Configuring Microsoft EntraID for passwordless authentication with FX7

OneSpan's innovative FIDO2 passwordless technology allows users to securely sign in to Azure AD (Microsoft Entra ID) using a USB key, completely removing the need for traditional passwords. Once set up, users can effortlessly access their accounts and log onto their Windows devices (whether joined to EntraAD or Hybrid AD) with OneSpan’s FX7 FIDO2 security keys. This method ensures robust two-factor authentication by requiring both the physical security key and a PIN or biometric verification (such as a fingerprint) configured on the FIDO2 security keys.

This OneSpan guide offers step-by-step instructions for enabling OneSpan’s FX7 FIDO2 passkeys in EntraID and setting them as the default security measure for Microsoft 365 logins. Follow these steps to adopt a modern, passwordless authentication method and enhance your organization's security.

The Entra ID Admin center is available at https://entra.microsoft.com.

To enable Passkey (FIDO2)

1. Select Protection > Authentication Methods.

2. Click Passkey (FIDO2) settings.

3. Enable All Users.

4. Switch to the Configure tab.

Use the following configuration

• Allow self-service setup: YES

• Enforce attestation: YES

• Enforce key restrictions: YES

• Restrict specific keys: Allow

• Clear the Microsoft Authenticator box.

• Click Add AAGUID of the FX7 device.

  The AAGUID for the OneSpan FX7 is 30b5035e-d297-4ff7-b00b-addc96ba6a98.

Configure the authentication strengths

1. Select Protection > Authentication Methods.

2. Select Manage > Authentication Strengths.

3. Click New Authentication Strength to add a new authentication method and use the following configuration:

   • Name: Passkeys (FX7) Only

   • Check: Passkeys (FIDO2)

4. Under Advanced Options:

   • Click Add AAGUID and type 30b5035e-d297-4ff7-b00b-addc96ba6a98.

   • Click Save.

5. Select Temporary Access Pass (Multi-Use).

   • Click Next.

   • Click Save.

1. Sign in to the Microsoft Entra admin center as at least a security administrator.

2. Select Identity > Overview > Properties.

3. Click Manage security defaults.

   • Set Security defaults to Disabled.

   • Click Save.

Create a group for PasskeyOnly users

1. Select Users > Groups > All Groups.

2. Click New Group and use the following configuration:

   • Group Name: PasskeyOnly

   • Group Type: Security

3. Add users to the group that should use Passkeys Only for MFA.

Configure conditional access

1. Select Protection > Conditional Access.

2. Switch to Policies.

3. Click New Policy to create a new policy and use the following configuration:

   • Name: Require multifactor authentication for group passkeys only

   • Users: Select the PasskeyOnly group previously created.

4. Switch to Access Controls and configure:

   • Select Grant Access

   • Select Require Authentication Strength.

   • Select Passkeys (FX7) Only in the drop-down list.

   • Click Select.

   • Set Enable Policy to On.

   • Click Save.

Assign a temporary access pass to a user

1. Select Users > All Users.

2. Select a user account.

3. Switch to Authentication Methods.

4. Click Add Authentication Method to configure a new method and use the following configuration settings:

   • Choose Method: Temporary Access Pass

   • Set a duration value.

   • Set One-Time use according to your organizational policies.

5. Click Add.

User login and token registration process

1. The user will go to https://aka.ms/mysecurityinfo.

2. Sign in with the username and the temporary access pass (TAP).

3. Click Security Info.

4. Click Add sign-in method.

5. Select Security Key.

6. Register the security key and name it FX7 (for example).

   The user can now use an FX7 as a passwordless authentication method and can either delete the TAP or let it expire (depending on the settings).