Phishing-Resistant Authentication for cloud native environments with Azure AD using FIDO2

Overview and Introduction

The following guide describes how to set up Azure Active Directory (AAD) to use FIDO2 security keys for strong, phishing-resistant authentication. A brief description of an environment using FIDO2 is followed by details of the applicable use cases and, finally, detailed instructions on how to implement phishing-resistant authentication. Other forms of authentication are out of scope for the purposes of this guide; the focus is on FIDO2 only. Other authentication methods that support FIDO2 onboarding and/or recovery are mentioned, but they are not the focus of this guide. A description of FIDO2 and related terminology can be found here.


Figure 1. Phishing-Resistant Authentication for cloud native environments with Azure AD using FIDO2


Figure 1 (above) depicts the relationships between the major components in a cloud native environment using AAD as the only identity provider, where FIDO2 security keys are used for authentication. While both user information and lifecycle may be managed by another source, such as a Human Resources Management System (HRMS) using System for Cross-domain Identity Management (SCIM), AAD is the only source of identity in this cloud native environment.

It is important to note that different device types and management states support different scenarios with FIDO2 security keys. For example, both non-joined and AAD joined workstations support FIDO2 security key sign-in, but not for the same use cases. Windows, macOS and Linux also vary in when FIDO2 security keys can be used. Please see the "Supported use cases" and "Where supported" sections (below) for more details.


Registration of FIDO2 security keys

In the depicted scenario, the user is responsible for registering their own FIDO2 security keys (i.e. self-registration). Registration involves the user first signing in to My Account and navigating to the security info portal using an alternate authentication method that satisfies AAD's multi-factor authentication (MFA) requirements. Enterprises may opt to make these MFA requirements stricter so that only phishing-resistant methods qualify, but sign-in with at least basic multi-factor authentication is a minimum requirement before a user is able to register a new FIDO2 security key. For example, most organizations will use Certificate-based authentication (CBA), Temporary Access Pass (TAP) or Username + Password + One-time Password (OTP) to meet those MFA requirements.


Sign-in with FIDO2 security keys

Users may leverage FIDO2 security keys to sign in to many different systems on many different platforms. Authentication is centralized with AAD, and users' registered security keys work across a wide range of workstation and application sign-in scenarios, including sign-in to their Windows AAD joined workstations in both online and offline scenarios. Once signed in to their Windows workstations, users may sign in to applications including web applications, first-party Microsoft productivity applications, and other AAD protected custom and third-party apps. Other platforms such as macOS, Google Chromebooks and Linux also support sign-in to web applications.


Policy driven enforcement

Enterprises may enforce the use of FIDO2 security keys using Conditional Access (CA) with Authentication Strengths. This feature allows enterprises to require FIDO2 security keys on all devices and platforms that support them, while retaining the flexibility to allow alternate authentication methods or simply block access for scenarios that don't support FIDO2 authentication. These policies are an important tool that allows enterprises to support initial registration of FIDO2 credentials with alternate methods while preventing those non-FIDO2 methods from being used in any other scenario.
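The policy pair described above, written here as an added example using the Microsoft Graph PowerShell SDK (this is not code from the original guide). It assumes the tenant's built-in authentication strength ids shown below (check them with Get-MgPolicyAuthenticationStrengthPolicy), a placeholder break-glass group id, and that Policy.ReadWrite.ConditionalAccess consent has been granted.

```powershell
# Added example: enforce phishing-resistant MFA everywhere, but let standard MFA (e.g. a TAP)
# satisfy the "Register security information" user action so a user can enrol a first key.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Built-in authentication strength ids (assumed; verify in your tenant before use).
$PhishingResistantMfa = "00000000-0000-0000-0000-000000000004"   # FIDO2, CBA, Windows Hello for Business
$StandardMfa          = "00000000-0000-0000-0000-000000000002"   # any MFA combination
$BreakGlassGroupId    = "<break-glass-group-object-id>"          # placeholder: emergency access accounts

$strengthBase = "https://graph.microsoft.com/v1.0/policies/authenticationStrengthPolicies/"

# Policy 1: every cloud app, every platform, requires a phishing-resistant credential.
# Created in report-only state so sign-in logs can be reviewed before enforcement.
$requireFido2 = @{
    displayName = "Require phishing-resistant MFA for all cloud apps"
    state       = "enabledForReportingButNotEnforced"   # change to "enabled" after review
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($BreakGlassGroupId) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator = "OR"
        "authenticationStrength@odata.bind" = $strengthBase + $PhishingResistantMfa
    }
}

# Policy 2: the security-info registration user action is not a cloud app, so Policy 1 does not
# cover it. Standard MFA (TAP, OTP, CBA) is enough here, and nowhere else.
$allowRegistration = @{
    displayName = "Allow standard MFA for security info registration only"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($BreakGlassGroupId) }
        applications = @{ includeUserActions = @("urn:user:registersecurityinfo") }
    }
    grantControls = @{
        operator = "OR"
        "authenticationStrength@odata.bind" = $strengthBase + $StandardMfa
    }
}

foreach ($policy in @($requireFido2, $allowRegistration)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy |
        Select-Object DisplayName, State, Id
}
```

Review the report-only results for platforms marked "No" in the "Where supported" matrix (for example Android) and decide per platform whether to add a block policy or an exception before switching the state to "enabled".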

The "Supported use cases" section below provides additional context for how FIDO2 is used in the environment shown in Figure 1 (above).


Some of the acronyms and key terms used throughout the guide are defined in the glossary table below, to help provide clarity and context.


Acronym   Term
AAD       Azure Active Directory
AD        Active Directory
AD FS     Active Directory Federation Services
CA        Conditional Access
FIDO2     Fast IDentity Online version 2
HRMS      Human Resources Management System
NFC       Near Field Communication
OTP       One-Time Password
RP        Relying Party
TAP       Temporary Access Pass
USB       Universal Serial Bus


Supported use cases

  • Sign-in to Azure Active Directory protected native applications
  • Sign-in to Azure Active Directory protected web applications
  • Sign-in to Azure Active Directory joined Windows 10 & 11 workstations
  • Sign-on to Azure Active Directory protected Azure Virtual Desktop sessions
  • Remote sign-in to Azure Active Directory joined Windows 10 & 11 desktop sessions
  • Remote sign-in to Azure Active Directory joined AVD Session Hosts


Where supported

This matrix represents where FIDO2 sign-in is supported for the target-state architecture depicted above.

Columns:
  (1) Web applications in a browser (Edge, Safari)
  (2) Native applications (MS 365)
  (3) IWA Apps (File ..., Databases, etc.)
  (4) Windows sign in
  (5) Remote Desktop and Azure Virtual Desktop

Platform                         (1)   (2)   (3)   (4)   (5)
Windows Azure AD joined          Yes   Yes   N/A   Yes   Yes
Windows Hybrid Azure AD joined   N/A   N/A   N/A   N/A   N/A
Windows AD joined                N/A   N/A   N/A   N/A   N/A
Windows non domain joined        Yes   Yes   N/A   No    Yes
macOS                            Yes   No    N/A   No    Yes*
Android                          No    No    N/A   No    No
iPhone                           Yes   No    N/A   No    No
iPad                             Yes   No    N/A   No    No
ChromeOS                         Yes   No    N/A   No    Yes*

N/A = Not Applicable. * AVD only.


Prerequisites and Requirements

Azure AD FIDO2 Passwordless Requirements

  • Office 365 or Azure AD free tier or greater.
  • Supported FIDO2 security keys
  • Windows 10 v1903+ for Windows sign-in support
  • Supported browser


Deployment Guidance

Below are the step-by-step instructions to assist with the setup and deployment of Azure AD FIDO2 Passwordless, in addition to helpful supplemental guides for further reading. Finally, a troubleshooting section can also be found below, outlining common and known issues that may be encountered during implementation or setup. In the event these materials still do not provide enough information, please contact our helpful Yubico Support team for additional guidance, or the Yubico Sales team for assistance with purchasing YubiKeys and other Yubico devices.


Step-by-step instructions

These are the high-level steps for enabling FIDO2 security keys. Please see the Supplemental Guides for more detailed information. Note that attestation information is only collected during initial registration, so if there is any possibility that attestation information will be required in the future for compliance reasons, it’s highly recommended that attestation is enforced before any wide rollout of security keys.

  1. Sign in to the Azure portal
  2. Enable FIDO2 security keys as an Authentication Method
    1. Enable self-service setup
    2. Enforce attestation (Recommended)
    3. Enforce key restrictions (Optional)
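Steps 2 through 2.3 can also be applied with the Microsoft Graph PowerShell SDK instead of the portal. The block below is an added example, not code from the original guide; it assumes Policy.ReadWrite.AuthenticationMethod consent and uses a placeholder AAGUID that must be replaced with the values of the key models your organization issues.

```powershell
# Added example: enable the FIDO2 authentication method with self-service registration,
# enforced attestation and an AAGUID allow-list, then read the configuration back.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"

# An AAGUID identifies a security key model and is taken from the key's attestation at
# registration. Placeholder below: with enforcementType "allow", any key whose AAGUID is
# not listed is rejected at registration, so fill this list before enabling enforcement.
$allowedAaguids = @(
    "00000000-0000-0000-0000-000000000000"   # placeholder: replace with a real model AAGUID
)

$fido2 = @{
    "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    state                            = "enabled"
    isSelfServiceRegistrationAllowed = $true   # step 2.1: users enrol keys via My Security Info
    isAttestationEnforced            = $true   # step 2.2: attestation is only captured at
                                               #           registration, so enforce before rollout
    keyRestrictions                  = @{      # step 2.3: optional restriction by key model
        isEnforced      = $true
        enforcementType = "allow"              # "block" turns the list into a deny-list
        aaGuids         = $allowedAaguids
    }
    includeTargets = @(
        @{ targetType = "group"; id = "all_users"; isRegistrationRequired = $false }
    )
}

Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "fido2" -BodyParameter $fido2

# Read back the effective configuration so the change can be confirmed and recorded.
Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "fido2" | ConvertTo-Json -Depth 5
```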


Supplemental Guides





For information on how to best utilize FIDO2 security keys once they are enabled, the additional resources below are available. Firstly, some best practice guides to help ensure both optimal deployment and maximum solution effectiveness. Next, some optional transition guidance to help migrate from one solution to one or more alternative deployments. And finally, some commonly asked questions and answers that may not already be covered in the supplemental guides or troubleshooting sections.
Remember to enquire about our Professional Services team if hands-on or specific deployment assistance is required, and Yubico will gladly send one or more of our best people to help with your specific implementation!

Best Practices

YubiKey Lifecycle Management Best Practices with Microsoft Azure AD Passwordless


Common Questions

Yubico FAQ