonyFussellLFG 3 months ago

      Yes. We added a YubiKey as a FIDO2 method for our break glass account, to handle the Microsoft mandatory MFA.

    • @ChaJ67
      @ChaJ67 2 months ago

      I did some testing and found that yes, you can. Actually, I did it a bit differently than in this video when setting up Conditional Access in that I did not restrict down the key types. That turns out to be unnecessary to make this work, granted you could lock down the key types and then manually add the YubiKey identifier to the list.
      It can provide you redundant ways to get in. I would be more trusting of the YubiKey, but this method does get rid of the heavily exploited TOTP codes.

  • @maltbycentre3394
    @maltbycentre3394 6 months ago

    That's great!
    Is it possible to validate the credentials via WHfB? By inputting the PIN or fingerprint? Thank you

  • @cjax235
    @cjax235 6 months ago +1

    Brilliant (and timely) as ever

  • @hasher87
    @hasher87 5 months ago

    What would you recommend if we want to set this up but for laptop login with their AD/AAD account?

    • @bearded365guy
      @bearded365guy 5 months ago

      @hasher87 you can use Windows Hello

  • @techjordan
    @techjordan 6 months ago

    When enforcing key restrictions in Entra ID, if I have users already using FIDO2 keys would I have to restrict for those as well so that they continue to work?

    • @bearded365guy
      @bearded365guy 6 months ago

      @techjordan Are they YubiKeys? Read this - support.yubico.com/hc/en-us/articles/360016648959-YubiKey-Hardware-FIDO2-AAGUIDs. If you remember in the video, I added the iOS and Android AAGUIDs

    • @bearded365guy
      @bearded365guy 6 months ago

      @techjordan Or you could use groups instead of all users.
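Several comments in this thread (@ChaJ67 twice, the @techjordan exchange just above) turn on the same mechanism: the FIDO2 key-restriction policy in Entra, where the video allow-lists the two Microsoft Authenticator AAGUIDs and any other key, such as a YubiKey, only registers once its vendor AAGUID is added to that list, or once enforcement is switched off. The script below is an added example written for this page, not code from the video, from Microsoft, or from the commenters. The policy dictionaries mirror the Microsoft Graph FIDO2 authentication method configuration shape as I understand it (treat the field names as an assumption to check against the Graph reference); the two Authenticator AAGUIDs are the values Microsoft publishes in its passkey documentation rather than values from this page, and the vendor AAGUID is a hypothetical placeholder. The decision logic is a simplified model, not Entra's implementation.

```python
"""Model of how an Entra FIDO2 key-restriction policy decides whether a
passkey with a given AAGUID may be registered. Added example, not code
from the video, Microsoft, or any commenter; field names follow the Graph
fido2AuthenticationMethodConfiguration shape as an assumption."""
import copy
import uuid

# Microsoft Authenticator passkey AAGUIDs as published in Microsoft's passkey
# documentation (not taken from this page; confirm before relying on them).
AUTHENTICATOR_IOS = "90a3ccdf-635c-4729-a248-9b709135078f"
AUTHENTICATOR_ANDROID = "de1e552d-db1d-4423-a619-566b625a1e8d"

# Hypothetical vendor AAGUID standing in for a hardware key; real values come
# from the vendor's published list (e.g. the Yubico article linked above).
EXAMPLE_VENDOR_AAGUID = "00000000-0000-4000-8000-0000000000aa"

# Constructed policy matching the video's configuration: enforcement on,
# allow-list holding only the two Authenticator AAGUIDs.
POLICY_ALLOW_LIST = {
    "id": "Fido2",
    "state": "enabled",
    "isSelfServiceRegistrationAllowed": True,
    "isAttestationEnforced": False,
    "keyRestrictions": {
        "isEnforced": True,
        "enforcementType": "allow",
        "aaGuids": [AUTHENTICATOR_IOS, AUTHENTICATOR_ANDROID],
    },
}

# Constructed policy matching the commenters who left key types unrestricted.
POLICY_UNRESTRICTED = {
    "id": "Fido2",
    "state": "enabled",
    "isSelfServiceRegistrationAllowed": True,
    "isAttestationEnforced": False,
    "keyRestrictions": {"isEnforced": False, "enforcementType": "allow", "aaGuids": []},
}


def _canonical(aaguid: str) -> str:
    """Normalise case, braces and hyphens so a copy-pasted vendor AAGUID
    compares equal to the one stored in the policy."""
    return str(uuid.UUID(aaguid))


def registration_allowed(policy: dict, aaguid: str) -> tuple:
    """Return (allowed, reason) for registering a key with this AAGUID."""
    if policy.get("state") != "enabled":
        return False, "FIDO2 method is disabled"
    if not policy.get("isSelfServiceRegistrationAllowed", False):
        return False, "self-service registration is disabled"
    restrictions = policy.get("keyRestrictions") or {}
    if not restrictions.get("isEnforced", False):
        return True, "key restrictions not enforced"
    listed = {_canonical(g) for g in restrictions.get("aaGuids", [])}
    on_list = _canonical(aaguid) in listed
    mode = restrictions.get("enforcementType")
    if mode == "allow":
        return on_list, ("AAGUID is on the allow list" if on_list else "AAGUID is not on the allow list")
    if mode == "block":
        return (not on_list), ("AAGUID is on the block list" if on_list else "AAGUID is not on the block list")
    return False, f"unknown enforcementType {mode!r}"


def with_aaguid_allowed(policy: dict, aaguid: str) -> dict:
    """Return a copy of an allow-list policy with one more vendor AAGUID added,
    the 'manually add your vendor's ID' step the commenters describe."""
    updated = copy.deepcopy(policy)
    restrictions = updated["keyRestrictions"]
    if restrictions.get("enforcementType") != "allow":
        raise ValueError("only meaningful for an allow list")
    canonical = _canonical(aaguid)
    if canonical not in {_canonical(g) for g in restrictions["aaGuids"]}:
        restrictions["aaGuids"].append(canonical)
    return updated


if __name__ == "__main__":
    for name, policy in (("allow-list", POLICY_ALLOW_LIST), ("unrestricted", POLICY_UNRESTRICTED)):
        for key in (AUTHENTICATOR_IOS, EXAMPLE_VENDOR_AAGUID):
            print(name, key, registration_allowed(policy, key))
    widened = with_aaguid_allowed(POLICY_ALLOW_LIST, EXAMPLE_VENDOR_AAGUID)
    print("after adding the vendor AAGUID:", registration_allowed(widened, EXAMPLE_VENDOR_AAGUID))
```

The canonicalisation step matters in practice: vendor lists and admin portals show AAGUIDs in mixed case and sometimes with braces, and a mismatch there is the kind of thing that produces the "insert your security key" or "passkey not found" prompts several commenters report without any obvious policy error.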

  • @jjrscorpion
    @jjrscorpion 6 months ago

    Hi Jonathan, I've recently discovered your channel and love the content. Will the passkey keep the session alive indefinitely? Thanks in advance

    • @bearded365guy
      @bearded365guy 6 months ago +1

      @jjrscorpion that would depend on the other policies you have in place 👍

  • @pkeonz5300
    @pkeonz5300 6 months ago

    Hi Jonathan, thanks for the great video, but I have a question: how do bulk users enable the key feature? Thanks!!

    • @bearded365guy
      @bearded365guy 6 months ago

      @pkeonz5300 Hi, not sure I quite understand the question….

    • @theoyiorkas
      @theoyiorkas 6 months ago

      Through conditional access policy.

  • @ensarguler7684
    @ensarguler7684 6 months ago

    Does enabling the Fido2 security key method stop the 'Security Defaults' company-wide feature from working?

    • @bearded365guy
      @bearded365guy 6 months ago

      @ensarguler7684 No, it shouldn’t do.

  • @DannyNilsson
    @DannyNilsson 1 month ago

    I wasted so much time to figure this out. Went with the default settings and had it fail, but after these settings the enrollment started working.

  • @tiqhubwork
    @tiqhubwork 6 months ago

    Hey Jonathan, can we add multiple passkeys into the MS Authenticator?...

    • @bearded365guy
      @bearded365guy 6 months ago

      @tiqhubwork Yes, I have 3 in mine.

  • @alexjacxsens5134
    @alexjacxsens5134 6 months ago

    Hi Jonathan. Great tutorial! What if users switch phone? Can they switch the passkey also?

    • @bearded365guy
      @bearded365guy 6 months ago +1

      @alexjacxsens5134 they can back up their authenticator app.

    • @joeyusf
      @joeyusf 3 months ago

      @bearded365guy What happens if their personal iCloud account gets hacked into? Does that mean their passkey also falls into the hacker's hands?

  • @mdoner
    @mdoner 6 months ago +1

    Great video - thank you for all your content. I'm an Android guy - tried setting this up, believe I have the Passkey registered OK. When I attempt to sign in; I get a 'passkey not found' popup on my phone. I have confirmed that I marked Authenticator as a provider. Anyone else experiencing this issue? - I understand this is still in preview and there may likely be some kinks. Thanks!

    • @bearded365guy
      @bearded365guy 6 months ago

      @mdoner If you go into your security info in 365, can you see the passkey registered? Which method did you use to register your passkey?

  • @Jordan-k7l
    @Jordan-k7l 3 months ago +1

    iOS 18 update, iPhone settings to configure: Settings > General > Autofill & Passwords.

  • @robertpearson5069
    @robertpearson5069 6 months ago +1

    Would be cool if this could be used to sign into windows itself.

    • @bearded365guy
      @bearded365guy 6 months ago

      It really would be cool!

    • @lee161a
      @lee161a 6 months ago

      It doesn't work with Web Sign-in for Entra ID joined Windows 11 devices?

    • @bearded365guy
      @bearded365guy 6 months ago

      @lee161a Yes, for web sign-in. Not to log into a Windows PC

    • @lee161a
      @lee161a 6 months ago

      @bearded365guy I mean the feature "Web sign-in for Windows" that gives you an embedded browser window at the Ctrl-Alt-Delete screen to log on with OIDC to Windows.

  • @MrSam_Derp_Man
    @MrSam_Derp_Man 6 months ago +2

    important side note: Your mobile device needs to run iOS version 17, or Android version 14, or later.

  • @chrisdonovan677
    @chrisdonovan677 2 months ago

    On Android it's working only with Android 14, so about 70% of users are excluded. If you want to use it with Windows Hello, what are the AAGUIDs to add? Thanks. For Android there is no need to scan the QR code every time, while for iOS it's always there.. a little bit annoying..

  • @tejasshirgaonkar9608
    @tejasshirgaonkar9608 6 months ago

    Absolutely amazed with your presentation, crisp and complete information!!!
    Apart from M365 Business Premium licenses, I suppose this feature should also be available for users with E3 licenses,
    What are your thoughts?

    • @StevenMcKenzie-83
      @StevenMcKenzie-83 6 months ago

      @tejasshirgaonkar9608 yes, works for anyone with a P1 licence

    • @bearded365guy
      @bearded365guy 6 months ago +1

      @tejasshirgaonkar9608 Yes, it will be!

  • @expensivetechnology9963
    @expensivetechnology9963 6 months ago

    #JonathanEdwards I like your polished helpful content. However, I’m leery of sharing anything with Microsoft. When I do as you suggest @5:23 (e.g. enabling Microsoft Authenticator), does this share my iOS passwords with Microsoft Authenticator?

    • @bearded365guy
      @bearded365guy 6 months ago

      @expensivetechnology9963 No, nothing is shared.

  • @robjeeves
    @robjeeves 4 months ago

    bro, man in the mirror :-) Hilarious little joke in there. Good job !!!

  • @mohamehima1792
    @mohamehima1792 5 months ago

    Thanks for the video. I followed all the steps as explained and when I tried to log in I got an error "try again"

  • @g04tn4d0
    @g04tn4d0 2 months ago +1

    Jesus... what a convoluted way for an end user to have to present their passkey when logging in. Leave it to Microsoft!

  • @adventuresofa9jaguy322
    @adventuresofa9jaguy322 6 months ago

    Currently trying this and I think the CA policy takes time to kick in... maybe I'll give it like 2 hrs, but I did try the manual one and it doesn't feel seamless.. YubiKeys just might be better but more expensive.
    EDIT - it works now! 💪

  • @StijnHommes
    @StijnHommes 6 months ago

    Please stop performing unmarked and misleading advertisements like this.
    1. All advertising needs to be clearly marked in all videos.
    2. Passkeys don't improve your security, so this advert is misleading from the very first line.
    Microsoft should be ashamed of themselves for lying like that. Why would you want to promote that trash?
    Hackers have already circumvented passkey "security".

    • @bearded365guy
      @bearded365guy 6 months ago

      Perhaps you could elaborate….