Unable to create a passkey at Microsoft

For a personal account using login.live.com, adding a passkey is perfectly fine, but at entra.microsoft.com and myaccount.microsoft.com I am able to go through all of the steps, and when it comes to naming the entry it always fails (see below).

I have successfully added passkeys using a Yubico FIDO2 hardware key. I have been able to create and store passkeys in all my online accounts, except at Microsoft (O365/M365/Entra).

[image: screenshot of the failure described above]

Lots of posts about passkeys not showing up, or not appearing once added, in various MS services, but nothing much about being unable to add a passkey when other security keys work perfectly fine.

Tried:

  • Different user account
  • On a different tenant
  • Via MyAccount, and
  • As Global Admin, directly via the Entra AD console

Bug? Or am I missing something?


Are you logging into a Windows account with Hello?

Via a domain account, usually using a Hello biometric. Are you suggesting I log in with the account password instead?

I don’t know, but I understand Windows only supports passkey creation using Windows Hello. But your case may be different.

Tried a non-AD account which does not even have Hello configured; same problem. Moved on to a VM with Windows Hello disabled entirely, and still the problem persists. Doesn't work on Android, iOS or macOS either.

Seems there is a more deep-seated issue at play.

Note to self: don’t use the back button and pay attention. Apologies for double posting.

Microsoft being as big as it is, I’d bet you’d find the answer on how to set it up on one of their support forums. Might try that and see if you get help.

Went there too… the usual copy-and-paste net warriors with nothing to suggest other than resetting and reconfiguring the entire 2FA setup (which was the first and most obvious thing to try when using MS AD 😄). And still no joy.


Seems it's MS being very picky. Now tried:

  • NordPass
  • Apple Keychain
  • 1Password

And none of them will work with Entra / MS AD. Seems a wallet passkey is for the personal user only. For corporate users, it has to be a physical key.

Article Link

Despite being slated for January 2024 - implementation / rollout is still pending.


Interesting! Passkeys are still an evolving technology that has a ways to go before being fully standardized, so I will pass this information on to our team so we can keep an eye out. 👀

Just to confirm that the Bitwarden AAGUID is:

d548826e-79b4-db40-a3d8-11116f7e8349

Update:
Seems the latest unofficial update is that the passkey rollout has been pushed: January >> end of February >> mid-March >> April (-ish)
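The thread quotes the Bitwarden AAGUID and a list of other useful AAGUIDs, and the observed behaviour (hardware keys register, wallet passkeys do not) is what an AAGUID-based authenticator allow-list looks like from the user's side. The example below is added here and is not code from the thread, Bitwarden or Microsoft; it shows where the AAGUID sits in the WebAuthn authenticatorData a relying party receives at registration, how to extract it, and how an allow-list check then accepts or rejects the credential. The RP IDs, credential ID and the "allowed" AAGUID are constructed values for the example; only the Bitwarden AAGUID is taken from the thread.

```python
# Added example (not from the thread): extract the authenticator's AAGUID from
# a WebAuthn registration and check it against an allow-list, which is how a
# relying party restricts which authenticator models may register.
import hashlib
import struct
import uuid

# Authenticator data layout (WebAuthn Level 2, section 6.1):
#   rpIdHash             32 bytes  SHA-256 of the RP ID
#   flags                 1 byte   bit 0 UP, bit 2 UV, bit 6 AT, bit 7 ED
#   signCount             4 bytes  big-endian
#   attestedCredentialData (present only when the AT flag is set):
#     aaguid             16 bytes  identifies the authenticator model
#     credentialIdLength  2 bytes  big-endian
#     credentialId        credentialIdLength bytes
#     credentialPublicKey CBOR-encoded COSE key (remainder of the data)
FLAG_UP = 0x01
FLAG_UV = 0x04
FLAG_AT = 0x40

# AAGUID quoted in the thread for Bitwarden's passkey provider.
BITWARDEN_AAGUID = uuid.UUID("d548826e-79b4-db40-a3d8-11116f7e8349")
# Constructed for this example: stands in for a model the RP accepts.
# It is not a real vendor value.
EXAMPLE_ALLOWED_AAGUID = uuid.UUID("00000000-0000-0000-0000-0000000000a1")


def build_authenticator_data(rp_id, aaguid, credential_id,
                             flags=FLAG_UP | FLAG_UV | FLAG_AT, sign_count=0):
    """Construct authenticatorData bytes the way an authenticator does at
    registration. The public key is an empty CBOR map (0xa0) because this
    example never decodes it."""
    data = hashlib.sha256(rp_id.encode()).digest()
    data += bytes([flags])
    data += struct.pack(">I", sign_count)
    if flags & FLAG_AT:
        data += aaguid.bytes
        data += struct.pack(">H", len(credential_id))
        data += credential_id
        data += b"\xa0"
    return data


def parse_aaguid(auth_data):
    """Return the AAGUID as uuid.UUID, or None when the AT flag is clear."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than the fixed 37-byte header")
    flags = auth_data[32]
    if not flags & FLAG_AT:
        return None
    if len(auth_data) < 37 + 16 + 2:
        raise ValueError("AT flag set but attested credential data is truncated")
    return uuid.UUID(bytes=auth_data[37:53])


def registration_decision(auth_data, rp_id, allowed_aaguids):
    """Checks an RP makes before storing a new credential.
    Returns (accepted, reason)."""
    if hashlib.sha256(rp_id.encode()).digest() != auth_data[:32]:
        return False, "rpIdHash does not match this RP"
    if not auth_data[32] & FLAG_UP:
        return False, "user presence not asserted"
    aaguid = parse_aaguid(auth_data)
    if aaguid is None:
        return False, "registration carries no attested credential data"
    if aaguid not in allowed_aaguids:
        return False, f"authenticator model {aaguid} is not on the allow-list"
    return True, f"authenticator model {aaguid} accepted"


if __name__ == "__main__":
    cred_id = b"\x01" * 16  # constructed credential ID
    reg = build_authenticator_data("example.com", BITWARDEN_AAGUID, cred_id)
    print(parse_aaguid(reg))
    print(registration_decision(reg, "example.com", {EXAMPLE_ALLOWED_AAGUID}))
    print(registration_decision(reg, "example.com",
                                {EXAMPLE_ALLOWED_AAGUID, BITWARDEN_AAGUID}))
```

Two caveats a practitioner would want: the AAGUID is only as trustworthy as the attestation statement that accompanies it (a self-attested registration can claim any AAGUID, so a real RP verifies the attestation certificate chain before trusting the value), and an all-zero AAGUID is what an authenticator reports when it does not identify its model at all, so it should never be placed on an allow-list.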

I’ve been waiting for the update in Entra, to enable passkey support for our users too.

MC690185 in the Microsoft Admin Message Center (https://admin.cloud.microsoft/?ref=MessageCenter/:/messages/MC690185) had official info about it, but the last update was mid-Feb, saying it'd be available mid-March.

There’s also MC718260 which was updated at end of Feb to say:

Public Preview: We will begin rolling out early March 2024 and expect to complete by mid-March 2024.

Worldwide, GCC, GCC High, DoD: We will begin rolling out late April 2024 and expect to complete by early May 2024.

Not sure if either of those two links is public, but there's also the roadmap item at Microsoft 365 Roadmap | Microsoft 365 that might be


@EionRobb, welcome to the community and thanks for the pointer.

This is the critical bit:

Microsoft Entra ID will add support for device-bound passkeys stored on computers and mobile devices as an authentication method in preview, in addition to the existing support for FIDO2 security keys.

Bitwarden, Apple, and most others allow syncable Passkeys; Microsoft seems dead-set on device-bound.

Same issue: I was able to inconsistently get the registration process started and save the key to Bitwarden, but when entering a name for the key I get the same error.

Also, the Passkey popup does not show up consistently and is intercepted by the USB handler on Chrome and Edge.

FYI for a list of other useful AAGUIDs >>>

I’ve tried adding Bitwarden passkeys again today; still nothing.

Following in the hope it “starts to work at some point”.

I’ve also started experimenting with this and have been unable to configure Bitwarden or iCloud/iOS to use passkeys. I get to the end of the process, then receive the same error message alcyone7 posted. I did get Windows Authenticator configured to use passkeys, as well as Yubikey (Yubikey is a “Microsoft-compatible security key vendor” listed here → https://learn.microsoft.com/en-us/entra/identity/authentication/concept-fido2-hardware-vendor#current-partners).

The article EionRobb referenced talks about an upcoming naming convention change in the Entra ID authentication methods portal (renaming “FIDO2 security keys” to “Passkeys (FIDO2)”), but that name change has not happened in my portal yet, so I assume support for device-bound passkeys (i.e. mobile apps that are not Microsoft Authenticator) has not happened yet either.

Seems like they are on the cusp of enabling this but have not for some reason. I hear the big software vendors (Microsoft, Apple, Google, etc.) are all trying to co-opt passkey technology and platform-lock users into their own respective products; my gut feeling is that that is what’s happening here.

Or it is supported and I’m just not doing it right; that’s a possibility too, ha.


I think it’s the former, in that support just isn’t quite there yet.

Microsoft Entra ID will add support for device-bound passkeys stored on computers and mobile devices as an authentication method in preview, in addition to the existing support for FIDO2 security keys.

Bitwarden, Apple, and most others allow syncable Passkeys; Microsoft seems dead-set on device-bound

Interesting, I was about to create a thread on this exact issue, with the error: Additional details

Correlation ID:15062bd4-92a7-4985-a14a-c6b430b069f0

I was not aware it was Microsoft hard blocking the functionality, sucks.

More optimistic news has surfaced since my earlier comment:
