Microsoft has released synced passkeys for Microsoft Entra ID in public preview, and I’m going to show you how to configure it. First, though, we need to understand what a passkey is. A passkey is a FIDO2 (WebAuthn) credential: a public/private key pair created by an authenticator on the user’s device. The identity provider (IdP) stores only the public key; the private key stays on the authenticator and is unlocked locally with a biometric or a PIN, so no password and no secret ever leaves the device during sign-in. Until now, passkeys in Microsoft Entra have been device-bound, meaning the private key never leaves the authenticator it was created on, so a separate passkey has to be registered for every device you want to sign in from. A synced passkey solves this problem: the passkey provider (for example the password manager built into your phone or browser) backs the credential up to the provider’s cloud and syncs it to the user’s other devices, so the credential is effectively bound to the user’s account with that provider rather than to one piece of hardware.  

Step 1: Opt in to the public preview 

First you need to opt in to the public preview by clicking the hyperlink in the banner on the Passkey (FIDO2) settings page.  
 
Open https://entra.microsoft.com/. Under Entra ID in the left navigation pane, select Authentication methods, then under Manage select Policies, and under Method select Passkey (FIDO2). 

Screenshot: Entra Passkey (FIDO2) settings

Step 2: Edit the default passkey profile 

If passkeys are not already enabled on your tenant, you will be prompted to edit the default passkey profile. Select Edit default passkey profile. 

Screenshot: Warning banner

For now, select Enforce attestation, which automatically selects Device-bound as the target type, and hit Save. With attestation enforced, Entra checks the attestation statement the authenticator returns at registration, so only passkeys from authenticators that can prove their make and model are accepted on this profile. We will configure synced passkeys in a separate profile.

Screenshot: Passkey profile

Step 3: Enable passkeys (if not already enabled) 

Under Passkey (FIDO2) settings, toggle Enable to On and hit Save. 

Screenshot: Enable passkey

Step 4: Create a synced profile 

Select the Configure tab and then select Add profile (preview). Fill in the profile settings and hit Save.

Screenshot: Configure profile

Notice that Enforce attestation is not selected. That setting is incompatible with synced passkeys: a synced passkey is created by a software passkey provider and does not carry an attestation statement from a hardware authenticator, so a profile that enforces attestation would reject it at registration. The trade-off is that Entra cannot cryptographically verify which provider created a synced passkey. You can ignore the warning banner at the bottom of the above image, which appears whenever Enforce attestation is not enabled.  

The Target specific AAGUIDs setting is optional. An AAGUID identifies the authenticator model or passkey provider that created a credential, so this setting lets you allow or block particular providers (Google Password Manager, for example) or particular security-key models instead of accepting any passkey. Leave it unchecked; it isn’t required for this tutorial, but be aware that without it this profile accepts a passkey from any provider.  

Step 5: Target the profile 

The final step in Entra is to target the synced profile at a group of users. In this example, I targeted helpdesk agents and added my account to that group.  

Screenshot: Add group to profile
Screenshot: Add synced profile to group
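Once Steps 2 to 5 are done, it is worth confirming from outside the portal what the tenant-wide Passkey (FIDO2) policy actually says, because the synced profile deliberately drops attestation. The script below is an added example written for this post, not Microsoft’s own tooling or code from the original article. It assumes the Microsoft.Graph PowerShell module is installed and that the signed-in admin has the Policy.Read.All permission. It reads the tenant-wide settings from the Graph v1.0 fido2 configuration; whether the per-profile settings added by this preview are exposed through that same endpoint is an assumption I have not verified, so the portal remains the authoritative view of each profile.

```powershell
# Added example (not from the original post): audit the tenant-wide Passkey (FIDO2)
# configuration with Microsoft Graph PowerShell.
# Assumes: Microsoft.Graph module installed; caller holds Policy.Read.All.
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

$fido2 = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2"

# Summarise the settings that map onto the portal steps above.
[pscustomobject]@{
    State                   = $fido2.state                          # enabled / disabled (Step 3)
    SelfServiceRegistration = $fido2.isSelfServiceRegistrationEnabled
    AttestationEnforced     = $fido2.isAttestationEnforced          # Step 2 vs Step 4 trade-off
    KeyRestrictionsEnforced = $fido2.keyRestrictions.isEnforced     # "Target specific AAGUIDs"
    EnforcementType         = $fido2.keyRestrictions.enforcementType # allow / block
    AAGUIDs                 = ($fido2.keyRestrictions.aaGuids -join ', ')
    Targets                 = (($fido2.includeTargets | ForEach-Object { "$($_.targetType):$($_.id)" }) -join ', ')
} | Format-List

# The check a reviewer would want: an enabled policy that neither enforces attestation
# nor restricts AAGUIDs accepts a credential from any passkey provider whatsoever.
if ($fido2.state -eq 'enabled' -and
    -not $fido2.isAttestationEnforced -and
    -not $fido2.keyRestrictions.isEnforced) {
    Write-Warning ("Passkeys are enabled without attestation or AAGUID restrictions: " +
                   "any passkey provider is accepted. Confirm this is intended for the targeted group(s).")
}
```

Run it before and after creating the synced profile; the warning firing is expected for a tenant that allows synced passkeys, and the point of the check is to make sure the include targets are the limited group you chose in Step 5 rather than all users.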

Step 6: Add a passkey as a sign-in method 

Browse to My Sign-Ins > Security info (https://mysignins.microsoft.com/security-info) and click Add sign-in method. Select Passkey and go through the options available to you. In my case, I chose to create a passkey using a different device so I can use biometrics on my Android phone rather than on the device I’m currently using.  

Screenshot: My Account, select Passkey
Screenshot: Create a passkey
Screenshot: Change device to save the passkey
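After registering, an admin can verify from Graph which passkey was created and whether it carried an attestation statement. This is an added example written for this post, not code from the original article or from Microsoft. It assumes the Microsoft.Graph module is installed, the caller holds UserAuthenticationMethod.Read.All, and the user principal name below is a placeholder to be replaced with the account that just registered.

```powershell
# Added example (not from the original post): list the FIDO2/passkey methods registered
# on one account and show whether each credential was attested.
# Assumes: Microsoft.Graph module installed; caller holds UserAuthenticationMethod.Read.All.
Connect-MgGraph -Scopes "UserAuthenticationMethod.Read.All" -NoWelcome

$upn = "user@contoso.com"   # placeholder UPN, not from the post; replace before running

$methods = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/users/$upn/authentication/fido2Methods"

$methods.value | ForEach-Object {
    [pscustomobject]@{
        DisplayName      = $_.displayName
        Created          = $_.createdDateTime
        Model            = $_.model
        AAGUID           = $_.aaGuid            # identifies the provider/authenticator model
        AttestationLevel = $_.attestationLevel  # 'attested' or 'notAttested'
    }
} | Format-Table -AutoSize
```

A passkey registered under the synced profile should appear with AttestationLevel notAttested, because that profile does not enforce attestation; a security key registered under the default profile should show attested. The AAGUID column is what the optional Target specific AAGUIDs setting in Step 4 would match against.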

Step 7: Enjoy 

In a modern workplace with a lot of hot-desking, shared computers on a warehouse floor, or techies like me who have too many gadgets, synced passkeys are a game changer.   

If you enjoyed my blog, please subscribe to get emailed when I release more.
