
Enable Passkey (FIDO2) for your organization

Requirements

  • Passkey (FIDO2) authentication requires compatible devices. For Windows devices joined to Microsoft Entra ID, the best experience is on Windows 10 version 1903 or newer. Hybrid-joined devices need to be running Windows 10 version 2004 or later.

Steps

  • Sign in to the Entra ID admin portal, open the “Entra ID” dropdown menu, select Authentication Methods, and then click Policies.
  • In the “Passkey (FIDO2)” method, toggle the setting to Enable. Then choose All users, or select Add groups to target specific groups. Only security groups are supported.
    NOTE: TruU recommends targeting a test group during any POC.
  • On the same page, click on the Configure tab, set “Allow self-service setup” to “Yes”. If set to No, users will not be able to register a passkey through Security Info, even if Passkeys (FIDO2) are enabled via the Authentication Methods policy.
  • Set “Enforce attestation” to “No”. TruU is still working on Microsoft passkey provider attestation certification, so leave this set to No for now.
  • Set “Enforce key restrictions” to Yes.
  • Set “Restrict specific keys” to Allow.
  • Click Add AAGUID and enter the following TruU AAGUID: ba86dc56-635f-4141-aef6-00227b1b9af6. With key restrictions enforced and this allow list in place, only passkeys from the listed authenticator can be registered under the policy; any other AAGUID is rejected at registration.
  • Save these settings to finalize the changes made.
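The same policy can be set and audited through the Microsoft Graph API instead of the portal. The script below is an added example written for this page, not TruU's or Microsoft's own code: it builds the Fido2 authentication method configuration that matches the steps above (enabled, self-service setup on, attestation not enforced, key restrictions enforced with an allow list containing the TruU AAGUID) and includes a small audit function that flags a retrieved configuration that drifts from those settings. The Graph endpoint and property names are the documented `fido2AuthenticationMethodConfiguration` schema; the group id, bearer token and the weak sample configuration are constructed placeholders, and applying the policy requires the `Policy.ReadWrite.AuthenticationMethod` permission.

```python
"""Build and audit the Entra ID Passkey (FIDO2) authentication method policy via Microsoft Graph."""
import json
import urllib.request

# v1.0 endpoint for the FIDO2 method configuration inside the authentication methods policy.
GRAPH_FIDO2_URL = ("https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/"
                   "authenticationMethodConfigurations/Fido2")

# TruU authenticator AAGUID, as given in the steps above.
TRUU_AAGUID = "ba86dc56-635f-4141-aef6-00227b1b9af6"


def build_fido2_policy(group_ids=None, aaguids=(TRUU_AAGUID,)):
    """Return the PATCH body that mirrors the portal steps.

    group_ids: security group object ids to target; None targets all users
    (Graph represents "All users" as a group target with id "all_users").
    """
    if group_ids:
        targets = [{"targetType": "group", "id": gid, "isRegistrationRequired": False}
                   for gid in group_ids]
    else:
        targets = [{"targetType": "group", "id": "all_users", "isRegistrationRequired": False}]
    return {
        "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
        "state": "enabled",                        # Passkey (FIDO2) method: Enable
        "isSelfServiceRegistrationEnabled": True,  # Allow self-service setup: Yes
        "isAttestationEnforced": False,            # Enforce attestation: No (see note above)
        "keyRestrictions": {
            "isEnforced": True,                    # Enforce key restrictions: Yes
            "enforcementType": "allow",            # Restrict specific keys: Allow
            "aaGuids": [a.lower() for a in aaguids],
        },
        "includeTargets": targets,
    }


def audit_fido2_policy(config, expected_aaguids=(TRUU_AAGUID,)):
    """Compare a retrieved configuration with the recommended settings.

    Returns a list of human-readable findings; an empty list means it matches.
    """
    findings = []
    if config.get("state") != "enabled":
        findings.append("Passkey (FIDO2) method is not enabled")
    if not config.get("isSelfServiceRegistrationEnabled"):
        findings.append("self-service setup disabled: users cannot register through Security Info")
    if config.get("isAttestationEnforced"):
        findings.append("attestation enforced: TruU passkeys will be rejected until certification completes")
    restrictions = config.get("keyRestrictions") or {}
    if not restrictions.get("isEnforced"):
        findings.append("key restrictions not enforced: any authenticator AAGUID can be registered")
    elif restrictions.get("enforcementType") != "allow":
        findings.append("key restrictions are a block list, not an allow list")
    else:
        present = {a.lower() for a in restrictions.get("aaGuids", [])}
        missing = sorted(set(a.lower() for a in expected_aaguids) - present)
        if missing:
            findings.append(f"AAGUID(s) missing from allow list: {missing}")
    return findings


def apply_fido2_policy(bearer_token, body):
    """PATCH the configuration to Graph; returns the HTTP status (200 on success).

    Requires Policy.ReadWrite.AuthenticationMethod. Not called by the stand-alone run below.
    """
    request = urllib.request.Request(
        GRAPH_FIDO2_URL,
        data=json.dumps(body).encode("utf-8"),
        method="PATCH",
        headers={"Authorization": f"Bearer {bearer_token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(request) as response:
        return response.status


# Constructed sample of a weak tenant configuration: FIDO2 enabled, but self-service
# registration off and no key restrictions, so any passkey model could be enrolled.
SAMPLE_WEAK_CONFIG = {
    "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
    "state": "enabled",
    "isSelfServiceRegistrationEnabled": False,
    "isAttestationEnforced": False,
    "keyRestrictions": {"isEnforced": False, "enforcementType": "block", "aaGuids": []},
    "includeTargets": [{"targetType": "group", "id": "all_users", "isRegistrationRequired": False}],
}

if __name__ == "__main__":
    # Placeholder group id; replace with the object id of the POC test group.
    print(json.dumps(build_fido2_policy(["00000000-0000-0000-0000-000000000001"]), indent=2))
    for finding in audit_fido2_policy(SAMPLE_WEAK_CONFIG):
        print("FINDING:", finding)
```

Running the script prints the PATCH body for a single test group and two findings for the constructed weak configuration (self-service disabled, key restrictions not enforced); pass the body to `apply_fido2_policy` with a valid token to push it to the tenant, and run `audit_fido2_policy` against the JSON returned by a GET on the same URL to confirm nothing has drifted after the change.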
