Any updates on this topic?
Specifically @DanBesten’s latest post:
Tried the other week, still no joy.
Non-365/corporate accounts are fine. Guess it’s just final security checks etc.
Quite frustrating that Microsoft doesn’t support this.
Any way to put pressure on them or request the feature?
@vbonnet Welcome to the forum!
You can try the Microsoft Feedback Hub:
With my work Microsoft 365 account, it seems to succeed until the very last step where I get this error.
I don’t see the error message at the “name” step but I was able to select the “Security key or passkey” option (see below) rather than just “Security key”.
Still waiting on Microsoft to add support I think, sadly. Really annoying!
Public preview: Expanding passkey support in Microsoft Entra ID | Microsoft Community Hub
I guess it’s weird to make the option available if it doesn’t work though.
It’s in Microsoft “preview”, it does work, just not with all 3rd party providers (BitWarden etc) – yet…
Still nothing… Error after naming the passkey
Still waiting on Microsoft to allow it.
Not sure if it has been said, but I know for certain that Azure only allows physical passkeys, not syncable passkeys.
I’m assuming the same is with regular (personal) Microsoft accounts.
Yeah, personal accounts work ok with Bitwarden Passkeys.
It’s just the Business/Azure accounts, which as you say, don’t yet support syncable passkeys.
Sidenote: I changed the title from “Unable to create a passkey at Microsoft” to “Unable to create a (syncable) passkey at Microsoft (for non-personal accounts)” to make the subject more clear…
The issue is that Entra (the underlying tech here) does not yet currently support passkeys that can be synced across devices (iCloud, Bitwarden, password managers etc.). Enterprises are paranoid and tend to want the passkey to be tied to a specific corporate registered device, and Microsoft is enforcing that by forcing you to store your device-bound passkey in Azure Authenticator. The reason the USB based key option may or may not work is that the org policy can be set to block the registration of keys not made by a specific manufacturer that the org wants to give out.
In order for this to work:
(Microsoft needs to add support for synced passkeys. (they may only support certain known good approved apps)
and
Your Organizational policy needs to allow synced passkeys )
OR
(Bitwarden needs to impersonate a usb device.
AND
Your Organizational policy needs to not block based on approved usb hardware vendors)
@sj-bitwarden I would love for Bitwarden to open a dialogue with Microsoft about becoming an “Approved” passkey source for Entra.
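The post above describes two separate checks a relying party like Entra can make at registration: whether the credential is syncable, and whether it comes from an approved authenticator vendor. WebAuthn exposes exactly that information in the authenticator data: the BE (backup eligible) and BS (backup state) flag bits mark a synced passkey, and the AAGUID identifies the authenticator model. The following is an added example, not code from Microsoft, Bitwarden or this thread; it parses authenticator data and applies a "device-bound only, approved AAGUIDs only" policy. The AAGUID values, the relying party id `login.example.com` and the sample records are constructed for the demonstration, and the real Entra policy logic is not public.

```python
import hashlib
import struct
import uuid

# Flag bits of the WebAuthn authenticator data "flags" byte (WebAuthn spec, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: the credential may be synced between devices
FLAG_BS = 0x10  # backup state: the credential is currently backed up (synced)
FLAG_AT = 0x40  # attested credential data (AAGUID + credential id + key) follows
FLAG_ED = 0x80  # extension data follows

# Hypothetical AAGUIDs chosen for this example only; real authenticators use their own values.
HARDWARE_AAGUID = uuid.UUID("11111111-2222-4333-8444-555555555555")
SYNCED_AAGUID = uuid.UUID("aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee")


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse the fixed 37-byte header and, if the AT flag is set, the attested credential data."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    info = {
        "rp_id_hash": auth_data[:32],
        "flags": flags,
        "backup_eligible": bool(flags & FLAG_BE),
        "backup_state": bool(flags & FLAG_BS),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "aaguid": None,
        "credential_id": None,
    }
    # BS without BE is invalid: a credential cannot be backed up if it is not eligible for backup.
    if info["backup_state"] and not info["backup_eligible"]:
        raise ValueError("BS flag set without BE flag")
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        info["aaguid"] = uuid.UUID(bytes=auth_data[37:53])
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        if len(auth_data) < 55 + cred_len:
            raise ValueError("credential id truncated")
        info["credential_id"] = auth_data[55:55 + cred_len]
        # The COSE public key follows the credential id; it is not needed for this policy check.
    return info


def registration_decision(auth_data: bytes, allowed_aaguids=None, allow_synced=False) -> str:
    """Registration policy of the kind the thread describes: device-bound only, optional vendor allow list."""
    info = parse_authenticator_data(auth_data)
    if info["aaguid"] is None:
        return "reject: no attested credential data in registration"
    if info["backup_eligible"] and not allow_synced:
        return "reject: synced (backup-eligible) passkey not permitted by policy"
    if allowed_aaguids is not None and info["aaguid"] not in allowed_aaguids:
        return f"reject: AAGUID {info['aaguid']} is not on the approved authenticator list"
    return "accept"


def build_sample_auth_data(rp_id: str, flags: int, aaguid: uuid.UUID,
                           credential_id: bytes, sign_count: int = 0) -> bytes:
    """Construct authenticator data for the demonstration; this is not output from a real authenticator."""
    header = (hashlib.sha256(rp_id.encode()).digest()
              + bytes([flags | FLAG_AT])
              + struct.pack(">I", sign_count))
    # A real record carries a CBOR-encoded COSE key here; an empty CBOR map stands in for it.
    placeholder_cose_key = b"\xa0"
    return header + aaguid.bytes + struct.pack(">H", len(credential_id)) + credential_id + placeholder_cose_key


# Constructed samples: a device-bound hardware key and a synced (backup-eligible, backed-up) passkey.
DEVICE_BOUND_SAMPLE = build_sample_auth_data("login.example.com", FLAG_UP | FLAG_UV,
                                             HARDWARE_AAGUID, b"\x01" * 16, sign_count=7)
SYNCED_SAMPLE = build_sample_auth_data("login.example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS,
                                       SYNCED_AAGUID, b"\x02" * 16)

if __name__ == "__main__":
    for label, sample in (("device-bound", DEVICE_BOUND_SAMPLE), ("synced", SYNCED_SAMPLE)):
        print(label, "->", registration_decision(sample, allowed_aaguids={HARDWARE_AAGUID}))
```

Run as written, the device-bound sample is accepted and the synced sample is rejected on its BE flag before the AAGUID list is even consulted; passing `allow_synced=True` flips the first condition in the post ("Microsoft needs to add support for synced passkeys"), while the AAGUID allow list models the second ("org policy needs to not block based on approved hardware vendors"). A password manager that set BE and BS honestly would therefore be refused by such a policy regardless of which AAGUID it reports.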
As of today Microsoft is still blocking this on our Azure AD tenant. I have noticed that when I registered a new security key today using a Yubico key it now shows as device-bound on my account. My other Yubico key that I registered a year ago does not show that, so I may re-register it.
Hopefully soon Microsoft will allow this or at least let the Office 365 admins know how this can be changed via policy on the tenant to allow it. I’m the Office 365 admin on our tenant. I will see if there is a setting that I can change.
Created a Feature Request for “Device Bound” Passkeys.
Why is this still not working? It’s really bad to be forced to rely on a separate device for 2FA…
You’re posting in the wrong forum. It’s a Microsoft issue/restriction/limitation, not BW.