YubiKeys for Microsoft Entra ID Passwordless Sign In Guide


Introduction

Microsoft allows organizations to enable FIDO2 Security Keys as a passwordless authentication factor. By using Microsoft Passwordless Login flows, organizations may realize the following benefits:

  • Strong security - improved protection against phishing, man-in-the-middle, and password spray attacks
  • Improved user experience - end users no longer have to deal with long, complex, and rotating passwords
  • Reduced costs - minimize password-related help desk tickets that account for a large percentage of IT help desk resources

Microsoft’s Passwordless sign-in with YubiKeys applies to the following scenarios:

  1. Entra ID Active Directory web applications
  2. Entra ID Active Directory joined Windows 10/11 devices (Windows 10 1909 and later)
  3. Hybrid Entra ID Active Directory joined Windows 10/11 devices (Windows 10 2004 and later)

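The chart below indicates where the YubiKey works with Entra ID Passwordless (FIDO2). This assumes the current versions of operating systems and browsers.

|                                   | Chrome/Edge browsers | Safari | MS 365 native apps | Device sign in |
|-----------------------------------|----------------------|--------|--------------------|----------------|
| Windows Entra ID AD joined        | Yes                  |        | Yes                | Yes            |
| Windows Hybrid Entra ID AD joined | Yes                  |        | Yes                | Yes            |
| Windows AD joined                 | Yes                  |        | Yes                | No             |
| Windows non-AD joined             | Yes                  |        | Yes                | No             |
| macOS                             | Yes                  | Yes    | Yes                | No             |
| Linux                             | Yes                  |        | No                 | No             |
| Android                           | Yes                  |        | No                 | No             |
| iPhone                            | Yes                  | Yes    | Yes                | No             |
| iPad                              | Yes                  | Yes    | Yes                | No             |
| ChromeOS                          | Yes                  |        | No                 | No             |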

For more details on Entra ID AD Passwordless support, see Microsoft's documentation: Browser support of FIDO2 passwordless authentication.

The documents attached below serve as a guide for organizations looking to configure and deploy Microsoft’s Passwordless Sign-in for Entra ID AD. More information about the Microsoft + Yubico partnership can be found here.

Getting Additional Help

For more information, and to get help with your YubiKeys, see the following guides (updated June 2023):