Overview and Introduction
The following guide describes how to set up Azure Active Directory (AAD) to use FIDO2 security keys for strong phishing-resistant authentication. A brief description of an environment using FIDO2 will be followed by details relating to the applicable use cases, and finally detailed instructions on how to ultimately implement phishing-resistant authentication. It is important to note that other forms of authentication are considered out of scope for the purposes of this guide, and the focus will instead be on FIDO2 only. Other authentication methods that support FIDO2 onboarding and/or recovery will be mentioned, but it should be made clear that those methods will not be the focus of this guide. A description of FIDO2 and related terminology can be found here.
Figure 1. Phishing-Resistant Authentication for cloud native environments with Azure AD using FIDO2
Figure 1 (above) depicts the relationships between the major components in a cloud native environment that uses AAD as the only identity provider and FIDO2 security keys for authentication. While user information and lifecycle may be managed by another source, such as a Human Resources Management System (HRMS) using System for Cross-domain Identity Management (SCIM), AAD is the only source of identity in this cloud native environment.
It is important to note that different device types and management states support different scenarios with FIDO2 security keys. For example, both non-joined and AAD joined workstations support FIDO2 security key sign-in, but not for the same use cases. Windows, macOS and Linux also vary in when FIDO2 security keys can be used. Please see the "Supported use cases" and "Where supported" sections (below) for more details.
Registration of FIDO2 security keys
In the depicted scenario, the user is responsible for registration of their own FIDO2 security keys (i.e. self-registration). Registration involves the user first signing into My Account and navigating to the security info portal with an alternate authentication method that satisfies AAD's multi-factor authentication requirements. Enterprises may opt to make these MFA requirements stricter to include only those that are phishing-resistant, but sign-in with at least basic multi-factor authentication is a minimum requirement before a user is able to register a new FIDO2 security key. For example, most organizations will either use Certificate-based authentication (CBA), Temporary Access Pass (TAP) or Username + Password + One-time Password (OTP) to meet those MFA requirements.
Sign-in with FIDO2 security keys
Users may use FIDO2 security keys to sign in to many different systems on many different platforms. Authentication is centralized in AAD, and a user's registered security keys work across a wide range of workstation and application sign-in scenarios, including sign-in to AAD joined Windows workstations in both online and offline scenarios. Once signed in to their Windows workstations, users may sign in to applications including web applications, first-party Microsoft productivity applications, and other AAD protected custom and third-party apps. Other platforms such as macOS, Google Chromebooks and Linux also support sign-in to web applications.
Policy driven enforcement
Enterprises may enforce the use of FIDO2 security keys using Conditional Access (CA) with Authentication Strengths. This feature allows enterprises to require FIDO2 security keys on all devices and platforms that support them, while retaining the flexibility to allow alternate authentication methods, or simply block access, for scenarios that do not support FIDO2 authentication. These policies are an important tool that allows enterprises to support initial registration of FIDO2 credentials with alternate methods while preventing those non-FIDO2 methods from being used in any other scenario.
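As an added illustration (not Yubico's or Microsoft's own code), the policy pattern just described expressed as Microsoft Graph conditionalAccessPolicy bodies, with a small evaluator that applies the CA rule that every enabled, matching policy must be satisfied and that report-only policies enforce nothing. It assumes the built-in authentication strength ids shown (verify them in your tenant), takes the platform list from the support matrix below, and simplifies matching so that a registration request is matched only by policies that target that user action.

```python
"""Conditional Access (CA) design from this section as Microsoft Graph conditionalAccessPolicy
objects, plus an evaluator for which grant controls a given sign-in must satisfy."""
# Built-in authentication strength ids as published by Microsoft Graph (assumed here; confirm with
# GET /identity/conditionalAccess/authenticationStrength/policies in your tenant).
MFA_STRENGTH = "00000000-0000-0000-0000-000000000002"
PHISHING_RESISTANT = "00000000-0000-0000-0000-000000000004"
REGISTER_SECURITY_INFO = "urn:user:registersecurityinfo"
FIDO2_PLATFORMS = ["windows", "macOS"]  # platforms the support matrix lists for browser sign-in


def ca_policy(name, grant, include=("all",), exclude=(), user_action=None, state="enabled"):
    """One policy body for POST /identity/conditionalAccess/policies; a policy targets either
    all cloud apps or a single user action (here: registering security info)."""
    apps = {"includeUserActions": [user_action]} if user_action else {"includeApplications": ["All"]}
    return {"displayName": name, "state": state,  # or "enabledForReportingButNotEnforced"
            "conditions": {"users": {"includeUsers": ["All"]}, "applications": apps,
                           "platforms": {"includePlatforms": list(include), "excludePlatforms": list(exclude)}},
            "grantControls": {"operator": "OR", **grant}}


def fido2_policy_set():
    """Three policies: any MFA only to register a key, phishing-resistant strength for every app
    on platforms that support FIDO2, and block for all other platforms."""
    return [
        ca_policy("Register security info: any MFA", {"authenticationStrength": {"id": MFA_STRENGTH}},
                  user_action=REGISTER_SECURITY_INFO),
        ca_policy("All apps: phishing-resistant MFA", {"authenticationStrength": {"id": PHISHING_RESISTANT}},
                  include=FIDO2_PLATFORMS),
        ca_policy("Other platforms: block", {"builtInControls": ["block"]}, exclude=FIDO2_PLATFORMS),
    ]


def required_controls(policies, platform, user_action=None):
    """Controls a sign-in must satisfy: every enabled policy whose platform and target match applies
    and all of them must be met; report-only and disabled policies never enforce.  Simplified
    model: a registration request matches only policies that target that user action."""
    hits = []
    for p in policies:
        plat, apps = p["conditions"]["platforms"], p["conditions"]["applications"]
        if p["state"] != "enabled" or platform in plat["excludePlatforms"]:
            continue
        if plat["includePlatforms"] != ["all"] and platform not in plat["includePlatforms"]:
            continue
        if user_action is None and "includeApplications" not in apps:
            continue
        if user_action and user_action not in apps.get("includeUserActions", []):
            continue
        grant = p["grantControls"]
        hits.append("block" if "block" in grant.get("builtInControls", []) else grant["authenticationStrength"]["id"])
    return hits
```

Setting the enforcement policy to report-only shows why staged rollouts need care: with it in that state, a Windows app sign-in has no strength requirement at all.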
The "Supported use cases" section of this document (below) provides additional context on how FIDO2 is used, as seen in Figure 1 (above).
Some of the acronyms and key terms used throughout the guide are defined in the glossary table below, to help provide clarity and context.
| Term | Definition |
|---|---|
| AAD | Azure Active Directory |
| AD | Active Directory |
| AD FS | Active Directory Federation Services |
| CA | Conditional Access |
| FIDO2 | Fast IDentity Online version 2 |
| HRMS | Human Resources Management System |
| NFC | Near Field Communication |
| OTP | One-Time Password |
| RP | Relying Party |
| TAP | Temporary Access Pass |
| USB | Universal Serial Bus |
Supported use cases
- Sign-in to Azure Active Directory protected native applications
- Sign-in to Azure Active Directory protected web applications
- Sign-in to Azure Active Directory joined Windows 10 & 11 workstations
- Sign-in to Azure Active Directory protected Azure Virtual Desktop sessions
- Remote sign-in to Azure Active Directory joined Windows 10 & 11 desktop sessions
- Remote sign-in to Azure Active Directory joined AVD Session Hosts
Where supported
This matrix represents where FIDO2 sign-in is supported for the target-state architecture depicted above.
| Device / platform | Chrome, Edge, Safari browsers | MS 365 native apps | IWA apps (file sharing, databases, etc.) | Device sign-in | Remote Desktop and Azure Virtual Desktop |
|---|---|---|---|---|---|
| Windows Azure AD joined | Yes | Yes | Not applicable | Yes | Yes |
| Windows Hybrid Azure AD joined | Not applicable | Not applicable | Not applicable | Not applicable | Not applicable |
| Windows AD joined | Not applicable | Not applicable | Not applicable | Not applicable | Not applicable |
| Windows non domain joined | Yes | Yes | Not applicable | No | Yes |
| macOS | Yes | No | Not applicable | No | Yes (AVD only) |
| Android | No | No | Not applicable | No | No |
| iPhone | Yes | No | Not applicable | No | No |
| iPad | Yes | No | Not applicable | No | No |
| ChromeOS | Yes | No | Not applicable | No | Yes (AVD only) |
Prerequisites and Requirements
Azure AD FIDO2 Passwordless Requirements
- Office 365 or Azure AD free tier or greater.
- Supported FIDO2 security keys
- Windows 10 v1903+ for Windows sign-in support
- Supported browser
Deployment Guidance
Below are the step-by-step instructions to assist with the setup and deployment of Azure AD FIDO2 Passwordless, in addition to helpful supplemental guides for further reading. Finally, a troubleshooting section can also be found below, outlining common and known issues that may be encountered during implementation or setup. In the event these materials still do not provide enough information, please contact our helpful Yubico Support team for additional guidance, or the Yubico Sales team for assistance with purchasing YubiKeys and other Yubico devices.
Step-by-step instructions
These are the high-level steps for enabling FIDO2 security keys. Please see the Supplemental Guides for more detailed information. Note that attestation information is only collected during initial registration, so if there is any possibility that attestation information will be required in the future for compliance reasons, it’s highly recommended that attestation is enforced before any wide rollout of security keys.
- Sign-in to the Azure portal
- Enable FIDO2 security keys as an Authentication Method
- Enable self-service setup
- Enforce attestation (Recommended)
- Enforce key restrictions (Optional)
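An added example, not part of this guide or of the Azure portal: steps 2 to 5 above expressed against the Microsoft Graph resource that the portal page edits, together with an audit of an existing configuration against the recommendations in this section. The endpoint, property names and permission are the real Graph ones; the caller supplies the AAGUIDs of the key models it approves.

```python
"""Build and audit the FIDO2 authentication method configuration behind the portal steps above."""
import json
import re
import urllib.request

FIDO2_POLICY_URL = ("https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/"
                    "authenticationMethodConfigurations/Fido2")
AAGUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def build_fido2_policy(allowed_aaguids=(), enforce_attestation=True, self_service=True):
    """Body for PATCH on FIDO2_POLICY_URL: enable the method, enable self-service setup, enforce
    attestation and, if any AAGUIDs are given, allow only those key models to be registered."""
    aaguids = [a.lower() for a in allowed_aaguids]
    bad = [a for a in aaguids if not AAGUID_RE.match(a)]
    if bad:
        raise ValueError(f"malformed AAGUID(s): {bad}")
    return {
        "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
        "state": "enabled",
        "isSelfServiceRegistrationEnabled": self_service,
        "isAttestationEnforced": enforce_attestation,
        "keyRestrictions": {"isEnforced": bool(aaguids), "enforcementType": "allow", "aaGuids": aaguids},
    }


def audit_fido2_policy(config):
    """Findings for a configuration as returned by GET on FIDO2_POLICY_URL; empty means compliant."""
    findings = []
    if config.get("state") != "enabled":
        findings.append("FIDO2 security keys are not enabled as an authentication method")
    if not config.get("isSelfServiceRegistrationEnabled"):
        findings.append("self-service registration is off, so users cannot register their own keys")
    if not config.get("isAttestationEnforced"):
        findings.append("attestation is not enforced; keys registered now never gain attestation data later")
    restrictions = config.get("keyRestrictions") or {}
    if restrictions.get("isEnforced"):
        if restrictions.get("enforcementType") != "allow":
            findings.append("key restrictions use a block list; an allow list of approved AAGUIDs is stricter")
        if not restrictions.get("aaGuids"):
            findings.append("key restrictions are enforced with an empty AAGUID list")
    return findings


def patch_fido2_policy(token, body):
    """Apply the body; the token needs the Policy.ReadWrite.AuthenticationMethod Graph permission."""
    req = urllib.request.Request(FIDO2_POLICY_URL, method="PATCH", data=json.dumps(body).encode(),
                                 headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status
```

Run the audit against the GET response before the rollout, since attestation cannot be collected retroactively for keys that were registered while it was off.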
Supplemental Guides
- YubiKeys for Microsoft Azure AD Passwordless Sign In Guide
- Microsoft and Yubico Part 1 - Enterprise Strong Authentication with YubiKey
- Microsoft and Yubico Part 2 - Enterprise Strong Authentication for Cloud Native Organizations
- Microsoft and Yubico Part 3 - Enterprise Strong Authentication for On-premises and Cloud Organizations
- Microsoft and Yubico Part 4 - Enterprise Strong Authentication Recommended Action Items
- Enable passwordless security key sign-in to Windows 10 devices with Azure Active Directory
- Microsoft - different kinds of accounts (365, Azure, etc.), and how to use YubiKeys with them
- User Guides:
Troubleshooting
Implementation
For information on how best to use FIDO2 security keys once they are enabled, the additional resources below are available. First, best practice guides help ensure both an optimal deployment and maximum solution effectiveness. Next, optional transition guidance helps migrate from one solution to one or more alternative deployments. Finally, commonly asked questions and answers cover points that may not already be addressed in the supplemental guides or troubleshooting sections.
Remember to enquire about our Professional Services team if hands-on or specific deployment assistance is required, and Yubico will gladly send one or more of our best people to help with your specific implementation!
Best Practices
YubiKey Lifecycle Management Best Practices with Microsoft Azure AD Passwordless