This article provides instructions on assigning a FIDO2 passkey using PowerShell in EntraID. Follow these steps to simplify the registration process and boost security with automated, script-based passkey management.
Before you begin
Download the FIDO2 provisioning script for EntraID, available at github.com/wcl-onespan/msft-entra-id-powershell-fido2-provisioning-script. This is a PowerShell script that supports automated FIDO2 registration in Microsoft EntraID on behalf of other users.
Register the FIDO2 authenticators that you want to assign in EntraID (see Registering a passkey in Microsoft EntraID manually).
Assigning a passkey in EntraID using PowerShell
You can use the FIDO2 provisioning script for EntraID to assign a single user to an authenticator, or use it to assign multiple users to authenticators in bulk by providing a comma-separated values (CSV) file.
Option A: Assigning one passkey to one user
To assign one passkey to one user
Run the FIDO2 provisioning script to register the user:
Open a PowerShell prompt as a local administrative user.
Change to the folder where the script is located.
Run the following command:
.\entra-id-pre-provision-onespan-fx7.ps1 -TenantID tenant_id -UPN user_id -SerialID serial_number
Replace the following:
tenant_id. This is your Microsoft EntraID tenant ID.
user_id. The user principal name of the user, for example, user@domain.com.
serial_number. The serial number of the DIGIPASS FX7 authenticator.
The serialID will be the device's display name (DisplayName) in the user's M365 profile. It does not need to be unique for each user.
Enter the UPN of the user.
You will be prompted to log on to your M365 EntraID tenant.
Once you are logged on, the registration process will begin.
Plug the DIGIPASS FX7 authenticator into the USB-C port.
Select Security Key.
Register a PIN for the DIGIPASS FX7 authenticator.
Touch the DIGIPASS FX7 authenticator to confirm the registration.
Once the registration is complete, you will be prompted to verify the device by entering the PIN and touching the DIGIPASS FX7 authenticator again.
Once the process is complete, you will see a summary of the device registration.
The DIGIPASS FX7 authenticator is now registered and ready for use on that account.
Option B: Assigning multiple passkeys to multiple users
To assign multiple passkeys to multiple users in bulk
Create a list of all users and the respective FIDO2 authenticators that you want to assign. Store that list in a comma-separated values (CSV) file with two columns (UPN, serialID).
UPN,SerialID
user1@domain.com,FX7-12345678
user2@domain.com,FX7-87654321
Run the FIDO2 provisioning script to register the users in bulk:
Open a PowerShell prompt as a local administrative user.
Change to the folder where the script is located.
Run the following command:
.\entra-id-pre-provision-onespan-fx7.ps1 -TenantID tenant_id -CsvFilePath user_file
Replace the following:
tenant_id. This is your Microsoft EntraID tenant ID.
user_file. The path and name of the user CSV file you created in the first step.
Assign an authenticator:
Plug the DIGIPASS FX7 authenticator into the USB-C port.
Select Security Key.
Register a PIN for the DIGIPASS FX7 authenticator.
Touch the DIGIPASS FX7 authenticator to confirm the registration.
Once the registration is complete, you will be prompted to verify the device by entering the PIN and touching the DIGIPASS FX7 authenticator again.
Remove the DIGIPASS FX7 authenticator and prepare the next one.
The registration continues with the next user in the CSV file until there are no more users to process.
When you have registered all users in the CSV file, you will see a list of all the users along with their display names.
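Before running the bulk command in Option B, the CSV file can be checked for malformed rows so that a bad entry does not surface halfway through a batch of physical authenticators. The following pre-flight check is an added example, not part of the OneSpan provisioning script; the function name Test-PasskeyCsv, the sample file, and the rule that a UPN listed twice deserves review are assumptions.

```powershell
# Added example, not part of the OneSpan provisioning script.
# Checks the Option B CSV (columns: UPN, SerialID) before a bulk run.
function Test-PasskeyCsv {
    param([Parameter(Mandatory)][string]$CsvFilePath)
    $rows = @(Import-Csv -Path $CsvFilePath)
    $problems = [System.Collections.Generic.List[string]]::new()
    if ($rows.Count -eq 0) { $problems.Add('No data rows found.'); return $problems }
    # Both headers must be present; -notcontains compares case-insensitively.
    $columns = $rows[0].PSObject.Properties.Name
    foreach ($required in 'UPN', 'SerialID') {
        if ($columns -notcontains $required) { $problems.Add("Missing column: $required") }
    }
    if ($problems.Count -gt 0) { return $problems }
    $seen = @{}
    $n = 0   # data row counter, header not counted
    foreach ($row in $rows) {
        $n++
        $upn = "$($row.UPN)".Trim()
        $serial = "$($row.SerialID)".Trim()
        if ($upn -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
            $problems.Add("Row ${n}: '$upn' is not in user@domain.com form.")
        }
        if ([string]::IsNullOrWhiteSpace($serial)) {
            $problems.Add("Row ${n}: SerialID is empty for '$upn'.")
        }
        # Assumption: one authenticator per user per run, so a repeated UPN is flagged for review.
        $key = $upn.ToLowerInvariant()
        if ($seen.ContainsKey($key)) {
            $problems.Add("Row ${n}: review, '$upn' already appears in row $($seen[$key]).")
        } else { $seen[$key] = $n }
    }
    return $problems
}

# Constructed sample file: row 2 has no serial, row 3 repeats the user from row 1.
$csv = Join-Path ([System.IO.Path]::GetTempPath()) 'passkey-users-sample.csv'
@'
UPN,SerialID
user1@domain.com,FX7-12345678
user2@domain.com,
user1@domain.com,FX7-87654321
'@ | Set-Content -Path $csv
$issues = @(Test-PasskeyCsv -CsvFilePath $csv)
if ($issues.Count) { $issues | ForEach-Object { Write-Warning $_ } }
else { Import-Csv -Path $csv | Format-Table UPN, SerialID }
```

When the file is clean, the table printed at the end lists the users in CSV order, which is the order in which the authenticators are requested during the bulk run.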
Next steps
If you haven’t done so already, provide the DIGIPASS FX7 authenticators to your users. They can immediately start using the authenticators during logon to EntraID-connected applications.