Public preview: Microsoft Entra ID FIDO2 provisioning APIs

Today I'm excited to announce a great new way to onboard employees with admin provisioning of FIDO2 security keys (passkeys) on behalf of users.

Our customers love passkeys as a phishing-resistant method for their users, but some were concerned that registration was limited to users registering their own security keys. Today we’re announcing the new Microsoft Entra ID FIDO2 provisioning APIs that empowers organizations to handle this provisioning for their users, providing secure and seamless authentication from day one.

While customers can still deploy security keys in their default configuration to their users, or allow users to bring their own security keys which requires self-service registration by a user, the APIs allow keys to be pre-provisioned for users, so users have an easier experience on first use.

Adopting phishing-resistant authentication is critical - attackers have increased their use of Adversary-in-the-Middle (AitM) phishing and social engineering attacks to target MFA-enabled users. Phishing-resistant authentication methods, including passkeys, certificate-based authentication (CBA), and Windows Hello for Business, are the best ways to protect from these attacks.

Phishing-resistant authentication is also a key requirement of Executive Order 14028 which requires phishing-resistant authentication for all agency staff, contractors, and partners. While most federal customers use preexisting smartcard systems to achieve compliance, passkeys provide a secure alternative for their users looking for improved ways to securely sign in. With today’s release of admin provisioning, they also have a simplified onboarding process for users.

With the Microsoft Entra ID FIDO2 provisioning APIs organizations can build their own admin provisioning clients, or partner with one of the many leading credential management system (CMS) providers who have integrated our APIs in their offerings.

Tim Larson, Senior Product Manager on Microsoft Entra, will now walk you through this new capability that will help in your transition towards phishing-resistant multifactor authentication (MFA).

Thanks, and please let us know your thoughts!

Alex Weinert

Hello everyone,

Tim here from the Microsoft Entra product management team. I’m excited to share with you our new passkey (FIDO2) provisioning capabilities in Entra ID!

Back in May we shared how we’re expanding passkey support in Microsoft Entra ID with the addition of device-bound passkey support in Microsoft Authenticator. As part of our commitment to provide more passkey capabilities we’ve enhanced our passkey (FIDO2) credential APIs to make onboarding security keys for users more convenient.

How does it work?

With the enhancements made to our passkey (FIDO2) credential APIs you can now request WebAuthn creation options from Entra ID and use the returned data to create and register passkey credential on behalf of a user.

To simplify this process, three (3) main steps are required to register a security key on behalf of a user.

Request creationOptions for a user: Entra ID will return the necessary data for your client to provision a passkey (FIDO2) credential. This includes information like user information, relying party, credential policy requirements, algorithms, and more.
Provision the passkey (FIDO2) credential with the creationOptions: Using the creationOptions utilize a client or script which supports the Client to Authenticator Protocol (CTAP), to provision the credential. During this step you’ll need to insert a security key and set a PIN.
Register the provisioned credential with Entra ID: Utilizing the output from the provisioning process, provide Entra ID with the necessary data to register the passkey (FIDO2) credential for the targeted user.

Build your own app or use a CMS vendor offering

In addition to providing the tools above, Microsoft has also collaborated with 10 leading vendors in the CMS space to integrate the new FIDO2 provisioning APIs. These vendors have rigorously tested and are fully knowledgeable in the new APIs, and are available to help you in your provisioning journey if creating your own integration isn’t something you want to do.

This partnership underscores our commitment to delivering a secure and interoperable ecosystem for our customers. These vendors represent a diverse range of CMS solutions, each bringing unique insights and expertise to the table. Their involvement has been instrumental in ensuring that the APIs are robust, versatile, and ready for real-world challenges.

As we roll out the public preview, we are proud to announce that these vendors have pledged their support, integrating the APIs into their platforms. This collaboration not only enhances the security landscape but also paves the way for seamless adoption across various industries.

What’s next?

This public preview is the next step in our passkey journey and we’re gearing up for even more passkey (FIDO2) provisioning features. We’re looking forward to building provisioning capabilities into the Entra admin center which will empower help desk and other admins the ability to directly provision FIDO2 security keys for users.

To learn more about everything discussed here, check out how to enable passkeys (FIDO2) for your organization and review our Microsoft Graph API documentation. Reach out to your preferred CMS provider to learn more about their integrations with the Microsoft Entra ID FIDO2 Provisioning APIs.

Thanks,

Tim Larson

Read more on this topic

Public preview: Expanding passkey support in Microsoft Entra ID - Microsoft Community Hub

Learn more about Microsoft Entra

Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds.

Published on: August 07, 2024

Learn more

Azure Active Directory Identity Blog articles

Blog image