Azure AD – End user FIDO Security key sign-in and experience

Since I’ve been doing vlogs on my YouTube channel for the past 10 months, it’s been a while since I last blogged. Today I decided to blog about the procedure for using password-free FIDO sign-in with the Office 365 apps.

Today we will take a look at how to set up passwordless sign-in with a FIDO security key, from the end-user perspective.

In this demo we are going to use a Feitian FIDO2-certified key. You can take a look at their products on their website.

You can also see the list of FIDO2 security key providers that Microsoft supports on the Microsoft Docs website; Feitian is one of them.

Purchasing from the Microsoft website gave me a 15 percent discount with an invite, and the final price was 20 Euros to protect my wife’s login on her PC; finally she can be relieved from entering her password for her work.

You can check the FIDO version of a key with this handy tool: https://fido.ftsafe.com/get-security-key-information/

A screenshot similar to the one below appears when you plug the security key into your laptop and run the utility as administrator on Windows.

FIDO keys work out of the box with operating systems and browsers including Windows, macOS, Chrome OS, Linux, Chrome, and Edge. The Feitian key works the same way as the other products on Microsoft’s supported list of keys.

To set up the biometric (BIO) key we first need to enable the FIDO2 security key method in the Authentication methods policy in the Azure portal.
We can target the method at specific groups, which is a good idea for a staged rollout.

Furthermore, in the Configure part there are options that can be set based on your requirements (self-service registration, attestation enforcement and key restrictions).

Allow self-service set up should remain set to Yes. If it is set to No, your users will not be able to register a FIDO key through the My Security Info portal, even though the method is enabled by the Authentication methods policy.
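The same settings can be applied and checked through Microsoft Graph instead of the portal. The following is an added example, not code from the original post: it builds the PATCH body for the `Fido2` authentication method configuration (resource `policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2`, property names as in the `fido2AuthenticationMethodConfiguration` Graph type) and lints it for the settings that silently break end-user registration, such as self-service set to No. The group id and bearer token are placeholders; the request is assembled but not sent.

```python
"""Build and sanity-check the Azure AD FIDO2 authentication method policy.

Added example, not code from the original post. The Graph resource is
policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2;
the group object id and bearer token below are placeholders.
"""
import json

GRAPH_FIDO2_POLICY = (
    "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/"
    "authenticationMethodConfigurations/Fido2"
)
PILOT_GROUP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder group object id


def fido2_policy(*, enabled=True, self_service=True, attestation=True,
                 group_ids=(PILOT_GROUP_ID,), allowed_aaguids=()):
    """Return the PATCH body for the Fido2 authentication method configuration."""
    body = {
        "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
        "state": "enabled" if enabled else "disabled",
        "isSelfServiceRegistrationEnabled": self_service,   # the "Allow self-service set up" switch
        "isAttestationEnforced": attestation,               # validate make/model at registration
        "includeTargets": [
            {"targetType": "group", "id": gid, "isRegistrationRequired": False}
            for gid in group_ids
        ],
    }
    if allowed_aaguids:
        # Key restrictions: only keys whose AAGUID is listed may be registered.
        body["keyRestrictions"] = {
            "isEnforced": True,
            "enforcementType": "allow",
            "aaGuids": list(allowed_aaguids),
        }
    return body


def lint_fido2_policy(body):
    """Flag settings that break end-user registration or weaken the method."""
    findings = []
    if body.get("state") != "enabled":
        findings.append("state is not 'enabled': users cannot register or sign in with a key")
    if not body.get("isSelfServiceRegistrationEnabled", False):
        findings.append("isSelfServiceRegistrationEnabled is False: registration via "
                        "My Security Info fails even though the method is enabled")
    if not body.get("isAttestationEnforced", False):
        findings.append("isAttestationEnforced is False: make and model of keys are not validated")
    if not body.get("includeTargets"):
        findings.append("includeTargets is empty: the method is enabled for nobody")
    kr = body.get("keyRestrictions")
    if kr and kr.get("isEnforced") and kr.get("enforcementType") == "allow" and not kr.get("aaGuids"):
        findings.append("keyRestrictions allow-list is enforced but empty: every key is blocked")
    return findings


def patch_request(body, bearer_token):
    """Assemble the HTTP request as (method, url, headers, json_body) without sending it."""
    headers = {"Authorization": f"Bearer {bearer_token}",
               "Content-Type": "application/json"}
    return "PATCH", GRAPH_FIDO2_POLICY, headers, json.dumps(body)


if __name__ == "__main__":
    weak = fido2_policy(self_service=False, attestation=False)
    for finding in lint_fido2_policy(weak):
        print("weak policy:", finding)
    good = fido2_policy()
    print("good policy findings:", lint_fido2_policy(good))
    print(patch_request(good, "<token>")[3])
```

Sending the request needs an app or delegated token with the Policy.ReadWrite.AuthenticationMethod permission; run the lint first, because a disabled self-service switch produces no error in the portal, only a failed registration for the user later.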

You can take a look at the additional prerequisites, with steps, in this video, which was published a few weeks ago.

Once the user has the FIDO key, the first thing to do is to sign in to https://mysignins.microsoft.com

Use the option Add sign-in method and select Security key.

After signing in we are redirected to the security key setup at the common endpoint login.microsoft.com

The next step tells us that Microsoft will validate the make and model of our security key. This makes sure the key is on their supported list; after validation a credential is created that allows us to sign in without typing a username.

On the next screen we are prompted to enter the security key PIN.

Next it asks us to enrol our fingerprint on the key (the biometric stays on the key itself) and then registers the key’s credential for our identity with the Microsoft cloud.

As a last step we are prompted to enter a name for this key, so that we can recognise it on the security info page when we sign in to mysignins.microsoft.com

Performing the above steps registers the security key with that particular user account. The FIDO2 specification requires each security key vendor to supply an Authenticator Attestation GUID (AAGUID) during attestation. An AAGUID is a 128-bit identifier that indicates the key type, such as the make and model; Azure AD uses it, together with the attestation statement, to validate the make and model at registration and to apply any key restrictions (allow or block lists of AAGUIDs) the admin has configured.
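The AAGUID is carried inside the authenticator data that the key returns during registration, right before the credential id and public key. The following is an added example, not code from the original post or from Microsoft or Feitian: it parses raw WebAuthn authenticator data (layout per the WebAuthn spec: rpIdHash, flags, signCount, attested credential data), extracts the AAGUID and flags, and applies the checks a relying party makes on a new credential, namely RP ID match, user verification (PIN or biometric) and an AAGUID allow-list. The AAGUID, credential id and COSE key in the sample are constructed values, not a real vendor's; the RP ID `login.microsoft.com` is the endpoint named in the post.

```python
"""Parse WebAuthn authenticator data and pull out the AAGUID.

Added example, not code from the original post. Layout follows the WebAuthn
spec (rpIdHash | flags | signCount | attestedCredentialData); the AAGUID,
credential id and COSE key in the sample are constructed, not a real vendor's.
"""
import hashlib
import struct
import uuid

RP_ID = "login.microsoft.com"   # RP ID the post shows Azure AD using for FIDO2

# Flag bits in the authenticator data flags byte
FLAG_UP, FLAG_UV, FLAG_AT, FLAG_ED = 0x01, 0x04, 0x40, 0x80


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split raw authenticator data into its fields; the AAGUID only exists when AT is set."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the fixed 37-byte header")
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    parsed = {
        "rp_id_hash": rp_id_hash,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "attested_credential": bool(flags & FLAG_AT),
        "extensions": bool(flags & FLAG_ED),
        "sign_count": sign_count,
    }
    if flags & FLAG_AT:
        body = auth_data[37:]
        if len(body) < 18:
            raise ValueError("attested credential data truncated")
        parsed["aaguid"] = str(uuid.UUID(bytes=body[:16]))      # 16-byte vendor/model id
        (cred_len,) = struct.unpack(">H", body[16:18])
        parsed["credential_id"] = body[18:18 + cred_len].hex()
        # The remainder is the COSE public key (CBOR). If ED is also set, extension
        # data follows it and a real CBOR decoder is needed to find the boundary.
        parsed["cose_key"] = body[18 + cred_len:]
    return parsed


def check_registration(parsed: dict, allowed_aaguids: set, rp_id: str = RP_ID) -> list:
    """Policy checks a relying party applies to a newly registered FIDO2 credential."""
    problems = []
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rpIdHash does not match the relying party")
    if not parsed["attested_credential"]:
        problems.append("no attested credential data: not a registration response")
        return problems
    if not parsed["user_verified"]:
        problems.append("UV flag not set: key did not verify the user (PIN/biometric)")
    if parsed["aaguid"] not in allowed_aaguids:
        problems.append(f"AAGUID {parsed['aaguid']} is not on the allow-list")
    return problems


# --- constructed sample (not a real key's data) ---------------------------------
SAMPLE_AAGUID = uuid.UUID("12345678-1234-5678-1234-56789abcdef0")   # made-up AAGUID
SAMPLE_COSE_KEY = bytes.fromhex(          # CBOR COSE_Key: kty EC2, alg ES256, crv P-256, x, y
    "a5010203262001" + "215820" + "11" * 32 + "225820" + "22" * 32)


def build_sample(flags: int = FLAG_UP | FLAG_UV | FLAG_AT, rp_id: str = RP_ID) -> bytes:
    """Assemble authenticator data the way a key would, with a fixed 16-byte credential id."""
    cred_id = bytes(range(16))
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + struct.pack(">I", 0)
            + SAMPLE_AAGUID.bytes + struct.pack(">H", len(cred_id)) + cred_id
            + SAMPLE_COSE_KEY)


if __name__ == "__main__":
    parsed = parse_authenticator_data(build_sample())
    print("AAGUID:", parsed["aaguid"], "UV:", parsed["user_verified"])
    print("problems:", check_registration(parsed, {str(SAMPLE_AAGUID)}))
    no_uv = parse_authenticator_data(build_sample(FLAG_UP | FLAG_AT))
    print("no UV:", check_registration(no_uv, {str(SAMPLE_AAGUID)}))
```

The AAGUID is self-reported by the key, so an allow-list is only meaningful when the attestation statement is verified against the vendor's certificate chain as well; that is what the "enforce attestation" setting in the policy adds, and why the two options belong together.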

Now we have successfully set up the passwordless method for this account. How do we verify this from the admin side? We can check it under User registration details in the Authentication methods section (or, with Microsoft Graph, under the user’s authentication/fido2Methods, which lists the registered key’s AAGUID and model).

Finally, when the user attempts to sign in to, say, https://office.com, they are offered the option to sign in passwordless, as shown below (choose Sign in with a security key).

After selecting that option the user is challenged for the PIN and then for the biometric to complete the sign-in.

Finally the user is signed in.

There are also ways to check whether the user has signed in passwordless, which I have covered in this video.
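One way to do that check from the sign-in logs, as an added example that is not part of the original post: a sign-in was passwordless when its successful authentication steps include the FIDO2 security key and contain no password step (a key used as a second factor after a password is not passwordless). Field names follow the Microsoft Graph `signIn` resource (`authenticationDetails`, `status.errorCode`); the records below are constructed, and the method strings ("FIDO2 security key", "Password", "Mobile app notification") are assumed to match those shown in the portal's Authentication Details tab.

```python
"""Spot passwordless (FIDO2) sign-ins in Azure AD sign-in log records.

Added example, not code from the original post. Field names follow the
Microsoft Graph signIn resource; the records below are constructed and the
authentication method strings are assumed to match your export.
"""
import json

FIDO2 = "FIDO2 security key"
PASSWORD = "Password"


def classify_signin(record: dict) -> str:
    """Return 'passwordless-fido2', 'password', 'failed' or 'other' for one sign-in."""
    if record.get("status", {}).get("errorCode", 0) != 0:
        return "failed"
    methods = {step.get("authenticationMethod")
               for step in record.get("authenticationDetails", [])
               if step.get("succeeded")}
    if FIDO2 in methods and PASSWORD not in methods:
        return "passwordless-fido2"   # the key did the whole job, no password step
    if PASSWORD in methods:
        return "password"             # a key may still appear here as a second factor
    return "other"


def summarize(records) -> dict:
    """Count sign-ins per user and class, to confirm a user really went passwordless."""
    out = {}
    for record in records:
        upn = record.get("userPrincipalName", "?")
        kind = classify_signin(record)
        out.setdefault(upn, {})
        out[upn][kind] = out[upn].get(kind, 0) + 1
    return out


# Constructed sample records (not real log data); error codes are placeholders.
SAMPLE_LOG = json.loads("""[
 {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Office 365",
  "status": {"errorCode": 0},
  "authenticationRequirement": "multiFactorAuthentication",
  "authenticationDetails": [
    {"authenticationMethod": "FIDO2 security key", "succeeded": true}]},
 {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Office 365",
  "status": {"errorCode": 0},
  "authenticationRequirement": "multiFactorAuthentication",
  "authenticationDetails": [
    {"authenticationMethod": "Password", "succeeded": true},
    {"authenticationMethod": "Mobile app notification", "succeeded": true}]},
 {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Office 365",
  "status": {"errorCode": 50126},
  "authenticationDetails": [
    {"authenticationMethod": "FIDO2 security key", "succeeded": false}]}
]""")

if __name__ == "__main__":
    for record in SAMPLE_LOG:
        print(record["userPrincipalName"], "->", classify_signin(record))
    print(summarize(SAMPLE_LOG))
```

Feed it the JSON from `GET /auditLogs/signIns` (or an export of the SigninLogs table) to get a per-user tally; a user who is supposed to be passwordless but keeps showing up in the `password` bucket is the one to follow up on.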

Overall I would say passwordless authentication is a really good option and can improve the security posture in many ways, especially in a shared-PC environment. It also simplifies the user sign-in experience: no passwords, and strong authentication for your cloud as well as your on-premises resources. Each organization can define different personas for securing credentials; you can classify your users and choose the right method for each based on the table in this Microsoft article.

Beyond the keys themselves, this gives the end user passwordless cloud authentication without any additional investment, using Azure AD itself to provide this feature.

A few takeaways:

  1. Make sure you choose FIDO security keys that are supported for Azure AD. You can find the list here.
  2. If you want to remove the FIDO key from the account, you can simply remove it from the security info page; an admin can also remove it from the user’s authentication methods.
  3. The private keys stored on FIDO2 security keys are protected by a secure element. A FIDO2 security key also has built-in anti-hammering, similar to Windows Hello: the CTAP2 spec limits PIN retries, after which the key must be reset, and the private key cannot be extracted.
  4. At the time of writing there is no way for admins to provision FIDO keys on behalf of end users. Each user who wants to use this sign-in method has to complete the registration process themselves.
  5. If you want to extend passwordless sign-in to on-premises applications, Azure AD Kerberos needs to be extended to on-premises by creating the Azure AD Kerberos server object, which appears in Active Directory as a read-only domain controller (RODC) object. Take a look at the detailed steps in this video.
  6. While registering the FIDO key, never use Incognito (private browsing) mode: the registration will not complete in that mode. Note that the private key itself never leaves the key in any mode; it is the credential registration that fails.

Regards

Sathish Veerapandian
