joe1231
5 months ago · New Contributor
Azure Entra ID passkey from macOS Safari and 1Password possible? What with Passwords?
Trying to set up Entra ID to allow me to use a passkey stored in 1Password using Safari. These might not be the right steps (maybe not even close to what needs doing), but it is what I'm trying out a...
joe1231
5 months ago · New Contributor
Did more digging. The AAGUID would be for the attestation of the authenticator (like 1Password), and so adding it would help restrict to a set of authenticators, and maybe not adding any would leave it open to all. But I added those, so if this was an issue, it should work.
In the Passkey FIDO2 settings, KEY RESTRICTION POLICY, two options:
Enforce key restrictions (Yes/No) set to Yes
Restrict specific keys (Allow/Block) set to Block
Going to guess that the latter means that one cannot restrict the use of passkeys to a specific set. But setting it to Allow changes nothing on the interface, so wondering how one would go about restricting them. Anyway.
Also worth mentioning that the Passkey Access for Web Browsers in macOS has Chrome and Firefox checked. Just to clear that, as that's why I get Chrome to use the system to prompt for Touch ID to sign with the passkey I was able to create, though it ends up failing anyway.
And that reminded me I hadn't tried with Firefox. And lo and behold, with a different tenant for which I don't have Entra ID Premium (nor P1 or P2), I was prompted for the passkey, though it still requested to enter the verification code (MFA), and it worked! And this worked on Safari, Firefox and Chrome.
Back to square one. So none of what I mentioned in my parent post seems to be needed/required to get passkeys to work, but it beats me how I got them to work on this test tenant (done a while ago).
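For readers comparing the two KEY RESTRICTION POLICY settings discussed in this thread, here is a small model of how an enforced AAGUID list behaves in Allow versus Block mode. It is an added example, not part of the original post and not Microsoft or 1Password code; the class and function names are hypothetical, the AAGUIDs are constructed placeholders, and the allow/block semantics modelled are an assumption about how the policy is evaluated.

```python
import uuid
from dataclasses import dataclass

# Constructed placeholder AAGUIDs (not real authenticator identifiers).
PASSWORD_MANAGER = "11111111-2222-3333-4444-555555555555"
HARDWARE_KEY = "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE"


@dataclass(frozen=True)
class KeyRestrictions:
    """Hypothetical mirror of the three portal settings."""
    is_enforced: bool        # "Enforce key restrictions" (Yes/No)
    enforcement_type: str    # "Restrict specific keys": "allow" or "block"
    aaguids: frozenset       # AAGUIDs listed in the policy


def normalize(aaguid: str) -> str:
    # AAGUIDs are UUIDs; compare them in canonical lowercase form so that
    # case or brace differences do not cause a silent mismatch.
    return str(uuid.UUID(aaguid))


def make_policy(is_enforced, enforcement_type, aaguids=()):
    if enforcement_type not in ("allow", "block"):
        raise ValueError("enforcement_type must be 'allow' or 'block'")
    listed = frozenset(normalize(a) for a in aaguids)
    return KeyRestrictions(is_enforced, enforcement_type, listed)


def is_permitted(policy: KeyRestrictions, authenticator_aaguid: str) -> bool:
    """Return True if the authenticator may register under this policy."""
    if not policy.is_enforced:
        return True  # list is ignored when restrictions are not enforced
    listed = normalize(authenticator_aaguid) in policy.aaguids
    # allow: only listed AAGUIDs pass; block: listed AAGUIDs are rejected.
    return listed if policy.enforcement_type == "allow" else not listed


if __name__ == "__main__":
    for mode in ("allow", "block"):
        p = make_policy(True, mode, [PASSWORD_MANAGER])
        for name, guid in (("listed", PASSWORD_MANAGER), ("unlisted", HARDWARE_KEY)):
            print(f"enforced={p.is_enforced} mode={mode:5} {name:8} ->",
                  "permitted" if is_permitted(p, guid) else "rejected")
```

In this model an enforced Allow policy with an empty list rejects every authenticator, so the list and the mode need to be checked together.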