> ## Documentation Index
> Fetch the complete documentation index at: https://docs.truu.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Enable TruU FIDO2 Authenticator for Entra ID

> Step-by-step guide to enabling Passkey (FIDO2) authentication for your organization using Microsoft Entra ID.

### 1. Navigate to Authentication Methods

Sign in to the **Entra ID Admin Portal**, go to the **Entra ID** dropdown, select **Authentication Methods**, then click **Policies**.

<img src="https://mintcdn.com/truu-2/rjjBxA7Z_Wk_-34G/images/docs/f5e427642fe6911e7054ed286a7853cd190a1d34da27a332c26ac33e0bdc585f-21.png?fit=max&auto=format&n=rjjBxA7Z_Wk_-34G&q=85&s=1047b26654e9c7ed8a63e05d559c4b28" alt="" width="1924" height="814" data-path="images/docs/f5e427642fe6911e7054ed286a7853cd190a1d34da27a332c26ac33e0bdc585f-21.png" />

### 2. Enable Passkey (FIDO2)

Select the **Passkey (FIDO2)** policy. On the **Enable and target** tab, toggle **Enable** to **On**.

<Frame>
  <img src="https://mintcdn.com/truu-2/WgRY4OvuSM1xSgvF/images/image-135.png?fit=max&auto=format&n=WgRY4OvuSM1xSgvF&q=85&s=fa5b9fdf4c05424aea2d3cc241efca6c" alt="Image" width="2010" height="998" data-path="images/image-135.png" />
</Frame>

<Note>
  TruU recommends to enable the policy for all users and provides control in the TruU tenant to limit the enrollment of Passkeys to selected group of users.
</Note>

### 3. Enable Self-Service Setup

Click the **Configure** tab. Under **General**, ensure **Allow self-service set-up** is checked. If disabled, users cannot register a passkey through Security Info even when Passkey (FIDO2) is enabled.

<Frame>
  <img src="https://mintcdn.com/truu-2/WgRY4OvuSM1xSgvF/images/image-136.png?fit=max&auto=format&n=WgRY4OvuSM1xSgvF&q=85&s=51ea860635624841ea828ee8434ea037" alt="Image" width="1962" height="1090" data-path="images/image-136.png" />
</Frame>

### 4. Add a TruU FIDO2 Passkey Profile

On the **Configure** tab, under **Passkey profiles**, click **+ Add profile** and fill in the following:

| Setting                 | Value                    |
| ----------------------- | ------------------------ |
| Name                    | TruU FIDO2 Authenticator |
| Enforce attestation     | Leave **unchecked**      |
| Passkey types           | Device-bound             |
| Target specific AAGUIDs | Checked                  |
| Behavior                | Allow                    |

Under **Model/Provider AAGUIDs**, click **+ Add AAGUID**, select **Enter AAGUID**, and enter the value for your TruU version:

* Version 24.x / 25.x (deprecated): `ba86dc56-635f-4141-aef6-00227b1b9af6`
* Version 26.x and above: `bb878d7b-cf54-4784-b390-357030497043`

<Frame>
  <img src="https://mintcdn.com/truu-2/WgRY4OvuSM1xSgvF/images/image-137.png?fit=max&auto=format&n=WgRY4OvuSM1xSgvF&q=85&s=900a446cb04bc7ed427f926527f980a1" alt="Image" width="1210" height="1596" data-path="images/image-137.png" />
</Frame>

<Frame>
  <img src="https://mintcdn.com/truu-2/WgRY4OvuSM1xSgvF/images/image-138.png?fit=max&auto=format&n=WgRY4OvuSM1xSgvF&q=85&s=56934b1e71b15fa84e8c0dc68d02053b" alt="Image" width="2102" height="1184" data-path="images/image-138.png" />
</Frame>

Click **Save**.

<Warning>
  Do not check **Enforce attestation**. Attestation is intended to verify hardware manufacturing processes and prevent unauthorized hardware. TruU is a virtualized solution that operates on Microsoft-verified hardware and does not require specialized hardware.
</Warning>

### 5. Assign the Profile to a Target Group

Go back to the **Enable and target** tab. Click **+ Add target**, select **Select targets**, and choose your user security group or deploy to All users

In the **Passkey profiles** column for that group, select **TruU FIDO2 Authenticator** from the drop-down.

<Frame>
  <img src="https://mintcdn.com/truu-2/WgRY4OvuSM1xSgvF/images/image-139.png?fit=max&auto=format&n=WgRY4OvuSM1xSgvF&q=85&s=b5ef84bfc091a03fac1b36a00d1e3257" alt="Image" width="1756" height="1264" data-path="images/image-139.png" />
</Frame>

Click **Save**.
