When I go to add PassKeys to my MIcrosoft 365 portal it fails at the last step. https://mysignins.microsoft.com/security-info Same error in Chrome and Brave. I was able to cancel the 1Password enrollment process and enroll a YubiKey just fine. 1Password Version: 1Password for Mac 8.10.7 (81007041) Extension Version: 2.12.0 OS Version: 13.4 Browser:_ Brave

Confirming I have the exact same problem following the steps sukka mentioned.

I came across the same AAGUID. Although we have now the option to select "passkey (preview)", it still errors when trying to add a passkey, no matter what kind.

(Note, I happened to be on page 1 on an old open tab when I started this, and didn't see the replies just above from alcyone7 and duscu and others with similar information, but I gathered a few more details (and words, haha) even though they appear to be just as accurate, so the below is an "also" and not entirely new to the thread--wish I'd seen the above replies before my conversation with JefTek, it would have helped clarify a bit!) I wanted to update this to let folks know that Microsoft has enabled Passkeys as a preview for Microsoft 365/Entra ID accounts, BUT only "device-bound" Passkeys and ONLY initially using the Microsoft Authenticator app on iOS and Android. You also need to make the Authenticator app, on iOS at least, your "primary" additional Passkey app (other than iCloud Keychain, which can also be simultaneously enabled), but you can only have ONE non-Apple Passkey app. And 1Password is mine. Which means I can't use Microsoft 365 Entra ID Passkeys yet, because I'd have to make MS Authenticator the Passkey provider on iOS and not 1Password. However, Microsoft said that before the end of 2024 they will also roll out "syncable" Passkey support (the kind that 1Password uses, along with many other password managers and some of the platform tools/browsers. However, they will need to be explicitly enabled (as device-bound ones do now) by an administrator. And, you'll have to/need to determine which "AAGUID" values you'll accept--every Passkey provider generates a unique AAGUID for authenticators with the same features. So Yubico's Yubikeys (which also can save device-bound Passkeys and have worked with Microsoft Entra ID for years as FIDO2 keys) have AAGUIDs per "family" depending on the features of each key. You can authorize as many or as few AAGUIDs as you want for a particular Microsoft tenant (or even a Custom Authentication Strength you can define and assign to particular groups/users or even certain applications), so administrators have control over which Passkeys they will accept instead of usernames and passwords. I think this control for business accounts is a good thing, but I'm disappointed I can't enable the 1Password AAGUID yet! (Well, I can and did, but it doesn't work since Microsoft only enables those for Authenticator--you actually have to add iOS and Android Authenticator App AAGUIDs to your allow list explicitly even to test the public beta!). If you're curious, you can see a list of known password manager AAGUIDs here, including 1Password's: https://passkeydeveloper.github.io/passkey-authenticator-aaguids/explorer/ That is generated from this GitHub repository collecting them for easy use, and they are available in several programmer-friendly formats also: https://github.com/passkeydeveloper/passkey-authenticator-aaguids And you can see how Yubikeys have various AAGUIDs based on which model/features each hardware keys has from Yubico's own list, here: https://support.yubico.com/hc/en-us/articles/360016648959-YubiKey-Hardware-FIDO2-AAGUIDs The Microsoft information above was pulled from a reasonably long discussion I had in the last few weeks with Jef Kazimer (JefTek) of https://jeftek.com/ (he's a Principal Project Manager for Microsoft Entra ID at Microsoft) in an Entra-related Discord server, and is a summery of a longer discussion. I really hope (and asked for) syncable Passkey support ASAP! Oh, and Microsoft's official documentation to enable Passkey support is located at https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-enable-passkey-fido2 and the purple callout near the top does (if you know what they are!) explicitly list that device-bound Microsoft Authenticator Passkeys (in addition to physical security keys) are the only ones supported now but that synced passkey is being worked on: For reference I have a screenshot of the iOS Passkey app configuration screen showing where you can enable or disable iCloud Keychain (I have it disabled in the screenshot) and ONE other Passkey app--I have 1Password selected, but if I choose Authenticator, 1Password switches to disabled and vice-versa: I don't know if there's a way for 1Password to detect if a credential that's saved for login.microsoftonline.com right now is for a Microsoft Personal/Family account (used to be a Live ID many years ago), or if the credential is for a Microsoft 365 Work/Entra ID business tenant account. If they can tell automatically, it would be nice for their "Passkey is available!" alert at the top of a saved item for Microsoft to be smarter about not presenting that alert for Entra ID accounts until synced passkeys are supported in Entra ID, and when they are, to link to the setup page (like the above document) because each tenant will need explicit configuration before 1Password Passkeys (or any!) will work--maybe they should write a blog post at that time and walk people through the steps for 1Password at least. Oh, and one more thing, and you can do this now! I went to https://www.apple.com/feedback/iphone/ and submitted the following feature request to Apple about allowing multiple secondary (non-iCloud Keychain) Passkey apps in a future iOS update, and you can easily submit the same request so they get more feedback! Mine looked like this as an example:

It looks like people have said that iOS 18 Beta includes the ability to have at least 3 Passkey-enabled apps including their own, which would allow 1Password and the Microsoft Authenticator app to co-exist as Passkey providers on the same iPhone. Yay! At least, when iOS 18 goes GA this Fall...

It does look like Passkeys are currently just limited to Microsoft Authenticator. Having said the above, I have put in a query to Microsoft Support to see if there is any movement on this on the horizon, as a synched Passkey would be very helpful for a lot of us.

Passkeys do not work with Microsoft 365

70 Replies

Backspaze
Dedicated Contributor
2 years ago
In today's weekly digest for coming updates in Microsoft 365 there are two mentions of passkeys with some information on expected release windows and a bunch of other information.

For those that have access to the Microsoft 365 admin center, you can search for the two headers and MC numbers below and/or take a look at https://www.microsoft.com/sv-SE/microsoft-365/roadmap?filters=&searchterms=182056 in their public roadmap. I've included the information in spoiler tags (for brevity) for those that don't have access to the admin center.

Microsoft Entra ID: Authentication strength improvements to support passkeys - MC718260

!
! Summary
!
! Conditional Access authentication strengths in Microsoft Entra ID will be improved to support registration of device-bound passkeys (https://passkeys.dev/docs/reference/terms/#device-bound-passkey) stored on computers, security keys, and mobile devices.
!
! This message is associated with Microsoft 365 Roadmap ID https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=182056.
!
! When this will happen:
!
! Public Preview: We will begin rolling out early March 2024 and expect to complete by mid-March 2024.
!
! Worldwide, GCC, GCC High, DoD: We will begin rolling out late April 2024 and expect to complete by early May 2024.
!
! How this will affect your organization:
!
! End user registration
!
! Prior to this change, users who were in-scope for authentication strength enforcement who could not satisfy passkey (FIDO2) authentication requirements received an error message asking users to manually register the passkey (FIDO2) method.
!
! With this rollout, in My Security Info, new registration options called Passkey (preview) and Passkey in Microsoft Authenticator (preview) will be shown to users who are interrupted to register a passkey (FIDO2) method to satisfy authentication strength requirements. Users that are required to register a passkey in Microsoft Authenticator will see a dedicated registration experience. Users whose organization requires specific passkeys from various vendors and manufacturers will be shown allowable AAGUIDS of the passkeys they can choose to register. No changes are expected to existing Conditional Access policies targeting security information registration.
!
! Current:
!
!
!
! New:
!
!
!
! What you need to do to prepare:
!
! For more information on changes to Microsoft Entra support for passkeys (FIDO2), please review our previous message center post MC690185: (Updated) Prepare for device-bound passkeys in Microsoft Entra ID (changes to FIDO2 and Windows Hello for Business), (November 2023).
!
! No action is needed to prepare for this change. You may want to notify your users about this change and update any relevant documentation as appropriate.

(Updated) Prepare for device-bound passkeys in Microsoft Entra ID (changes to FIDO2 and Windows Hello for Business) - MC690185

! Summary
!
! Updated February 19, 2024: We have updated the rollout timeline below. Thank you for your patience.
!
! Beginning mid-March 2024, Microsoft Entra ID will support https://passkeys.dev/docs/reference/terms/#device-bound-passkey stored on computers and mobile devices as an authentication method in preview, in addition to the existing support for FIDO2 security keys. This enables your users to perform phishing-resistant authentication using the devices that they already have.
!
! We will be expanding the existing FIDO2 authentication methods policy and end user experiences to support this preview release. If your organization uses FIDO2 authentication or Windows Hello for Business, please continue reading to learn more and prepare for the upcoming changes.
!
! Admin Configuration
!
! In the Entra admin portal, we will be renaming “FIDO2 security keys” to “Passkeys (FIDO2)” within the authentication methods policy and Conditional Access authentication strengths policy.
!
! For your organization to opt-in to this preview, you will need to enforce key restrictions to allow specified passkey providers in your FIDO2 policy. Here are the possible configuration states for FIDO2 key restrictions during the preview:
!
! * No key restrictions (FIDO2 policy default): Tenant allows all security key models. Device-bound passkey providers on computers and mobile devices are not allowed.
! * Key restrictions set to "Allow": Tenant only allows the explicitly added AAGUIDs. To enable a device-bound passkey provider, add their AAGUID(s) to the key restrictions list.
! * Key restrictions set to "Block": Tenant blocks the explicitly added AAGUIDs and allows all other security key models. Device-bound passkey providers on computers and mobile devices are not allowed.
!
!
!
! End User Registration Experience
!
! In the My Security Info portal, a new registration option called "Passkey (preview)" will be shown to end users for registering a device-bound passkey on computers, mobile devices, or security keys.
!
!
!
! Towards the end of 2024, the existing security key registration option will be replaced by the newly introduced passkey option.
!
! **End User Sign-in Experience*
!
! The existing end user sign-in option for Windows Hello for Business and FIDO2 security keys will be renamed to “Face, fingerprint, PIN, or security key”. The term "passkey" will be mentioned in the updated sign-in experience to be inclusive of passkey credentials presented from security keys, computers, and mobile devices.
!
! * Text displayed to users today:
! * “Sign in with Windows Hello or security key”
! * "Sign in with a security key”
! * "Signing in with Windows Hello or security key"
! * Text displayed to users in January 2024:
! * “Face, fingerprint, PIN, or security key”
! * "Signing in with a passkey"
!
!
!
gussic
Super Contributor
2 years ago
Confirming I am still unable to add a Passkey for my (work) Microsoft 365 account... The correct policies are enabled in Entra so I am not sure what the problem is...
wraith
Occasional Contributor
2 years ago
leonardder https://support.yubico.com/hc/en-us/articles/360016648959-YubiKey-Hardware-FIDO2-AAGUIDs

Of course I haven't actually been successful in making this work (despite following the poorly worded guidance in the MS Article).
leonardder
Occasional Contributor
2 years ago
This opens the question whether 1Password passkeys are considered device bound. Furthermore, how to determine the Authenticator Attestation GUID (AAGUID) needed to approve 1Password passkeys?
Former Member
2 years ago
"Beginning January 2024, Microsoft Entra ID will support device-bound passkeys stored on computers and mobile devices as an authentication method in public preview, in addition to the existing support for FIDO2 security keys. This enables your users to perform phishing-resistant authentication using the devices that they already have."

https://janbakker.tech/prepare-for-passkeys-in-entra-id/

https://learn.microsoft.com/en-us/entra/fundamentals/whats-new#public-preview---device-bound-passkeys-as-an-authentication-method
Former Member
2 years ago
"Beginning January 2024, Microsoft Entra ID will support device-bound passkeys stored on computers and mobile devices as an authentication method in public preview, in addition to the existing support for FIDO2 security keys. This enables your users to perform phishing-resistant authentication using the devices that they already have."

https://janbakker.tech/prepare-for-passkeys-in-entra-id/

https://learn.microsoft.com/en-us/entra/fundamentals/whats-new#public-preview---device-bound-passkeys-as-an-authentication-method
Former Member
2 years ago
"Beginning January 2024, Microsoft Entra ID will support device-bound passkeys stored on computers and mobile devices as an authentication method in public preview, in addition to the existing support for FIDO2 security keys. This enables your users to perform phishing-resistant authentication using the devices that they already have."

https://janbakker.tech/prepare-for-passkeys-in-entra-id/

https://learn.microsoft.com/en-us/entra/fundamentals/whats-new#public-preview---device-bound-passkeys-as-an-authentication-method
Former Member
2 years ago
"Beginning January 2024, Microsoft Entra ID will support device-bound passkeys stored on computers and mobile devices as an authentication method in public preview, in addition to the existing support for FIDO2 security keys. This enables your users to perform phishing-resistant authentication using the devices that they already have."

https://janbakker.tech/prepare-for-passkeys-in-entra-id/

https://learn.microsoft.com/en-us/entra/fundamentals/whats-new#public-preview---device-bound-passkeys-as-an-authentication-method
Former Member
2 years ago
Just hopping in to add my experience with this as well. Like others, I am unable to use iOS or MacOS (Safari) to add a passkey for my personal Microsoft account. Considering 1Password knows that I only use Apple devices, it would be nice to have the alert in 1Password to add a passkey removed until such a time as 1Password has verified support for my devices with the account in question! steph_giles
Former Member
2 years ago
Confirming same issue as above.
Edge: Version 119.0.2151.44 (x64)
1Password for Windows 8.10.20 (81020020)
Windows 10 22H2, 11 22H2 and 11 22H3, all recent updates applied.

Forum Discussion

Passkeys do not work with Microsoft 365

70 Replies

Recent Discussions

Don't Remember Last Search

1P doesn't autofill android app even when the app info is linked in the account info.

Clear Search Field without Mouse?

Feature Request - Search

Custom Templates