Phishing-Resistant Authentication for cloud native environments with Microsoft Entra ID using FIDO2


Overview and Introduction

The following guide describes how to set up Microsoft Entra ID to use FIDO2 security keys for strong, phishing-resistant authentication. A brief description of an environment using FIDO2 is followed by the applicable use cases, and finally by detailed instructions on how to implement phishing-resistant authentication. Other forms of authentication are out of scope for this guide; the focus is on FIDO2 only. Authentication methods that support FIDO2 onboarding and/or recovery will be mentioned, but they are not the focus of this guide. A description of FIDO2 and related terminology can be found here.


[Figure 1 image]

Figure 1. Phishing-Resistant Authentication for cloud native environments with Microsoft Entra ID using FIDO2

Figure 1 (above) depicts the relationships between the major components in a cloud native environment using Microsoft Entra ID as the only identity provider, where FIDO2 security keys are used for authentication. While user information and lifecycle may be managed by another source, such as a Human Resources Management System (HRMS) using System for Cross-domain Identity Management (SCIM), Microsoft Entra ID is the only source of identity in this cloud native environment.

It is important to note that different device types and management states support different scenarios with FIDO2 security keys. For example, both non-joined and Microsoft Entra ID joined workstations support FIDO2 security key sign-in, but not for the same use cases. Windows, macOS and Linux also vary in when FIDO2 security keys can be used. Please see the "Supported use cases" and "Where supported" sections (below) for more details.

Registration of FIDO2 security keys

In the depicted scenario, the user is responsible for registering their own FIDO2 security keys (i.e. self-registration). Registration involves the user first signing in to My Account and navigating to the security info portal with an alternate authentication method that satisfies Microsoft Entra ID's multi-factor authentication requirements. Enterprises may opt to make these MFA requirements stricter so that only phishing-resistant methods qualify, but sign-in with at least basic multi-factor authentication is the minimum requirement before a user is able to register a new FIDO2 security key. For example, most organizations will use either Certificate-based authentication (CBA), Temporary Access Pass (TAP) or Username + Password + One-time Password (OTP) to meet those MFA requirements.

Sign-in with FIDO2 security keys

Users may leverage FIDO2 security keys to sign in to many different systems and on many different platforms. Authentication is centralized with Microsoft Entra ID, and users' registered security keys work across a wide range of workstation and application sign-in scenarios, including sign-in to their Microsoft Entra ID (formerly Azure AD) joined Windows workstations in both online and offline scenarios. Once signed in to their Windows workstations, users may sign in to applications including web applications, first-party Microsoft productivity applications, or other Microsoft Entra ID protected custom and third-party apps. Other platforms like macOS, Google Chromebooks and Linux also support sign-in to web applications.

Policy driven enforcement

Enterprises may enforce the use of FIDO2 security keys using Conditional Access (CA) with Authentication Strengths. This feature allows enterprises to require FIDO2 security keys on all devices and platforms that support it while also having flexibility to allow alternate authentication methods or simply block access for other scenarios that don't support FIDO2 authentication. These policies are an important tool that allow enterprises to support initial registration of FIDO2 credentials with alternate methods while preventing those non-FIDO2 methods from being used in any other scenario.

The "Supported use cases" section of this document (below) provides additional context for how FIDO2 is used, as seen in Figure 1 (above).

Some of the acronyms and key terms used throughout the guide are defined in the glossary table below, to help provide clarity and context.
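As an added example (not from this guide), the following Microsoft Graph PowerShell creates a Conditional Access policy of the kind described above: it requires the built-in "Phishing-resistant MFA" authentication strength for all users and all cloud apps, starting in report-only mode. The Microsoft.Graph module, the Policy.ReadWrite.ConditionalAccess permission and the break-glass group ID are assumptions.

```powershell
# Added example: Conditional Access policy requiring phishing-resistant MFA (FIDO2 qualifies).
# Assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in admin holds
# Policy.ReadWrite.ConditionalAccess. Group ID below is a PLACEHOLDER.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassGroupId      = "00000000-0000-0000-0000-000000000000"   # PLACEHOLDER: emergency-access accounts group
$phishingResistantMfaId = "00000000-0000-0000-0000-000000000004"   # built-in "Phishing-resistant MFA" strength

$policy = @{
    displayName = "Require phishing-resistant MFA (FIDO2) - all users"
    # Report-only first: review sign-in logs for users who would be blocked, then set to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)      # keep break-glass accounts reachable
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $phishingResistantMfaId }
    }
}

# A separate policy scoped to the "Register security information" user action
# (urn:user:registersecurityinfo) can allow TAP or other MFA for initial key registration,
# which is the registration exception the guide describes.
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"
```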

Term    Definition
AD      Active Directory
AD FS   Active Directory Federation Services
CA      Conditional Access
FIDO2   Fast IDentity Online version 2
HRMS    Human Resources Management System
NFC     Near Field Communication
OTP     One-Time Password
RP      Relying Party
TAP     Temporary Access Pass
USB     Universal Serial Bus

Supported use cases

  • Sign-in to Microsoft Entra ID protected native applications
  • Sign-in to Microsoft Entra ID protected web applications
  • Sign-in to Microsoft Entra ID joined Windows 10 & 11 workstations
  • Sign-on to Microsoft Entra ID protected Azure Virtual Desktop sessions
  • Remote sign-in to Microsoft Entra ID joined Windows 10 & 11 desktop sessions
  • Remote sign-in to Microsoft Entra ID joined AVD Session Hosts


Where supported

This matrix represents where FIDO2 sign-in is supported for the target-state architecture depicted above.

Platform                                    Chrome, Edge,     MS 365        IWA apps (file     Device    Remote Desktop and
                                            Safari browsers   native apps   sharing, DBs etc)  sign-in   Azure Virtual Desktop
Windows, Microsoft Entra ID joined          Yes               Yes           N/A                Yes       Yes
Windows, hybrid Microsoft Entra ID joined   N/A               N/A           N/A                N/A       N/A
Windows, AD joined                          N/A               N/A           N/A                N/A       N/A
Windows, non domain joined                  Yes               Yes           N/A                No        Yes
macOS                                       Yes               No            N/A                No        Yes (AVD only)
Android                                     No                No            N/A                No        No
iPhone                                      Yes               No            N/A                No        No
iPad                                        Yes               No            N/A                No        No
ChromeOS                                    Yes               No            N/A                No        Yes (AVD only)

N/A = Not Applicable

Prerequisites and Requirements

Microsoft Entra ID FIDO2 Passwordless Requirements

  • Office 365 or Microsoft Entra ID free tier or greater.
  • Supported FIDO2 security keys
  • Windows 10 v1903+ for Windows sign-in support
  • Supported browser


Deployment Guidance

Below are step-by-step instructions to assist with the setup and deployment of Microsoft Entra ID FIDO2 Passwordless, along with supplemental guides for additional reading. Finally, a troubleshooting section below outlines common and known issues that may be encountered during implementation or setup. If these materials still do not provide enough information, please contact our helpful Yubico Support team for additional guidance, or the Yubico Sales team for assistance with purchasing YubiKeys and other Yubico devices.

Step-by-step instructions

These are the high-level steps for enabling FIDO2 security keys. Please see the Supplemental Guides for more detailed information. Note that attestation information is only collected during initial registration, so if there is any possibility that attestation information will be required in the future for compliance reasons, it’s highly recommended that attestation is enforced before any wide rollout of security keys.

  1. Sign-in to the Microsoft Entra ID portal
  2. Enable FIDO2 security keys as an Authentication Method
    1. Enable self-service setup
    2. Enforce attestation (Recommended)
    3. Enforce key restrictions (Optional)
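The steps above carried out with Microsoft Graph PowerShell, as an added example that is not part of this guide: it enables the FIDO2 authentication method, turns on self-service registration, enforces attestation and applies an AAGUID allow-list. The Microsoft.Graph module, the Policy.ReadWrite.AuthenticationMethod permission and the AAGUID value are assumptions.

```powershell
# Added example: configure the Entra ID FIDO2 authentication method policy (steps 2.1 to 2.3).
# Assumes the Microsoft.Graph PowerShell SDK and Policy.ReadWrite.AuthenticationMethod permission.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"

# PLACEHOLDER: replace with the AAGUIDs of the security key models you approve.
$allowedAaguids = @("00000000-0000-0000-0000-000000000000")

$fido2Config = @{
    "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    state                            = "enabled"          # step 2: enable FIDO2 security keys
    isSelfServiceRegistrationEnabled = $true              # step 2.1: users register their own keys
    isAttestationEnforced            = $true              # step 2.2: attestation is only captured at registration,
                                                          #           so enforce it before any wide rollout
    keyRestrictions                  = @{                 # step 2.3 (optional): restrict to approved models
        isEnforced      = $true
        enforcementType = "allow"                         # "allow" = allow-list, "block" = block-list
        aaGuids         = $allowedAaguids
    }
    includeTargets = @(
        @{ targetType = "group"; id = "all_users"; isRegistrationRequired = $false }
    )
}

Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "Fido2" -BodyParameter $fido2Config

# Verify: FIDO2-specific properties are returned under AdditionalProperties.
$current = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "Fido2"
$current.State
$current.AdditionalProperties["isAttestationEnforced"]
$current.AdditionalProperties["keyRestrictions"]
```

Keys already registered before attestation was enforced have no attestation record, which is why the guide recommends enforcing it before rollout.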


Supplemental Guides


Troubleshooting


Implementation

For information on how to best utilize FIDO2 security keys once they are enabled, the additional resources below are available. First, some best practice guides to help ensure both optimal deployment and maximum solution effectiveness. Next, some optional transition guidance to help migrate from one solution to one or more alternative deployments. And finally, some commonly asked questions and answers that may not already have been covered in the supplemental guides or troubleshooting sections.
Remember to enquire about our Professional Services team if hands-on or specific deployment assistance is required; Yubico will gladly send one or more of our best people to help with your specific implementation!


Best Practices

YubiKey Lifecycle Management Best Practices with Microsoft Entra ID Passwordless


Common Questions

Yubico FAQ