Unable to create a (syncable) passkey at Microsoft (for non-personal accounts)

Here:

Ok, technically that is an answer… But I meant in documentation/support articles/blog posts/wherever else people would be looking for such information.

Google search cannot find the AAGUID published on the bitwarden.com domain (other than in a few Community Forum threads, such as this one), but it has been documented by several third parties:

Huzzah! Finally! Just in time for Christmas…

Microsoft recently announced the Public Preview of Synced Passkeys. Prior to this announcement, Microsoft only supported Passkeys that were tied to a device (Device Bound) and did not support the use of Passkeys which could be synchronised between platforms such as Bitwarden, 1Password or platforms without Microsoft Authenticator.

I know from being present here that people are crying out for this. So, in this guide, I’ll show you how to configure Entra ID Authentication Methods to utilise Preview Authentication Profiles and enable Synced Passkeys. After which, I’ll demonstrate how to utilise Bitwarden to host a Passkey and use it across multiple devices.

Adding a Bitwarden Synced Passkey to an Entra ID account – James Vincent

3 Likes

Oh! This is most excellent! I followed your guide and was able to add (synced) passkey to my Bitwarden. :grin:

Now comes the question about “best practices”. We don’t have any strict compliance obligations, but should I just enable synced passkeys on the default profile or create a separate profile just for Bitwarden? :thinking: Although if some of our employees use 1Pass or Dash or whatever else, I wouldn’t mind that either… The more people stop using passwords the better.

It’s an MS preview feature, so hold fire on getting too excited and rolling it into production.

I’d say for now:

  • Identify small groups of pilot users and target the ‘synced passkey’ profile to them by targeting a security group with your pilot users in.
  • Make use of the AAGUID filter and add in only the IDs of the vendors you want to allow; 1Pass, etc.
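As an added illustration (not code from this thread, from Bitwarden, or from Microsoft), the snippet below shows what an AAGUID filter is actually matching on: it parses WebAuthn authenticator data from a registration, pulls out the 16-byte AAGUID, and checks it against an allow list while normalising the dashed, undashed and upper/lower-case forms in which vendors publish these IDs. The AAGUID and credential bytes are constructed placeholders, not Bitwarden’s real AAGUID.

```python
import struct
import uuid

# Constructed placeholder standing in for a vendor AAGUID (not a real one).
SAMPLE_AAGUID = uuid.UUID("12345678-1234-5678-1234-567812345678")


def normalize_aaguid(value):
    """Accept hex with or without dashes, any case; return canonical dashed lowercase."""
    return str(uuid.UUID(value.strip()))


def build_authenticator_data(aaguid, credential_id, cose_key=b"\xa0"):
    """Construct WebAuthn authenticator data as sent at registration (AT flag set)."""
    rp_id_hash = b"\x00" * 32          # SHA-256 of the RP ID; contents irrelevant here
    flags = bytes([0x41])              # UP (0x01) | AT (0x40): attested credential data present
    sign_count = struct.pack(">I", 0)
    return (rp_id_hash + flags + sign_count + aaguid.bytes
            + struct.pack(">H", len(credential_id)) + credential_id + cose_key)


def extract_aaguid(auth_data):
    """Parse authenticator data (WebAuthn section 6.1) and return the AAGUID.

    Layout: rpIdHash(32) | flags(1) | signCount(4) | AAGUID(16) | credIdLen(2) | credId | COSE key.
    The AAGUID is only present when the AT flag is set, i.e. at registration,
    not on later assertions. It is asserted by the authenticator itself; how much
    weight it deserves depends on whether attestation was verified.
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    if not flags & 0x40:
        raise ValueError("AT flag clear: no attested credential data, so no AAGUID")
    if len(auth_data) < 55:
        raise ValueError("truncated attested credential data")
    return uuid.UUID(bytes=auth_data[37:53])


def is_allowed(auth_data, allow_list):
    """True if the credential's AAGUID appears in the (normalised) allow list."""
    allowed = {normalize_aaguid(a) for a in allow_list}
    return str(extract_aaguid(auth_data)) in allowed
```

Comparing a vendor’s published ID through `normalize_aaguid` before pasting it into a policy catches the most common copy errors (stray case, missing dashes, trailing whitespace).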

This is exactly the stage we are at. A small group of people, all of whom have a strong tolerance for problems, are willing to figure stuff out and understand the need to always have a contingency plan.

Yes, I wouldn’t deploy it to everybody just yet. For now, just the IT department security group so we can experiment and figure out all the workflows for our users once it goes live.

But I’m very excited by this progress. I’m looking forward to making our tenant passwordless. :grin:

I set up the policy and was able to create the passkey in my account, but when logging in, I get an error message: “Your sign-in was successful, but this passkey does not meet the criteria set by your administrator. Try signing in with your passkey on Microsoft Authenticator or with a different passkey. Alternatively, contact your administrator for assistance.” I did restrict by AAGUID, but I definitely entered the Bitwarden AAGUID correctly. Anyone else experience this?

I was able to make this work. Check the authentication log for your attempt on the Azure side. I found a few clues there.

The logs just said that the sign-in with this passkey wasn’t allowed. But turns out it was just Microsoft taking its time again. I re-added the passkey this morning and was able to sign in fine. Thanks!

1 Like