Let’s Set Up Passkeys: The Easy, Secure Way!
Hey there! Today, we’re diving into the wonderful world of passkeys. Don’t worry, this isn’t rocket science; my mission is to show you how ridiculously easy it is to get passkeys up and running in your tenant. Sure, standard MFA is a solid starting point, but let’s face it, it’s not exactly the finish line of cybersecurity greatness.
So, what are passkeys, you ask? Think of them as a passwordless VIP pass into your apps. Instead of juggling passwords, passkeys use cryptographic key pairs to get you logged in safely and securely. Your private key stays on your device, while the public key is registered with the service. Together, they create a phishing-resistant fortress of login magic: the private key never leaves the device, and the signature it produces is bound to the site you are actually signing in to, so a look-alike phishing page has nothing to capture.
Step 1: Turning on Passkeys
First things first, we’ve got to enable passkeys for users. In Entra, just head over to Protection > Authentication Methods and select Passkeys. Easy, right? If you’d like to roll it out gradually, start with a pilot group—like my creatively named Passkey Pilot Group.

Step 2: Configure Those Options
Next, let’s fine-tune the settings:
- Allow self-service setup: Empower users to set up their own passkeys, reducing your support load.
- Enforce attestation: Ensure only trusted devices are used by requiring proof of authenticity.
- Enforce key restrictions: Control which FIDO2 keys are permitted or blocked.
- Restrict specific keys: Decide which keys are granted access or denied.
- Microsoft Authenticator: Automatically manages AAGUIDs for iOS and Android Authenticator apps.
For this setup, we’ll use Microsoft Authenticator, but feel free to choose FIDO keys if that suits you better. Pro tip: Here’s a handy link to identify AAGUIDs for other popular keys.

Step 3: User Setup
Now, the exciting part! Guide your users to aka.ms/mfasetup and have them click “Add sign-in method.” They should select “Passkey” and follow the prompts, which include opening the Microsoft Authenticator app to create the passkey. It’s that simple!

Select Passkey and follow the on-screen instructions.

Part of this next step will direct you to open the Microsoft Authenticator application on your device.
Create a Passkey in the Authenticator application.

The user will be prompted to Sign In.

Once the passkey is created, select Done.

Back on the user’s PC, they should receive a notification that their passkey has been created.

Pro Tip for Admins
Don’t forget about your admin team. Ensure they’re using passkeys too by implementing Conditional Access Policies that require phishing-resistant MFA for all admin activities.
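If you prefer scripting to clicking, here is an added example (not from the original post) that applies the Step 2 options and the admin Conditional Access policy from this tip with the Microsoft Graph PowerShell SDK. The pilot group ID, the AAGUID and the break-glass account ID are placeholders you must replace; the Authenticator AAGUIDs themselves are handled by the portal toggle described in Step 2.

```powershell
# Added example, not the original post's own code. Values in angle brackets are
# placeholders (assumptions) to replace with IDs from your tenant.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod", "Policy.ReadWrite.ConditionalAccess"

# Step 2: the passkey (FIDO2) method, enabled only for the pilot group
$fido2 = @{
    "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    state                            = "enabled"
    isSelfServiceRegistrationAllowed = $true    # Allow self-service setup
    isAttestationEnforced            = $true    # Enforce attestation
    keyRestrictions                  = @{
        isEnforced      = $true                 # Enforce key restrictions
        enforcementType = "allow"               # Restrict specific keys: allow-list, not block-list
        aaGuids         = @("<AAGUID-of-approved-key-model>")   # placeholder
    }
    includeTargets = @(
        @{ targetType = "group"; id = "<Passkey-Pilot-Group-object-id>"; isRegistrationRequired = $false }
    )
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "Fido2" -BodyParameter $fido2

# Pro tip: require phishing-resistant MFA for admins.
# 00000000-0000-0000-0000-000000000004 is the built-in "Phishing-resistant MFA" authentication strength.
$caPolicy = @{
    displayName = "Require phishing-resistant MFA for admins"
    # Start in report-only, check the sign-in logs, then switch to "enabled"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        applications = @{ includeApplications = @("All") }
        users        = @{
            includeRoles = @("62e90394-69f5-4237-9190-012177145e10")   # Global Administrator role template ID
            excludeUsers = @("<break-glass-account-object-id>")         # placeholder: emergency access account
        }
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = "00000000-0000-0000-0000-000000000004" }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy
```

Add further admin role template IDs to includeRoles as you extend the policy, and keep the emergency access account excluded so a lost key can never lock you out of the tenant.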

And That’s It!
In just a few steps, you’ve enhanced security and made life easier for your users. Give it a try, and you’ll feel like a cybersecurity superhero in no time.
By following these steps, you’re well on your way to a password-free, secure environment. Happy passkey setting!