How to enable FIDO2 passwordless authentication with Microsoft Azure AD for use with Windows 10-11
IPI admin cases – How to enable FIDO2 password-less authentication with Microsoft Azure AD for use with Windows 10
Add the user to the AD
Step 1
Sign in to the Azure portal https://portal.azure.com/.
Step 2
Select "Azure Active Directory" and go to the "Users" section:
Step 3
Click the "New User" button and fill in the required fields:
Step 4
Click the "Create" button; the user is added to the list and is ready to sign in:
Enabling Authentication methods and FIDO2 security keys
Step 1
With a Security Admin or Global Admin account, sign in to the Azure portal portal.azure.com and go to Azure Active Directory > User Settings > Manage user feature settings:
Step 2
Select the “Users can use the combined security information registration experience” option, select the “All” option, and click the “Save” button.
Step 3
After saving, a notification will appear in the upper right corner of the page, which indicates that the settings were successfully updated:
Step 4
Go to Azure AD Authentication Methods in the Azure portal:
Step 5
In the Azure portal, go to the "Azure AD Authentication Methods" section and select the "FIDO2 Security Key" method:
Step 6
Set the “ENABLE” switch to “Yes” and click the “Save” button:
Step 7
After saving, a notification will appear in the upper right corner of the page, which indicates that the policy settings were successfully updated:
Step 8
We also recommend enabling the Microsoft Authenticator passwordless sign-in method in the same way.
Microsoft instructions can be found here.
Join a PC to the Microsoft Entra ID (Azure AD) domain and add a user
Step 1
Go to the Accounts -> Access work or school section in Windows Settings.
Click the "Connect" button.
Step 2
Click "Join this device to Microsoft Entra ID" (Azure Active Directory).
Step 3
You will be prompted to enter the login and password you received from AD, and then to set a new password:
After this, the system shows a final warning:
Step 4
Click the "Join" button:
Your new account can be found in Settings.
Now you can use it to sign in to this PC with the password.
Select "Other user" and type in your login and password.
The system may ask you to set up two-factor authentication; you can do this with your phone, for example. Then set up a PIN to access this PC.
Step 5
Run the file that adds the registry setting allowing the FIDO key to be used for sign-in on this PC:
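The page does not show the contents of that file. The PowerShell script below is an added example, not the file shipped with this guide: it writes the policy value Microsoft documents for security key sign-in on Azure AD joined devices (UseSecurityKeyForSignin under HKLM\SOFTWARE\Microsoft\Policies\PassportForWork\SecurityKey, which the page itself does not name), checks the join state first, and verifies the result. It assumes an elevated PowerShell prompt on the PC joined in the steps above.

```powershell
# Added example (not the file distributed with the guide): enable FIDO2 security key
# sign-in on an Azure AD (Microsoft Entra ID) joined Windows device.
# The registry path and value are the policy Microsoft documents for this feature
# (PassportForWork/SecurityKey/UseSecurityKeyForSignin); the guide does not list them.
# Run from an elevated PowerShell prompt.

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork\SecurityKey'
$ValueName = 'UseSecurityKeyForSignin'

# 1. Sanity check: the policy only has an effect on an Azure AD joined device.
#    dsregcmd /status prints "AzureAdJoined : YES" when the join from the earlier steps succeeded.
$joined = dsregcmd /status | Select-String -Pattern 'AzureAdJoined\s*:\s*YES' -Quiet
if (-not $joined) {
    Write-Warning 'This device is not Azure AD joined. Complete Settings > Accounts > Access work or school > Connect first.'
}

# 2. Create the policy key if it is missing (-Force creates intermediate keys as well).
if (-not (Test-Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

# 3. Set the DWORD to 1. Re-running the script is safe: an already-enabled value is left as is.
$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($current -eq 1) {
    Write-Host "$ValueName is already enabled."
} else {
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value 1 -Type DWord
    Write-Host "$ValueName set to 1."
}

# 4. Read the value back so the admin can confirm the change took effect before moving on.
$verify = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
if ($verify -ne 1) {
    throw "Failed to set $ValueName (current value: '$verify')."
}
Write-Host 'FIDO2 security key sign-in is enabled on this device; the security key option appears on the sign-in screen after the next sign-out or restart.'
```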
Add a security key to the Microsoft Account
Step 1
Sign in to the portal https://myprofile.microsoft.com/.
Step 2
Go to Security info and add your phone number to enable two-factor authentication.
Step 3
Pair the IPI Key with Windows.
Step 4
Add the security key on the portal: click the "Add Method" button and select the "Security Key" option.
You can choose either a USB or an NFC device; it does not matter which.
Step 5
To finish the setup process, the system may ask you to sign in with the newly added FIDO key:
Step 6
Press the button on the Key when asked:
Step 7
Enter a name for a new security key:
The setup is now complete.
The key will appear in the list of available authentication methods:
Now you can unlock the PC with the security key.