Introduction

Microsoft is enforcing MFA for administrative accounts accessing Azure (including Entra ID) as of 10/15/2024. I wrote about this change in a separate article. It is important to have a second factor for your Break Glass accounts – otherwise you will no longer be able to use them. In today’s article, I will walk you through the steps necessary to enable FIDO2 authentication in your tenant, enforce it for your break glass account with a conditional access policy, and register the key.

Enable FIDO2 authentication

First, you should verify that you have already migrated from per-user MFA to authentication methods policies by clicking Manage Migration in the authentication methods policies. The status should be “migration complete”:

If this is not the case, I recommend following the guideline and migrating to the new portal:
How to migrate to the Authentication methods policy – Microsoft Entra ID | Microsoft Learn

To enable FIDO2 authentication, click on Passkey (FIDO2):

Here you must enable support for this authentication method:

Then review the configuration. You can enable "Enforce attestation", which verifies that your FIDO2 key is genuine and comes from a legitimate vendor. If you are currently trying passkey authentication, you will have to turn this setting off, as passkeys currently do not support attestation:

Enforce FIDO2 Authentication

First, we need to create a new authentication strength for FIDO2:

Here we select FIDO2. In the advanced options we have to specify the AAGUID of the security key we are going to use:

The AAGUID can be obtained from the manufacturer of the security key, in my case Yubico:
YubiKey Hardware FIDO2 AAGUIDs – Yubico

Since there are two different IDs for different firmware versions and I don’t know which firmware is on my stick, I add both:

Now you can save the authentication strength and then create a Conditional Access policy that forces the break glass account to use the newly created FIDO2 authentication strength. We will scope it to the break glass account only:

This requirement will apply to all cloud applications:

And in the Grant access control, choose to require the FIDO2 authentication strength you just created:

I also recommend setting a low sign-in frequency and disabling persistent browser sessions:

You can enable the policy right away because it is scoped to your break glass account only.
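The same configuration from the three steps above (authentication strength, AAGUID restriction, and the scoped Conditional Access policy) can be built with Microsoft Graph PowerShell instead of the portal. This is an added example and not code from the original article; the account UPN, the two AAGUID values and the one-hour sign-in frequency are placeholders and assumptions.

```powershell
# Added example (not from the original article). Assumptions: the Microsoft.Graph module is installed,
# the UPN and AAGUIDs below are placeholders (take the real AAGUIDs from the vendor's list).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.ReadWrite.AuthenticationMethod","User.Read.All"

$breakGlassUpn  = "breakglass@contoso.example"      # placeholder
$allowedAaguids = @(                                 # placeholders for the two firmware-specific AAGUIDs
    "00000000-0000-0000-0000-000000000001",
    "00000000-0000-0000-0000-000000000002"
)

# 1. Custom authentication strength that only accepts FIDO2
$strength = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/authenticationStrength/policies" `
    -Body @{
        displayName         = "Break Glass FIDO2 only"
        description         = "FIDO2 security key restricted to approved AAGUIDs"
        allowedCombinations = @("fido2")
    }

# 2. Advanced option: restrict the fido2 combination to the listed AAGUIDs
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/authenticationStrength/policies/$($strength.id)/combinationConfigurations" `
    -Body @{
        "@odata.type"         = "#microsoft.graph.fido2CombinationConfiguration"
        appliesToCombinations = @("fido2")
        allowedAAGUIDs        = $allowedAaguids
    } | Out-Null

# 3. Conditional Access policy: break glass account only, all cloud apps, require the strength,
#    low sign-in frequency (1 hour assumed) and no persistent browser session. Enabled right away.
$user   = Get-MgUser -UserId $breakGlassUpn
$policy = @{
    displayName = "CA - Break Glass requires FIDO2 key"
    state       = "enabled"
    conditions  = @{
        users        = @{ includeUsers = @($user.Id) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $strength.id }
    }
    sessionControls = @{
        signInFrequency   = @{ isEnabled = $true; type = "hours"; value = 1 }
        persistentBrowser = @{ isEnabled = $true; mode = "never" }
    }
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" -Body $policy
```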

Register the FIDO2 key

I recommend waiting at least 15 minutes before proceeding, as it takes this time for the FIDO2 authentication method to become available.
To register a FIDO2 key, you must log in to the account with a second factor. To accomplish this for the Break Glass account, I recommend creating a temporary access pass (TAP) for this purpose. You can add a TAP under Authentication Methods in a user’s settings:

Copy the provided access pass because you will need it later:

To register the FIDO2 key, log in with your break glass account. After entering your username, you will be asked for the temporary access pass you just created:

You will then need to register a new factor:

The wizard will guide you to create a passkey in the authenticator application, but we don’t want to do that, so we select “I want to set up a different method”:

Then select “Passkey”:

Here you can see a hint that only a passkey with one of the defined AAGUIDs can be used:

Next, click “Set up passkey using another device”:

A new window will pop up, asking you to scan the QR code with your phone, but at the bottom you will see a message telling you to insert the USB security key and touch it:

Since this is the first time I am using this security key, I am forced to set a PIN for it:

Now I have to touch the security key to complete the process:

Finally, I have to confirm that login.microsoft.com has access to the security key:

To distinguish between different passkeys, you must enter a name for the one you have just registered:

The passkey is now created and can be used to log in:

If we check the security information afterwards, we can see the registered security key:

From an admin perspective, you can also see the registered security key – click on the three dots on the right to get more details:

Here you can see the exact model and the AAGUID – you can use this value to adjust the authentication strength we configured a few steps earlier:
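The admin view above is also where a mismatch between the registered key and the authentication strength would first show up. As an added check that is not part of the original article, the following script reads the account's registered FIDO2 methods and the strength's allowed AAGUIDs via Microsoft Graph and reports whether each key would actually satisfy the policy; the UPN and strength name are placeholders.

```powershell
# Added example (not from the original article). Assumptions: Microsoft.Graph module installed,
# the UPN and the strength display name are placeholders for your own values.
Connect-MgGraph -Scopes "UserAuthenticationMethod.Read.All","Policy.Read.All"

$breakGlassUpn = "breakglass@contoso.example"   # placeholder
$strengthName  = "Break Glass FIDO2 only"       # placeholder: displayName of the custom strength

# Registered FIDO2 methods of the account (each has displayName, model and aaGuid)
$keys = (Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/users/$breakGlassUpn/authentication/fido2Methods").value

# Locate the custom strength client-side, then read its fido2 combination configuration,
# which is where the allowed AAGUIDs live
$strength = (Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/authenticationStrength/policies").value |
    Where-Object { $_.displayName -eq $strengthName } | Select-Object -First 1
if (-not $strength) { Write-Warning "Authentication strength '$strengthName' not found"; return }

$configs = (Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/authenticationStrength/policies/$($strength.id)/combinationConfigurations").value
$allowed = @($configs | ForEach-Object { $_.allowedAAGUIDs } | ForEach-Object { $_.ToLower() })

if (-not $keys) { Write-Warning "No FIDO2 key registered for $breakGlassUpn"; return }

# A key whose AAGUID is not in the strength will be rejected at sign-in even though it is registered
foreach ($k in $keys) {
    $status = if ($allowed -contains $k.aaGuid.ToLower()) { "ALLOWED" } else { "NOT IN STRENGTH" }
    "{0,-25} {1,-35} {2}  {3}" -f $k.displayName, $k.model, $k.aaGuid, $status
}
```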

Logon with the FIDO2 key

The login process is very simple. You enter your username and then choose to log in with a security key:

You will then see a popup asking you to select “Security Key” again:

The wizard will then ask you to insert and touch the USB security key. Once inserted, it will start flashing:

Now you need to verify with your defined PIN:

And you have to touch the security key again to confirm the request:

Then you are logged in! If you check the logs, you will see that the logon was successful and that the MFA requirement was met by a multi-factor device:

Under authentication details we can see that we used our “Break Glass Yubikey”:

Conclusion

In this article, I covered how to enable FIDO2 support in your tenant. Then I showed you how to create a conditional access policy that forces your break-glass account to log in with a specific FIDO2 key. Finally, I showed the process of enrolling the FIDO2 key.

We are only a month away from Microsoft enforcing the MFA requirement, so now is the time to get some FIDO2 keys and set them up for your break glass accounts!
If you need any help or have any questions, feel free to reach out to me!

I hope you enjoyed this article!
