Pre-registering multiple passkeys in Microsoft EntraID using PowerShell and CSV


This guide offers detailed instructions for registering multiple FIDO2 passkeys using PowerShell in EntraID. Follow these steps to streamline the registration process and enhance security with automated, script-based passkey management.

Before you begin

Download the FIDO2 pre-provisioning script for EntraID, available at github.com/wcl-onespan/msft-entra-id-powershell-fido2-pre-provision-keys. This is a PowerShell script that supports automated FIDO2 credential management for Microsoft EntraID.

Pre-registering multiple passkeys in Microsoft EntraID

Pre-registering multiple passkeys in Microsoft EntraID includes the following steps:

  1. Generate FIDO2 credential challenges for pre-provisioning. The FIDO2 credential challenges are used by OneSpan to prepare the FIDO2 authenticators for your users.

  2. Register pre-provisioned FIDO2 keys in Microsoft EntraID. The FIDO2 keys are imported and associated with the respective users.

Step 1: Generate FIDO2 credential challenges for pre-provisioning

  1. Create a list of all users for whom you want to import FIDO2 authenticators. Store that list in a comma-separated values (CSV) file with one column (userPrincipalName).

  2. Run the FIDO2 pre-provisioning script to generate the FIDO2 credential challenges:

    1. Open a PowerShell prompt.

    2. Change to the folder where the script is located.

    3. Run the following command:

      .\entra-id-pre-provision-keys-onespan-fx7.ps1 -Mode generate-challenges -TenantId tenant_id -CsvPath "user_file" -OutputPath "output_file"

      Replace the following:

      • tenant_id. This is your Microsoft EntraID tenant ID.

      • user_file. The path and name of the user CSV file you created in the first step.

      • output_file. The path and name of the credential output file to be created.

      The script creates a list of user numbers and credential challenges (output_file). Note that the credential challenges expire after 30 days.

  3. Submit your order to OneSpan and include the credential challenges created by the script within 30 days. Afterward, you can safely delete the user file (user_file) and the credential challenges file (output_file).

    Once your order has been processed, you will receive pre-provisioned credentials that you can register in EntraID. Continue with the next procedure.

    FIDO2 credential files contain sensitive information. Store them in a secure location until you use them in the next procedure.
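    The user CSV is the only input you author yourself in this procedure, so it is worth checking before generating challenges: a wrong header, a blank row, or a duplicate UPN means a wasted challenge or a user who never receives a key. The following PowerShell is an added example and is not part of the OneSpan script or of this guide; the only fact it takes from the page is the single column name userPrincipalName. The file name, the constructed sample users, and the coarse UPN pattern are placeholders to adapt.

```powershell
# Added example (not the OneSpan script): build the single-column user CSV and
# validate it before passing it as user_file to -Mode generate-challenges.
# Assumptions: header must be exactly "userPrincipalName" (from the guide);
# the path, sample users and UPN pattern below are placeholders.

$CsvPath = ".\fido2-users.csv"   # placeholder for user_file

# Constructed sample rows; in practice export these from your directory.
# The third row is a deliberate duplicate so the validator has something to report.
$users = @(
    [pscustomobject]@{ userPrincipalName = 'alice@contoso.example' },
    [pscustomobject]@{ userPrincipalName = 'bob@contoso.example' },
    [pscustomobject]@{ userPrincipalName = 'Alice@contoso.example' }
)
$users | Export-Csv -Path $CsvPath -NoTypeInformation -Encoding UTF8

function Test-Fido2UserCsv {
    # Returns a list of problems found; an empty result means the file is ready to use.
    param([Parameter(Mandatory)][string]$Path)

    $problems = [System.Collections.Generic.List[string]]::new()
    $rows = @(Import-Csv -Path $Path)
    if ($rows.Count -eq 0) {
        $problems.Add("CSV has no data rows")
        return $problems
    }

    # 1. The script expects one column with the documented header name.
    $columns = @($rows[0].PSObject.Properties.Name)
    if ($columns.Count -ne 1 -or $columns[0] -ne 'userPrincipalName') {
        $problems.Add("Expected a single column named 'userPrincipalName', found: $($columns -join ', ')")
    }

    # 2. Every row must carry a plausible, unique UPN (case-insensitive comparison).
    $upnPattern = '^[^@\s]+@[^@\s]+\.[^@\s]+$'   # coarse sanity check, not full RFC validation
    $seen = @{}
    for ($i = 0; $i -lt $rows.Count; $i++) {
        $line = $i + 2   # file line number; the header is line 1
        $upn = [string]$rows[$i].userPrincipalName
        if ([string]::IsNullOrWhiteSpace($upn)) {
            $problems.Add("Line ${line}: empty userPrincipalName")
            continue
        }
        if ($upn -notmatch $upnPattern) {
            $problems.Add("Line ${line}: '$upn' does not look like a UPN")
        }
        $key = $upn.Trim().ToLowerInvariant()
        if ($seen.ContainsKey($key)) {
            $problems.Add("Line ${line}: '$upn' duplicates line $($seen[$key])")
        } else {
            $seen[$key] = $line
        }
    }
    return $problems
}

$issues = @(Test-Fido2UserCsv -Path $CsvPath)
if ($issues.Count -eq 0) {
    Write-Host "CSV is ready: $((Import-Csv -Path $CsvPath).Count) users"
} else {
    $issues | ForEach-Object { Write-Warning $_ }
}
```

With the constructed sample the validator warns that line 4 duplicates line 2; remove the duplicate (or fix the header if that is what it reports) and re-run until no issues remain before invoking the pre-provisioning script. Duplicates are compared case-insensitively because the same account should not receive two challenges.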

Step 2: Register pre-provisioned credentials in EntraID

  1. Run the FIDO2 pre-provisioning script to register the FIDO2 credential challenges:

    1. Open a PowerShell prompt as an administrative user.

    2. Change to the folder where the script is located.

    3. Run the following command:

      .\entra-id-pre-provision-keys-onespan-fx7.ps1 -Mode register-credentials -TenantId tenant_id -CsvPath "credential_file" -Force

      Replace the following:

      • tenant_id. This is your Microsoft EntraID tenant ID.

      • credential_file. The path and name of the credential file that you have received from OneSpan.

    4. You will be prompted to log on to your M365 EntraID tenant.

    5. Once you are logged on, the registration process will begin.

  2. Register an authenticator:

    1. Plug the DIGIPASS FX7 authenticator into the USB-C port.

    2. Select Security Key.

    3. Register a PIN for the DIGIPASS FX7 authenticator.

    4. Touch the DIGIPASS FX7 authenticator to confirm the registration.

      Once the registration is complete, you will be prompted to verify the device by entering the PIN and touching the DIGIPASS FX7 authenticator again.

    5. Remove the DIGIPASS FX7 authenticator and prepare the next one.

      The registration continues with the next user in the CSV file until there are no more users to process.

    Once all users in the CSV have been registered, you will see a list of all of the users along with their display names.

  3. Delete the FIDO2 credentials file (credential_file) and any copies of it, as it contains sensitive information and is no longer needed.

Next steps

  • If you haven’t done so already, provide the DIGIPASS FX7 authenticators to your users. They can immediately start using the authenticators during logon to EntraID-connected applications.