Office 365 - Protecting user accounts with FIDO2 keys (TAP method)


FIDO2-based passwordless sign-in lets users authenticate to Azure AD (Microsoft Entra ID) with a USB security key and no password at all. Once enabled, users can sign in to their accounts and log on to their Windows 10 machines (Azure AD (Microsoft Entra ID) joined or Hybrid AD joined) using FIDO2 security keys. Access is still protected by two factors: 1) physical possession of the security key and 2) the PIN or fingerprint (on keys with biometric support) configured on the FIDO2 security key.

FIDO2 keys have been available as an authentication method in Microsoft Azure AD (Microsoft Entra ID) for a couple of years now. Although they are the strongest (phishing-resistant) sign-in method available for Office 365 user access, enrolling a FIDO2 security key used to require that the user already had MFA configured, which made the method impractical for users who do not have (or do not want to use) a second device such as a phone to sign in. This has finally changed!


During the MS Ignite 2021 conference (again held virtually this year), in addition to the general availability of passwordless sign-in, Microsoft announced a new feature, Temporary Access Pass in Azure AD (Microsoft Entra ID) (Preview). It allows end users to bootstrap their account with nothing but a FIDO2 security key, eliminating the previous requirement of having MFA configured before a key can be registered.

This guide will describe how the administrator can set Temporary Access Pass for a user, and how that user can subsequently enroll his/her FIDO2 security key:

Enable the Temporary Access Pass (TAP)

As this is a preview feature, it has to be enabled first. Holders of the Global Administrator or Authentication Policy Administrator role can update the TAP authentication method policy. To configure the TAP authentication method policy:

  • Sign in to the Azure portal as a Global admin and click Azure Active Directory > Security > Authentication methods > Temporary Access Pass.
  • Click Yes to enable the policy, select which users have the policy applied, and any General settings
    Note: make sure FIDO2 Security Key method is also enabled (it is on the same page).

  • You can keep the default TAP values for the time being. A full description of the available options (lifetime, length, one-time use) is in Microsoft's Temporary Access Pass documentation.
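The same policy change can be scripted instead of clicked through. The following is an added example, not code from the original article or from Microsoft: it uses the Microsoft.Graph PowerShell SDK and the documented authentication method policy endpoints to enable TAP and FIDO2 for all users and then verifies both states. The lifetime and length values are assumptions chosen for this example; adjust them to your own policy.

```powershell
# Added example (not part of the original article): enable the Temporary Access Pass
# and FIDO2 authentication method policies via Microsoft Graph and verify both.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod'

$base = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations'

# TAP policy: enabled for all users, one-time use, short default lifetime.
# (Values below are example choices, not Microsoft defaults.)
$tapBody = @{
    '@odata.type'            = '#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration'
    state                    = 'enabled'
    isUsableOnce             = $true     # a pass can be consumed by a single sign-in only
    defaultLifetimeInMinutes = 60
    minimumLifetimeInMinutes = 10
    maximumLifetimeInMinutes = 480
    defaultLength            = 12
    includeTargets           = @(
        @{ targetType = 'group'; id = 'all_users' }
    )
}
Invoke-MgGraphRequest -Method PATCH -Uri "$base/TemporaryAccessPass" -Body $tapBody

# FIDO2 policy: the TAP flow is pointless if users cannot register a key afterwards.
$fido2Body = @{
    '@odata.type'                    = '#microsoft.graph.fido2AuthenticationMethodConfiguration'
    state                            = 'enabled'
    isSelfServiceRegistrationEnabled = $true
    isAttestationEnforced            = $false
    includeTargets                   = @(
        @{ targetType = 'group'; id = 'all_users' }
    )
}
Invoke-MgGraphRequest -Method PATCH -Uri "$base/Fido2" -Body $fido2Body

# Check: both methods must report state = enabled before handing out any pass.
foreach ($id in 'TemporaryAccessPass', 'Fido2') {
    $cfg = Invoke-MgGraphRequest -Method GET -Uri "$base/$id"
    '{0,-20} state={1}' -f $id, $cfg.state
}
```

Setting `isUsableOnce` to true at policy level means a pass that is used to sign in once cannot be replayed if it is later intercepted; the per-user pass created in the next section inherits these defaults unless overridden.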

Create Temporary Access Pass for a user

Now, let's create a Temporary Access Pass for a user. The user must be in scope of the TAP policy (configured in the previous step). To add a TAP for a user, follow the steps below:

Sign in to the portal as either a Global Administrator, Privileged Authentication Administrator, or Authentication Administrator. Note that an Authentication Administrator can only create a TAP for users without administrative roles; for accounts that hold an admin role, the Privileged Authentication Administrator (or Global Administrator) role is required.


  • Click Azure Active Directory, browse to Users, select a user, then choose Authentication methods.
  • If needed, select the option to Try the new user authentication methods experience.
  • Select the option to Add authentication methods.
  • Below Choose method, click Temporary Access Pass (Preview).


  • Define a custom activation time or duration and click Add


  • Once added, the details of the TAP are shown. Make a note of the actual TAP value. You provide this value to the user. You can't view this value after you click Ok.
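The portal steps above can also be done from PowerShell, which is handy when onboarding many users. This is an added example, not code from the original article or from Microsoft; it uses the documented `New-MgUserAuthenticationTemporaryAccessPassMethod` cmdlet from the Microsoft.Graph PowerShell SDK. The UPN is a placeholder.

```powershell
# Added example (not part of the original article): create a short-lived, one-time
# Temporary Access Pass for a user with the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All'

$upn = 'alice@contoso.example'   # placeholder account, replace with the real UPN

# A user can only hold one TAP within its validity period; creating a second one
# fails until the first is removed or expires.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $upn `
    -LifetimeInMinutes 30 `
    -IsUsableOnce

# The pass value is returned only by this call and cannot be read back later.
# Deliver it out of band (phone call, in person), never to the mailbox the pass
# itself unlocks.
[pscustomobject]@{
    User      = $upn
    MethodId  = $tap.Id              # keep this: it is needed to revoke the pass early
    Pass      = $tap.TemporaryAccessPass
    ValidFrom = $tap.StartDateTime
    ValidFor  = "$($tap.LifetimeInMinutes) min"
    OneTime   = $tap.IsUsableOnce
}

# If the pass is exposed before the user has used it, revoke it immediately:
# Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $upn `
#     -TemporaryAccessPassAuthenticationMethodId $tap.Id
```

Keeping the lifetime to the minutes the user actually needs, and making the pass single-use, limits what an attacker can do with a pass that leaks in transit.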


Adding a FIDO2 Key using TAP Login

The steps below allow a user to add a FIDO2 security key as the only authentication method on his/her account.
Please note that only signing in with a TAP allows this. If the user signs in with a regular password, the security key method cannot be enabled and an error similar to "To set up a security key, you need to sign in with two-factor authentication" is shown.

  • The user needs to sign out of all existing sessions, or launch a web browser in Private (Incognito) mode
  • Navigate to https://aka.ms/mysecurityinfo
  • Enter the UPN of the account the TAP was created for
  • If the TAP is valid, instead of the regular password and MFA prompt, the login form will ask for a temporary access pass

  • After logging in with the TAP, the browser will redirect to the Security Methods page, where a FIDO2 key can be added


  • Add a FIDO2 security key by clicking Add method and choosing Security key



  • Choose USB device 


  • Have your key ready and choose Next
  • A dialog will ask you to create a PIN for your security key (or enter the existing one if a PIN has already been set), then to touch the shield or lock icon on the key (the LED indicator is usually blinking at this moment). On biometric-enabled keys, the PIN can be replaced by fingerprint authentication.
  • You will be returned to the combined registration experience and asked to provide a meaningful name for your token so you can identify which one if you have multiple. Click Next.
  • Click Done to complete the process

  • As this guide shows, after signing in with a TAP, enrolling a FIDO2 security key does not require any other MFA method to be configured beforehand. This means it is possible to set up access for a user without that user ever knowing a password. Moreover, once the TAP is created, the whole enrollment can be performed by the admin on behalf of the user (the only added complexity is biometric protection, which requires the user to be present to enroll the fingerprint). If the admin sets the PIN during enrollment, the user should change it afterwards (for example from Windows Settings > Accounts > Sign-in options > Security Key), so that the admin no longer knows the second factor.
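After the user (or the admin on the user's behalf) has completed the steps above, the admin should confirm that the key is actually registered and that no usable pass is left on the account. The following is an added example, not code from the original article or from Microsoft; it uses the documented Microsoft.Graph PowerShell cmdlets for reading and removing a user's authentication methods. The UPN is a placeholder.

```powershell
# Added example (not part of the original article): verify FIDO2 enrollment from the
# admin side and clean up any remaining Temporary Access Pass.
Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All'

$upn = 'alice@contoso.example'   # placeholder account, replace with the real UPN

# 1. Registered security keys: display name, model, AAGUID (identifies the key
#    model) and registration time.
$keys = Get-MgUserAuthenticationFido2Method -UserId $upn
if (-not $keys) {
    Write-Warning "No FIDO2 key registered for $upn; do not revoke the TAP yet."
    return
}
$keys | Select-Object DisplayName, Model, AaGuid, CreatedDateTime

# 2. Any TAP still on the account. A one-time pass that has been consumed is
#    reported as not usable; remove it either way, since the key is now enrolled.
$taps = Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $upn
foreach ($t in $taps) {
    'TAP {0}: usable={1} reason={2}' -f $t.Id, $t.IsUsable, $t.MethodUsabilityReason
    Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $upn `
        -TemporaryAccessPassAuthenticationMethodId $t.Id
}

# 3. Full list of methods, to confirm nothing unexpected (e.g. a phone number or
#    an authenticator app) was added while the account was reachable via the TAP.
Get-MgUserAuthenticationMethod -UserId $upn |
    Select-Object Id, @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] } }
```

Step 3 is the check worth keeping in an onboarding runbook: a TAP grants full sign-in, so whoever held it could have registered additional methods, and the list of methods after enrollment should contain only the expected security key.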

    Where to buy FIDO2 Security keys to use with this method? 

    All of our FIDO2 keys are compatible with Azure AD (Microsoft Entra ID). You can place an order online or contact us for a quote. We ship worldwide* both with regular post and express services such as FedEx, UPS and DHL.

    * - with the exception of Iran, India, Russia and a couple of other locations due to very complex customs clearance procedures 


    Video

    Check out this video review demonstrating the process of the configuration of this method as well as user registration and login experience

    FAQ

    Question: Is a FIDO2 security key tied to just one Azure AD (Microsoft Entra ID)/Office 365 account?
    Answer: No, a FIDO2 security key is not tied to a single Azure AD (Microsoft Entra ID)/Office 365 account, so you do not need to buy a separate key for every Azure tenant you access. When signing in via the web interface, if several accounts (passkeys) for login.microsoft.com are stored on the key, you will be asked to select the one to sign in with. Please note that this applies to the web sign-in method only, not to workstation sign-in.

    Question: Can I log in to Windows 10/11 workstations using a key containing multiple Azure AD (Microsoft Entra ID) enrolled accounts?
    Answer: Unfortunately, no. Signing in to or unlocking a Windows 10/11 device with a security key that contains multiple Microsoft Entra accounts is not supported. In this scenario Windows uses the last account that was added to the security key.



    Question: As FIDO2 setup is self-service, how can I ensure my users do not select weak PIN codes, such as 1111 or 1234?
    Answer: The FIDO specifications themselves permit such PIN codes; the only constraint they impose is a minimum length. Because the PIN is stored and verified on the security key itself, Azure AD (Microsoft Entra ID) policy cannot control its complexity. A way around this is to use keys that enforce PIN rules in firmware: Token2 PIN+ security keys reject weak PINs at the firmware level, regardless of the tenant's settings.