Take the fastlane around passwords

What are we trying to do?

In a previous post I covered just how easy logging in with a Yubikey or other similar FIDO2 devices is. Now we’re going to setup this on a new Office 365 Tenant. This feature requires Azure Active Directory and uses a feature that at the time of writing is still in preview.

Prerequisites

• A Yubikey or similar device. I used a Yubikey 5 NFC, but other keys may work as long they support the correct standards - FIDO2, and some additional extra Microsoft specified requirements.

• A modern browser, and modern Operating System. I have tested this on MacOS and Windows 10 (1903 onwards).

• Office 365, with Azure AD Premium P1 or P2. There are cases where you don’t need P1/2 for certain narrow scenarios. As ever, licensing is complex and could fill an entire new blog post. TLDR: If you have an E3 license, you seem to need Azure AD P1. If you are lucky enough to have E5, you will not.

Azure Portal

Sign in to the Azure portal to let the fun begin.

Head to Azure Active Directory from the ribbon of Azure services, and then go to ‘Security’.

In security click on ‘Authentication Methods’. You will be reminded that you don’t have AAD Premium at this point. If you don’t already, start a trial of Azure Active Directory Premium 1.

Now click on Authentication Methods. You should see a list of authentication methods, and the number of users enrolled in them.

Click on the FIDO2 Security Key method.

You will need to enable it, and then choose which users the policy applies to. For a first attempt, I would suggest targeting a single user. Ensure you have selected ‘Allow self-service set up’.

Important - Remember to Enable Preview Features

To do this you must follow the link at the top of the page with “Click here to enable users for the enhanced registration preview”

Now select a group who should be able to use the new preview features. Unless you do this you will not be able to access the new authentication methods.

Self service set up

In a new browser window login to https://myprofile.microsoft.com as the user you want to set the key for

Select ‘Security Info’ from the menu on the left. You will be prompted for your password again to make sure that you are you. If you have already turned on MFA (please say it’s true), you will have to reauthenticate in MFA. If you have just emerged from a 100 years sleep, and don’t yet have MFA enabled you will see a slightly different interface where you will need to set up your first MFA method.

Note: if you will see the classic rather than modern interface, you need to enable the preview features - which is the last step above

Now, just ‘Add method’ and choose Security Key

You will probably be asked to sign in with MFA again.

Now choose a device, and select a USB device

You will then be walked through setting up the key. If you have entered a PIN previously for the device you will need to provide this

You will then need to touch the device and allow the device to be registered - this will vary slightly depending on browser

Then you will go back to the mysignins.microsoft.com site to finish by providing a name for the key key

All done! Use the key instead of a username and password to login in with a Yubikey instead.