Unable to create a passkey at Microsoft

For a personal account using login.live.com adding a passkey is perfectly fine, but at entra.microsoft.com and myaccount.microsoft.com, I am able to go through all of the steps, but when it comes to naming the entry - it always fails (see below).

I have successfully added passkeys using a Yubico FIDO2 hardware key. I have been able to create and store passkeys in all my online accounts, except at Microsoft (O365/M365/Entra).

image

Lots of posts about passkeys not showing up - or not appear once added in various MS services… but nothing much about being unable to add a passkey, when other security keys work perfectly fine.

Tried:

  • Different user account
  • On a different tenant
  • Via MyAccount and,
  • Global Admin via Entra AD console direct

Bug? Or am I missing something?

2 Likes

Are you logging into a Windows account with Hello?

Via a domain account, usually using a Hello biometric. Suggesting I log in with the account password instead?

I don’t know, but I understand Windows only supports passkey creation using Windows Hello. But your case may be different.

Tried a non-AD account which does not even have Hello configured - same problem. Moved on to a VM with Windows Hello disabled entirely - and still the problem persists. Doesn’t work on Android, iOS or MacOS either.

Seems there is a more deep-seated issue at play.

Note to self: don’t use the back button and pay attention. Apologies for double posting.

Microsoft being as big as it is, I’d bet you’d find the answer on how to set it up on one of their support forums. Might try that and see if you get help.

Went there too… the usual copy and paste net warriors with nothing else to suggest than to reset and reconfigure the entire 2FA setup (which was the first and most obvious thing when using MS AD :smile:). And still no joy.

1 Like

Seems its MS being very picky. Now tried:

  • NordPass
  • Apple Keychain
  • 1Password

And none of them will work with Entra / MS AD. Seems a wallet passkey is for the personal user only. For corporate users, it has to be a physical key.

Article Link

Despite being slated for January 2024 - implementation / rollout is still pending.

1 Like

Interesting! Passkeys are still an evolving technology that has a ways to go before being fully standardized, so I will pass this information on to our team so we can keep an eye out. :eyes:

Just to confirm that the Bitwarden AAGUID is:

d548826e-79b4-db40-a3d8-11116f7e8349

Update:
Seems the latest unofficial update is that the passkey rollout has been pushed: January >> end of February >> mid-March >> April (*ish)

I’ve been waiting for the update in Entra, to enable passkey support for our users too.

MC690185 in the Microsoft Admin Message Center https://admin.cloud.microsoft/?ref=MessageCenter/:/messages/MC690185 had official info about it, but the last update was mid-Feb saying it’d be available mid-March

There’s also MC718260 which was updated at end of Feb to say:

Public Preview: We will begin rolling out early March 2024 and expect to complete by mid-March 2024.

Worldwide, GCC, GCC High, DoD: We will begin rolling out late April 2024 and expect to complete by early May 2024.

Not sure if either of those two links are public, but there’s also the roadmap item at Microsoft 365 Roadmap | Microsoft 365 that might be

1 Like

@EionRobb, welcome to the community and thanks for the pointer.

This is the critical bit:

Microsoft Entra ID will add support for device-bound passkeys stored on computers and mobile devices as an authentication method in preview, in addition to the existing support for FIDO2 security keys.

Bitwarden, Apple, and most others allow syncable Passkeys; Microsoft seems dead-set on device-bound.

Same issue, I was able to inconsistently get the registration process started and save the key to Bitwarden but when entering a name for the key, I get the same error.

Also, the Passkey popup does not show up consistently and is intercepted by the USB handler on Chrome and Edge.