When I go to add PassKeys to my MIcrosoft 365 portal it fails at the last step. https://mysignins.microsoft.com/security-info Same error in Chrome and Brave. I was able to cancel the 1Password enrollment process and enroll a YubiKey just fine. 1Password Version: 1Password for Mac 8.10.7 (81007041) Extension Version: 2.12.0 OS Version: 13.4 Browser:_ Brave

Confirming I have the exact same problem following the steps sukka mentioned.

I came across the same AAGUID. Although we have now the option to select "passkey (preview)", it still errors when trying to add a passkey, no matter what kind.

(Note, I happened to be on page 1 on an old open tab when I started this, and didn't see the replies just above from alcyone7 and duscu and others with similar information, but I gathered a few more details (and words, haha) even though they appear to be just as accurate, so the below is an "also" and not entirely new to the thread--wish I'd seen the above replies before my conversation with JefTek, it would have helped clarify a bit!) I wanted to update this to let folks know that Microsoft has enabled Passkeys as a preview for Microsoft 365/Entra ID accounts, BUT only "device-bound" Passkeys and ONLY initially using the Microsoft Authenticator app on iOS and Android. You also need to make the Authenticator app, on iOS at least, your "primary" additional Passkey app (other than iCloud Keychain, which can also be simultaneously enabled), but you can only have ONE non-Apple Passkey app. And 1Password is mine. Which means I can't use Microsoft 365 Entra ID Passkeys yet, because I'd have to make MS Authenticator the Passkey provider on iOS and not 1Password. However, Microsoft said that before the end of 2024 they will also roll out "syncable" Passkey support (the kind that 1Password uses, along with many other password managers and some of the platform tools/browsers. However, they will need to be explicitly enabled (as device-bound ones do now) by an administrator. And, you'll have to/need to determine which "AAGUID" values you'll accept--every Passkey provider generates a unique AAGUID for authenticators with the same features. So Yubico's Yubikeys (which also can save device-bound Passkeys and have worked with Microsoft Entra ID for years as FIDO2 keys) have AAGUIDs per "family" depending on the features of each key. You can authorize as many or as few AAGUIDs as you want for a particular Microsoft tenant (or even a Custom Authentication Strength you can define and assign to particular groups/users or even certain applications), so administrators have control over which Passkeys they will accept instead of usernames and passwords. I think this control for business accounts is a good thing, but I'm disappointed I can't enable the 1Password AAGUID yet! (Well, I can and did, but it doesn't work since Microsoft only enables those for Authenticator--you actually have to add iOS and Android Authenticator App AAGUIDs to your allow list explicitly even to test the public beta!). If you're curious, you can see a list of known password manager AAGUIDs here, including 1Password's: https://passkeydeveloper.github.io/passkey-authenticator-aaguids/explorer/ That is generated from this GitHub repository collecting them for easy use, and they are available in several programmer-friendly formats also: https://github.com/passkeydeveloper/passkey-authenticator-aaguids And you can see how Yubikeys have various AAGUIDs based on which model/features each hardware keys has from Yubico's own list, here: https://support.yubico.com/hc/en-us/articles/360016648959-YubiKey-Hardware-FIDO2-AAGUIDs The Microsoft information above was pulled from a reasonably long discussion I had in the last few weeks with Jef Kazimer (JefTek) of https://jeftek.com/ (he's a Principal Project Manager for Microsoft Entra ID at Microsoft) in an Entra-related Discord server, and is a summery of a longer discussion. I really hope (and asked for) syncable Passkey support ASAP! Oh, and Microsoft's official documentation to enable Passkey support is located at https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-enable-passkey-fido2 and the purple callout near the top does (if you know what they are!) explicitly list that device-bound Microsoft Authenticator Passkeys (in addition to physical security keys) are the only ones supported now but that synced passkey is being worked on: For reference I have a screenshot of the iOS Passkey app configuration screen showing where you can enable or disable iCloud Keychain (I have it disabled in the screenshot) and ONE other Passkey app--I have 1Password selected, but if I choose Authenticator, 1Password switches to disabled and vice-versa: I don't know if there's a way for 1Password to detect if a credential that's saved for login.microsoftonline.com right now is for a Microsoft Personal/Family account (used to be a Live ID many years ago), or if the credential is for a Microsoft 365 Work/Entra ID business tenant account. If they can tell automatically, it would be nice for their "Passkey is available!" alert at the top of a saved item for Microsoft to be smarter about not presenting that alert for Entra ID accounts until synced passkeys are supported in Entra ID, and when they are, to link to the setup page (like the above document) because each tenant will need explicit configuration before 1Password Passkeys (or any!) will work--maybe they should write a blog post at that time and walk people through the steps for 1Password at least. Oh, and one more thing, and you can do this now! I went to https://www.apple.com/feedback/iphone/ and submitted the following feature request to Apple about allowing multiple secondary (non-iCloud Keychain) Passkey apps in a future iOS update, and you can easily submit the same request so they get more feedback! Mine looked like this as an example:

It looks like people have said that iOS 18 Beta includes the ability to have at least 3 Passkey-enabled apps including their own, which would allow 1Password and the Microsoft Authenticator app to co-exist as Passkey providers on the same iPhone. Yay! At least, when iOS 18 goes GA this Fall...

It does look like Passkeys are currently just limited to Microsoft Authenticator. Having said the above, I have put in a query to Microsoft Support to see if there is any movement on this on the horizon, as a synched Passkey would be very helpful for a lot of us.

Passkeys do not work with Microsoft 365

DominicTech
New Contributor
8 days ago
Like other members, on March 13, 2025, I confirm that passkeys now works with 1Password in Microsoft 365 account. We need to select "Security key" when adding a new authentication method, then choose "USB Device".
As others said, the configuration of FIDO authentication in admin 365 must have Attestation disabled.
Page : https://entra.microsoft.com/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AdminAuthMethods/
mpinoc
New Contributor
9 days ago
Update: I just tried today and it FINALLY worked for "synced" Passkeys and creating it within 1Password!! I no longer have to use that stupid "Microsoft Authenticator" app anymore!! So it appears within the last 3 weeks or so (since the last time I tried), Microsoft finally enabled the ability!!
I have two Microsoft Exchange accounts (two different companies). One company it gave me the option of "Security Key or Passkey" (did NOT say "(Preview)" on it, so it appears it was out of "preview". But after I created it, I went back to get a screenshot and that option then disappeared, leaving only "Security Key" or "Passkey in Microsoft Authenticator"). The other company it didn't have that "Security Key or Passkey" option, so I had to use "Security Key" and then selected either "USB device" or "NFC device" (both worked with 1Password).
For the "Security Key or Passkey", I was able to set it up on an iPhone using 1Password as the passkey provider.
But for the "Security Key" option, I had to do it via a PC (I was using Firefox, if it mattered with the 1Password Extension set as Firefox's default password manager). If I attempted in iPhone using the "Security Key" option it asked me to connect the device to the phone, it wouldn't prompt to save it in 1Password, even with that being my iPhone's default Passkey provider (I am not using iCloud Keychain).
NOTE: it was giving an error at first, if "Enforce Attestation" was enabled. But when I turned that off (I am an admin for both companies), and also turned off "Enforce Key Restrictions", then it worked. This was even when I had the AAGUID for 1Password in the "allowed" list, but the warning still said that "my organization" didn't allow it.
- duscu
  New Contributor
  9 days ago
  Just confirming this worked. For me it even worked with key restiction on (but yes, attestation needs to be off). I used this AAGUID: bada5566-a7aa-401f-bd96-45619a55120d
  
  I just wonder if it will ever support the attestation. For physical keys it's up to the vendors to provide the data to Microsoft. Not sure this is even possible for Synced keys.
duscu
New Contributor
2 months ago
Nothing has really changed, it's still limited to device bound passkeys except if you want to use the Microsoft Auth app.
The only thing that changed recently, is that passkeys on Microsoft Auth app has also been enabled for tenants who do don't enforce key restrictions.
portland80
New Contributor
2 months ago
aared Same behavior with my tenant I tested it. Normally I have a key restriction enabled but I have same message with and without restriction. I let you know if it should work in my tenant.
aared
New Contributor
2 months ago
According to the post from Backspaze on Page 2, it should be ready by now (estimated mid-Jan 2025). I'm 99% there but then it fails:

Microsoft admin can enable passkeys through the portal on entra.microsoft.com
and can avoid enabling key restrictions (disabled by default)

which allows non-microsoft-authenticator passkey creation
and it gets to the last step
but then it fails
- DominicTech
  New Contributor
  21 days ago
  March 1st tomorrow. Still the same problem...
Global
New Contributor
3 months ago
The update I have from Microsoft support is the following:

"Microsoft is committed to securing customers and users with passkeys. We are investing in both synced and device-bound passkeys for work accounts."

The TDLR is that it is coming, but a date has not yet been set.
Global
New Contributor
3 months ago
It does look like Passkeys are currently just limited to Microsoft Authenticator.

Having said the above, I have put in a query to Microsoft Support to see if there is any movement on this on the horizon, as a synched Passkey would be very helpful for a lot of us.
wavesound
Dedicated Contributor
5 months ago
This appears to limit Passkeys to Microsoft Authenticator so we still won't be able to use these in 1Password, no?
Backspaze
Dedicated Contributor
5 months ago
Microsoft has released more information.

Microsoft Entra: Enablement of Passkeys in Authenticator for passkey (FIDO2) organizations with no key restrictions

Beginning mid-January 2025, after the General Availability of passkeys in the Microsoft Authenticator app, organizations with the passkey (FIDO2) authentication methods policy enabled with no key restrictions will be enabled for passkeys in the Microsoft Authenticator app in addition to FIDO2 security keys. This update aligns with the broader availability of passkeys in Entra ID, extending from device-bound passkeys on security keys to device-bound passkeys also on user devices. Users who navigate to aka.ms/MySecurityInfo will see "Passkey in Microsoft Authenticator" as an authentication method they can add. Additionally, when Conditional Access (CA) authentication strengths policy is used to enforce passkey authentication, users who don't yet have any passkey will be prompted inline to register passkeys in Authenticator to meet the CA requirements. If an organization prefers not to enable this change for their users, they can work around it by enabling key restrictions in the passkey (FIDO2) policy. This change will not impact organizations with existing key restrictions or organizations that have not enabled the passkey (FIDO2) policy.

When this will happen:

General Availability (Worldwide, GCC, GCC High, DoD): Rollout will happen mid-January 2025.

How this will affect your organization:

Who will be impacted: Organizations with the passkey (FIDO2) authentication methods policy enabled with no key restrictions set.

Who will not be impacted: Organizations that do not have the passkey (FIDO2) authentication methods policy enabled and organizations that have the passkey (FIDO2) authentication methods policy enabled and have key restrictions set.

What you need to do to prepare:

This rollout will happen automatically with no admin action required. You may want to notify your users about this change and update any relevant documentation as appropriate.
wavesound
Dedicated Contributor
5 months ago
Piebas Its up to Microsoft at this point...