Forum Discussion

joe1231
New Contributor
5 months ago

Azure Entra ID passkey from macOS Safari and 1Password possible? What with Passwords?

Trying to set up Entra ID to allow me to use a passkey stored in 1Password using Safari. These might not be the right steps (maybe not even close to what needs doing), but it is what I'm trying out at the moment. And just to be clear, ideally I would not want to use Microsoft Authenticator at all.

TL;DR: So far as I can tell, this is either not possible yet or I don't know how to do it — I'm an optimist.

As of May 31st 2025, with the following setup:
MacBook Air M4 32GB
macOS (and Safari) Sequoia 15.5 public release
1Password for Mac 8.10.78 (81078043, on PRODUCTION channel)
1Password for Safari 8.10.76.34
Passwords Settings has "Automatically Create Passkeys" setting enabled.

Passkeys are enabled: Sign in to portal.azure.com > Search Microsoft Entra ID > Select Authentication Methods under Feature Highlights in the main right pane area (no left menu option) > Policies on the left menu > Passkey (FIDO2) > Enable and Target > Enable (if it isn't) and Include All Users > click on the Configure tab > Enforce Restrictions to Yes so that we can Add AAGUID to add the AAGUID from 1Password (though this appears to be just so it can allow 1Password as a passkey manager with the Enforced key restrictions setting and identify the passkey manager as 1Password) > Save

After that, and while you are logged in, in a different tab, visit https://aka.ms/mysecurityinfo or click on your Avatar on the top right > View account which will open in a new tab > and click on Security info on the left panel.

Now you're in your profile where you should be able to set up a passkey. This is an ideal way to test that whatever settings were set up, or enabled, work. Please note that I'm avoiding adding choice words throughout this post to describe how I feel about — the terrible and inhumane; ugh, that slipped out — Microsoft's UX (and to a large extent their UI).

Click Add sign-in method > select Security key or passkey which might prompt for a new sign in using multi factor authentication > then on the Add a passkey for more secure sign-in*** click Next > and again Next on Setting up your passkey... > use your finger to Continue with Touch ID***** >

*** We'll return to this screen to try the Set up passkey using another device shortly.
***** We'll also return to this screen to try the Other Options (to no avail).

A dialog is shown called Let's name your passkey and, I believe thanks to the AAGUID, it's prefilled with "iCloud Keychain", with no way I could see or find to use 1Password. Click Next > and now an error will display with Passkey not registered and the body saying "This might be due to a timeout, a canceled request or a private browsing window."

Long story short, nothing will work. I eventually discovered that I could add the AAGUID in the Authentication Strengths page: Microsoft Entra ID > Authentication methods > in the left menu, under Manage > Authentication Strengths.

Trying with the *** Set up passkey using another device got me a QR code which I could take a picture of with the iPhone, and which generated a Passkey 😱 but it cannot be used (changed browsers, deleted cache, and eventually got to use it but it returned an error from Azure). From 1Password on the iPhone, Avatar on the top left > Scan QR Code... option did look at that QR code but didn't know what to do with it. The ***** Other Options option got similar results.

I have screenshots of everything, but there is some sort of limit here in the forums that keeps me from posting them (I kept polishing them and I ran out of credit). I'll try again tomorrow.


2 Replies

  • Hello joe1231! 👋

    Thank you for your investigation! Here's what Microsoft's website currently says: 

    Microsoft Entra ID currently supports device-bound passkeys stored on FIDO2 security keys and in Microsoft Authenticator. Microsoft is committed to securing customers and users with passkeys. We're investing in both synced and device-bound passkeys for work accounts.

    It looks like they don't yet fully support synced passkeys (the type saved in 1Password). Hopefully more support is added in the future. 

    -Dave

  • joe1231
    New Contributor

    Did more digging. The AAGUID would be for the attestation of the authenticator (like 1Password), and so adding it would help restrict to a set of authenticators, and maybe not adding any would leave it open to all. But I added those, so if this was an issue, it should work.

    In the Passkey FIDO2 settings, KEY RESTRICTION POLICY, two options:

    Enforce key restrictions (Yes/No) set to Yes
    Restrict specific keys (Allow/Block) set to Block

    Going to guess that the latter means that one cannot restrict the use of passkeys to a specific set. But setting it to Allow changes nothing on the interface, so I'm wondering how one would go about restricting them. Anyway.

    Also worth mentioning that the Passkey Access for Web Browsers in macOS has Chrome and Firefox checked. Just to clear that, as that's why I get Chrome to use the system to prompt for Touch ID to sign with the passkey I was able to create, though it ends up failing anyway.

    And that reminded me I hadn't tried with Firefox. And lo and behold, with a different tenant for which I don't have Entra ID Premium (nor P1 or P2), I was prompted for the passkey, though it still requested to enter the verification code (MFA), and it worked! And this worked on Safari, Firefox and Chrome.

    Back to square one. So none of what I mentioned in my parent post seems to be needed/required to get passkeys to work, but it beats me how I got them to work on this test tenant (done a while ago).
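The thread turns on the AAGUID that the relying party reads out of the WebAuthn registration response and compares against the Passkey (FIDO2) key-restriction policy (Enforce key restrictions Yes/No, Restrict specific keys Allow/Block). The following is an added example, not code from the thread, from Microsoft or from 1Password: it parses the authenticator data structure to pull out the AAGUID and then models those two switches as an allow/block check. The AAGUID value and the authenticator data bytes are constructed placeholders, not any real vendor's identifier.

```python
"""Extract the AAGUID from WebAuthn authenticator data and apply an
Allow/Block key-restriction policy. Added example; all sample values are
constructed, not real 1Password or Microsoft identifiers."""
import struct
import uuid

AT_FLAG = 0x40  # flags bit: attested credential data is present


def extract_aaguid(auth_data: bytes):
    """Return the AAGUID (as a string) from attested credential data, or None.

    Layout: rpIdHash[32] | flags[1] | signCount[4] |
            aaguid[16] | credIdLen[2] | credId | credentialPublicKey
    The AAGUID only exists when the AT flag is set (registration, not assertion).
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    if not auth_data[32] & AT_FLAG:
        return None  # no attested credential data, so nothing to restrict on
    raw = auth_data[37:53]
    if len(raw) != 16:
        raise ValueError("truncated attested credential data")
    return str(uuid.UUID(bytes=raw))


def key_allowed(aaguid, enforce: bool, mode: str, listed: set) -> bool:
    """Model 'Enforce key restrictions' (enforce) and 'Restrict specific keys'
    (mode: "Allow" = only listed AAGUIDs pass, "Block" = listed ones fail)."""
    if not enforce:
        return True  # no restriction policy: any authenticator is accepted
    if aaguid is None:
        return False  # cannot evaluate a restriction without an AAGUID
    if mode == "Allow":
        return aaguid in listed
    if mode == "Block":
        return aaguid not in listed
    raise ValueError(f"unknown mode {mode!r}")


# Constructed placeholder for a passkey manager's AAGUID (not a real one).
PASSKEY_MANAGER_AAGUID = "11111111-2222-3333-4444-555555555555"


def build_auth_data(aaguid: str, attested: bool = True) -> bytes:
    """Assemble minimal, constructed authenticator data for testing."""
    flags = 0x05 | (AT_FLAG if attested else 0)  # UP | UV (| AT)
    head = b"\x00" * 32 + bytes([flags]) + struct.pack(">I", 1)
    if not attested:
        return head
    cred_id = b"\xab" * 16
    cose_key = b"\xa0"  # empty CBOR map standing in for the public key
    return head + uuid.UUID(aaguid).bytes + struct.pack(">H", len(cred_id)) + cred_id + cose_key
```

In a real deployment the authenticator data comes from `attestationObject.authData` of the registration response; with "Restrict specific keys" set to Block and an AAGUID list, only the listed managers are rejected, which is why listing 1Password's AAGUID under Block would not by itself make it usable.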