Passkeys do not work with Microsoft 365
Comments
-
@OAW ,
Can you confirm whether you are opening this page in Safari? If yes then this is as David mentioned and Microsoft accounts do not support passkey creation and sign-in using Safari.
In this case you'll need to use another browser such as Chrome (I've tested using Edge and this works as well).
Selecting "Add a new way to sign in or verify" should present you with the following options:
From here you can follow the instructions provided by David to save your Microsoft passkey in 1Password.
Let me know how that goes.
Edit: some grammar correction.
0 -
@TimG1P It would appear I completely missed the “non-Safari” part in David’s reply. I do see that option in Edge … which I only keep installed as a backup for the rare occasion I encounter a website that doesn’t work in Safari. But I will just ignore the message in Watchtower now since I’m not going to switch browsers just to use a passkey on Microsoft sites. It’s just not that serious! Thanks for the assist.
0 -
Hey @OAW,
Thank you for your reply, please let us know if there's anything else we can help with at all.
0 -
Confirm that is still not working (chrome and safari) on October 22 2023
0 -
It is Oct 21 2023 now and the 1Password Chrome Extension + Passkey still does not work for Microsoft 365.
The way to reproduce:
- The system admin should have enabled FIDO2 in the "Authentication methods | Policies" at "Microsoft Entra Admin Center": https://entra.microsoft.com/
- Go to "Microsoft 365 My Sign-Ins > Security Info" at https://mysignins.microsoft.com/security-info
- Click "Add sign-in method"
- Select "Security key" in the dropdown menu, then click "Add":
- Click "USB Device", then click "Next":
- Microsoft 365 will redirect to a new page to setup the security key, where the 1Password Chrome Extensions popup will show up as expected. Save the passkey in the 1Password popup.
- After the passkey is saved in 1Password, the Microsoft 365 will redirect back to the last step:
- After typing in the name, click "Next". Microsoft 365 then will fail to save the Passkey:
1 -
Confirming I have the exact same problem following the steps sukka mentioned.
2 -
I'd say that, just like @wavesound mentioned, Microsoft stills doesn't support passkeys for work or school accounts in Microsoft 365, and that's what's causing the issue shown in detail in @sukka's post.
I went through exactly the same flow and got the same error earlier this year when I tried to register a physical security key which turned out to be incompatible. Once I had a key that was compatible, I was able to add it without issue.
Also, some other services, like Google, makes a clear difference between physical keys and passkeys already in the settings menu where you choose which method configure. I expect Microsoft to distinguish between the two by adding a method called Passkey in addition to the already present Security key method. It's just confusing to choose the Security key method and then choose between a USB device and NFC device when it's neither.
0 -
Confirming same issue as above.
Edge: Version 119.0.2151.44 (x64)
1Password for Windows 8.10.20 (81020020)
Windows 10 22H2, 11 22H2 and 11 22H3, all recent updates applied.0 -
Just hopping in to add my experience with this as well. Like others, I am unable to use iOS or MacOS (Safari) to add a passkey for my personal Microsoft account. Considering 1Password knows that I only use Apple devices, it would be nice to have the alert in 1Password to add a passkey removed until such a time as 1Password has verified support for my devices with the account in question! @steph.giles
0 -
"Beginning January 2024, Microsoft Entra ID will support device-bound passkeys stored on computers and mobile devices as an authentication method in public preview, in addition to the existing support for FIDO2 security keys. This enables your users to perform phishing-resistant authentication using the devices that they already have."
0 -
"Beginning January 2024, Microsoft Entra ID will support device-bound passkeys stored on computers and mobile devices as an authentication method in public preview, in addition to the existing support for FIDO2 security keys. This enables your users to perform phishing-resistant authentication using the devices that they already have."
0 -
"Beginning January 2024, Microsoft Entra ID will support device-bound passkeys stored on computers and mobile devices as an authentication method in public preview, in addition to the existing support for FIDO2 security keys. This enables your users to perform phishing-resistant authentication using the devices that they already have."
0 -
"Beginning January 2024, Microsoft Entra ID will support device-bound passkeys stored on computers and mobile devices as an authentication method in public preview, in addition to the existing support for FIDO2 security keys. This enables your users to perform phishing-resistant authentication using the devices that they already have."
1 -
This opens the question whether 1Password passkeys are considered device bound. Furthermore, how to determine the Authenticator Attestation GUID (AAGUID) needed to approve 1Password passkeys?
0 -
@leonardder https://support.yubico.com/hc/en-us/articles/360016648959-YubiKey-Hardware-FIDO2-AAGUIDs
Of course I haven't actually been successful in making this work (despite following the poorly worded guidance in the MS Article).
0 -
Confirming I am still unable to add a Passkey for my (work) Microsoft 365 account... The correct policies are enabled in Entra so I am not sure what the problem is...
1 -
In today's weekly digest for coming updates in Microsoft 365 there are two mentions of passkeys with some information on expected release windows and a bunch of other information.
For those that have access to the Microsoft 365 admin center, you can search for the two headers and MC numbers below and/or take a look at 182056 in their public roadmap. I've included the information in spoiler tags (for brevity) for those that don't have access to the admin center.
Microsoft Entra ID: Authentication strength improvements to support passkeys - MC718260
Summary
Conditional Access authentication strengths in Microsoft Entra ID will be improved to support registration of device-bound passkeys (defined at passkeys.dev) stored on computers, security keys, and mobile devices.
This message is associated with Microsoft 365 Roadmap ID 182056.
When this will happen:
Public Preview: We will begin rolling out early March 2024 and expect to complete by mid-March 2024.
Worldwide, GCC, GCC High, DoD: We will begin rolling out late April 2024 and expect to complete by early May 2024.
How this will affect your organization:
End user registration
Prior to this change, users who were in-scope for authentication strength enforcement who could not satisfy passkey (FIDO2) authentication requirements received an error message asking users to manually register the passkey (FIDO2) method.
With this rollout, in My Security Info, new registration options called Passkey (preview) and Passkey in Microsoft Authenticator (preview) will be shown to users who are interrupted to register a passkey (FIDO2) method to satisfy authentication strength requirements. Users that are required to register a passkey in Microsoft Authenticator will see a dedicated registration experience. Users whose organization requires specific passkeys from various vendors and manufacturers will be shown allowable AAGUIDS of the passkeys they can choose to register. No changes are expected to existing Conditional Access policies targeting security information registration.
Current:
New:
What you need to do to prepare:
For more information on changes to Microsoft Entra support for passkeys (FIDO2), please review our previous message center post MC690185: (Updated) Prepare for device-bound passkeys in Microsoft Entra ID (changes to FIDO2 and Windows Hello for Business), (November 2023).
No action is needed to prepare for this change. You may want to notify your users about this change and update any relevant documentation as appropriate.
(Updated) Prepare for device-bound passkeys in Microsoft Entra ID (changes to FIDO2 and Windows Hello for Business) - MC690185
Summary
Updated February 19, 2024: We have updated the rollout timeline below. Thank you for your patience.
Beginning mid-March 2024, Microsoft Entra ID will support device-bound passkeys stored on computers and mobile devices as an authentication method in preview, in addition to the existing support for FIDO2 security keys. This enables your users to perform phishing-resistant authentication using the devices that they already have.
We will be expanding the existing FIDO2 authentication methods policy and end user experiences to support this preview release. If your organization uses FIDO2 authentication or Windows Hello for Business, please continue reading to learn more and prepare for the upcoming changes.
Admin Configuration
In the Entra admin portal, we will be renaming “FIDO2 security keys” to “Passkeys (FIDO2)” within the authentication methods policy and Conditional Access authentication strengths policy.
For your organization to opt-in to this preview, you will need to enforce key restrictions to allow specified passkey providers in your FIDO2 policy. Here are the possible configuration states for FIDO2 key restrictions during the preview:
- No key restrictions (FIDO2 policy default): Tenant allows all security key models. Device-bound passkey providers on computers and mobile devices are not allowed.
- Key restrictions set to "Allow": Tenant only allows the explicitly added AAGUIDs. To enable a device-bound passkey provider, add their AAGUID(s) to the key restrictions list.
- Key restrictions set to "Block": Tenant blocks the explicitly added AAGUIDs and allows all other security key models. Device-bound passkey providers on computers and mobile devices are not allowed.
End User Registration Experience
In the My Security Info portal, a new registration option called "Passkey (preview)" will be shown to end users for registering a device-bound passkey on computers, mobile devices, or security keys.
*Towards the end of 2024, the existing security key registration option will be replaced by the newly introduced passkey option.
End User Sign-in Experience
The existing end user sign-in option for Windows Hello for Business and FIDO2 security keys will be renamed to “Face, fingerprint, PIN, or security key”. The term "passkey" will be mentioned in the updated sign-in experience to be inclusive of passkey credentials presented from security keys, computers, and mobile devices.
Text displayed to users today:
- “Sign in with Windows Hello or security key”
- "Sign in with a security key”
- "Signing in with Windows Hello or security key"
Text displayed to users in January 2024:
- “Face, fingerprint, PIN, or security key”
- "Signing in with a passkey"
0 -
@Backspaze Thanks for the updated information.
Does anyone know what 1Password's AAGUID is?
EDIT:
I believe 1Password's AAGUID is:
bada5566-a7aa-401f-bd96-45619a55120d
Sourced from here
0 -
I came across the same AAGUID.
Although we have now the option to select "passkey (preview)", it still errors when trying to add a passkey, no matter what kind.
2 -
Microsoft have confirmed on Reddit that this still isn't supported yet:
Passkeys in Entra IDCurrently you'll see the following error:
An unknown error occurred during passkey registration. Try again or contact your administrator for support.
This contradicts MC690185, it's all rather confusing.
0 -
I think the confusion comes from the different kind of passkey types: "Device-bound" (currently supported) and "Synced or multi-device" (not yet supported and 1password would be in this category).
I gave up hopes for now when I read this blog post where it's well explained:
https://www.corbado.com/blog/entra-passkeys#synced-passkeys-at-microsoft
1 -
Passkeys for Microsoft 365 will depend on a couple of factors - the main being where the authentication comes from at Microsoft. If this is coming from Entra (Work/School users) then the rollout for passkeys has been pushed several times since it was announced back in Sept '23... but the partially good news is that they have announced recently that they expect to globally rollout passkey support by end of the April '24 and be completed by May '24. The caveat is that Microsoft will only allow DEVICE-BOUND passkeys, so 1Password will continue to be rejected (as per the OP screenshot) as the 1Password passkey system is considered transportable (the AAGUID will be blocked by MS).
If your authentication is for a personal account, then passkey support has been available for some time, both device-bound (Yubico 5/ WebAuthn keys) as well as PWM-based passkeys.
Unfortunately, this is NOT a 1Password issue to resolve - it is how MS have specificialy/purposefully designed it; and nothing in any of the developer (or Entra ID) notices to admins suggest they are likely to support non-device-bound passkeys in a non-personal MS account any time soon.
1
