Restricting passkeys/FIDO2 devices

In a previous post, I created a passkey on a new account using a Temporary Access Pass (TAP), without knowing or using the password for that account. In keeping with that theme, I will create a new TAP and use it to register another passkey, this time in Microsoft Authenticator.

First, we create a reusable Temporary Access Pass; here's the Microsoft Graph (MG) PowerShell again:

# isUsableOnce = $false makes the TAP reusable for its whole lifetime
# (LifetimeInMinutes is not set, so the tenant default applies; 60 here)
$properties = @{}
$properties.isUsableOnce = $false
$properties.startDateTime = (Get-Date).ToString()
$propertiesJSON = $properties | ConvertTo-Json
New-MgUserAuthenticationTemporaryAccessPassMethod -UserId someuser@somedomain.onmicrosoft.com -BodyParameter $propertiesJSON

Id          IsUsable IsUsableOnce LifetimeInMinutes MethodUsabilityReason StartDateTime        TemporaryAccessPass
--          -------- ------------ ----------------- --------------------- -------------        -------------------
77dc0e80... True     False        60                EnabledByPolicy       6/5/2025 12:15:56 PM @+8D5X6&

This is what it presently looks like, and I started the process of adding a Microsoft Authenticator passkey. It will prompt for an MFA sign-in again if the last one was more than 10 minutes ago.

Creating a passkey in Microsoft Authenticator was a bit tedious (I had to type in the UPN using that small keyboard), but using a TAP was easier than the two-step process of creating an MFA method first, then signing in with username/password + MFA once more. At the last step the Microsoft Authenticator app did prompt to register the device (for passwordless sign-in), which I skipped.

This is what https://mysignins.microsoft.com/security-info now looks like.

I logged out and logged back in using the new Microsoft Authenticator passkey. Next, we look at the Authenticator Attestation GUID (aaGuid) of each FIDO2 authentication method; the aaGuid identifies the authenticator make and model, and it is what the FIDO2 policy's key restrictions match on. Running this MG PowerShell script, we get this:

$rm = Get-MgUserAuthenticationMethod -UserId someuser@somedomain.onmicrosoft.com
$rm | ForEach-Object {
    # type-specific fields (aaGuid, model, ...) live in AdditionalProperties
    $auth = $_.AdditionalProperties
    if ($auth["@odata.type"] -match "fido2")
    {
        # quote the whole string: a bare -> is parsed as an argument plus a > redirection
        Write-Host "$($auth['displayName']) -> $($auth['model'])"
        $auth["aaGuid"] | ForEach-Object {Write-Host "  " $_}
    }
}
Authenticator: Default Profile -> Microsoft Authenticator - Android
   de1e552d-db1d-4423-a619-566b625cdc84
yubikey -> Security Key NFC by Yubico
   e77e3c64-05e3-428b-8824-0cbeb04b829d

The Android aaGuid matches the one shown in Entra ID.

As a test, let's restrict the policy to just iOS/Android and leave out the Yubikey. On the FIDO2 policy, set Enforce key restriction to Yes, set Restrict specific keys to Allow, and tick the Microsoft Authenticator check box, which adds the two aaGuids for iOS and Android.

On https://mysignins.microsoft.com/security-info you can clearly see that the entry for the yubikey was set to disabled automatically, and attempting to log in using the yubikey resulted in this error.

On the FIDO2 policy, let's add the yubikey aaGuid e77e3c64-05e3-428b-8824-0cbeb04b829d. Going back to https://mysignins.microsoft.com/security-info, I can see the disabled text is now gone for the yubikey entry, and testing the login process confirms that.

Aside from the aaGuid, the attestation certificates can also be extracted: the attestationCertificates property lists one identifier per certificate in the key's attestation chain (the 40-hex-character values below look like SHA-1 thumbprints). The FIDO2 policy also has an Enforce attestation option. Simply put, enabling it makes Entra ID do an extra step during registration: it verifies the attestation statement and certificate chain that the authenticator presents (validated against the FIDO Alliance Metadata Service) instead of taking the reported aaGuid at face value. This matters for key restrictions: without attestation enforcement the aaGuid is self-reported by the authenticator, so an allow list only keeps out devices that identify themselves honestly. Most articles I have read state not to enable this option unless it's absolutely required (like FedRAMP perhaps).

$rm = Get-MgUserAuthenticationMethod -UserId someuser@somedomain.onmicrosoft.com
$rm | ForEach-Object {
    $auth = $_.AdditionalProperties
    if ($auth["@odata.type"] -match "fido2")
    {
        # quoted, for the same reason as above (bare -> would be a redirection)
        Write-Host "$($auth['displayName']) -> $($auth['model'])"
        # one entry per certificate in the attestation chain
        $auth["attestationCertificates"] | ForEach-Object {Write-Host "  " $_}
    }
}
Authenticator: Default Profile -> Microsoft Authenticator - Android
   52f7bc999ac1fda8a66583b977efd533231c74c1
   cb9ddb7a548985af125ac24d9649861e5be57fff
   706aa2ee5426bcc572a9df36634752c1fb2aff1a
yubikey -> Security Key NFC by Yubico
   3f8f4f839dae2d157a7f4a365f6fcddf1a650ad1
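To tie the two halves of the post together (the aaGuid allow list set in the portal, and the per-key attestation data pulled with Graph), here is an added example that is not code from the original post: it reads the tenant's FIDO2 policy, audits registered FIDO2/passkey methods against it so you can see which keys will end up "disabled" on mysignins before you flip the switch, and optionally applies the allow list through Graph instead of the portal. The function names are mine, the Graph scopes are an assumption to check against your tenant, and only the two aaGuids shown in this post are in the list; the Microsoft Authenticator iOS aaGuid is not on this page, so take it from the portal's check box or from an existing iOS passkey.

```powershell
# Added example (not code from the original post). Assumes the Microsoft Graph
# PowerShell SDK (Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users) and a
# session with at least these scopes (assumption; adjust for your tenant):
#   Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod",
#                           "UserAuthenticationMethod.Read.All", "User.Read.All"

# aaGuids taken from the post. The Microsoft Authenticator iOS aaGuid is not on
# this page; take it from the portal's check box or an existing iOS passkey.
$AllowedAaGuids = @(
    "de1e552d-db1d-4423-a619-566b625cdc84"   # Microsoft Authenticator - Android
    "e77e3c64-05e3-428b-8824-0cbeb04b829d"   # Security Key NFC by Yubico
)

# Read the tenant's FIDO2 policy. Type-specific settings sit in AdditionalProperties,
# just like the per-user methods do in the post.
function Get-Fido2PolicyState {
    $cfg = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
               -AuthenticationMethodConfigurationId "Fido2"
    $p  = $cfg.AdditionalProperties
    $kr = $p["keyRestrictions"]
    [pscustomobject]@{
        State                  = $cfg.State
        IsAttestationEnforced  = [bool]$p["isAttestationEnforced"]
        KeyRestrictionEnforced = [bool]$kr["isEnforced"]
        EnforcementType        = $kr["enforcementType"]      # allow | block
        AaGuids                = @($kr["aaGuids"])
    }
}

# List every FIDO2/passkey method for the given users and say whether the
# policy's key restriction would let that key sign in.
function Get-Fido2KeyAudit {
    param(
        [Parameter(Mandatory)] [string[]] $UserIds,
        [Parameter(Mandatory)] $Policy          # output of Get-Fido2PolicyState
    )
    foreach ($u in $UserIds) {
        Get-MgUserAuthenticationFido2Method -UserId $u -ErrorAction SilentlyContinue |
        ForEach-Object {
            $listed  = $Policy.AaGuids -contains $_.AaGuid
            $allowed = if (-not $Policy.KeyRestrictionEnforced) { $true }
                       elseif ($Policy.EnforcementType -eq "allow") { $listed }
                       else { -not $listed }   # block list
            [pscustomobject]@{
                User             = $u
                DisplayName      = $_.DisplayName
                Model            = $_.Model
                AaGuid           = $_.AaGuid
                # "attested" only if Entra validated the attestation at registration
                AttestationLevel = $_.AttestationLevel
                CertThumbprints  = ($_.AttestationCertificates -join ", ")
                AllowedByPolicy  = $allowed
            }
        }
    }
}

# Apply an aaGuid allow list: the portal steps from the post, done via Graph.
function Set-Fido2AllowList {
    param(
        [Parameter(Mandatory)] [string[]] $AaGuids,
        [switch] $EnforceAttestation
    )
    $body = @{
        "@odata.type"         = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
        isAttestationEnforced = [bool]$EnforceAttestation
        keyRestrictions       = @{
            isEnforced      = $true
            enforcementType = "allow"
            aaGuids         = $AaGuids
        }
    }
    Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
        -AuthenticationMethodConfigurationId "Fido2" -BodyParameter $body
}

# --- usage: audit first, then apply -------------------------------------------
$policy = Get-Fido2PolicyState
$policy | Format-List

# The post's test user; for a tenant-wide audit use (Get-MgUser -All).UserPrincipalName
$audit = Get-Fido2KeyAudit -UserIds @("someuser@somedomain.onmicrosoft.com") -Policy $policy
$audit | Format-Table User, Model, AaGuid, AttestationLevel, AllowedByPolicy -AutoSize

# Keys that will show as "disabled" on mysignins once the allow list is enforced
$audit | Where-Object { -not $_.AllowedByPolicy }

# Uncomment to actually change the tenant policy:
# Set-Fido2AllowList -AaGuids $AllowedAaGuids
```

Run the audit against the current policy object, then again against a copy with the intended AaGuids and EnforcementType set, and you get the list of users who will lose their key before anyone is locked out. AttestationLevel is the field to watch when deciding on Enforce attestation: keys registered as notAttested are the ones whose aaGuid was never checked against a certificate chain.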
