While I really like this in theory, unfortunately, because iOS only allows one app to offer PassKeys, this won't work for us. My firm has a BYOD policy, and plenty of our users use their own password solution (e.g. built-in, 1Password, etc) and forcing them to switch to using the MS Auth app is a no go. Hopefully Microsoft works towards allowing other non-MS Auth Passkeys in the near future.
@@StevenMcKenzie-83 I have and it errors out every time I try. Based on what I've read, Microsoft is targeting late 2024 to allow other apps. I could be completely wrong, but right now they only support device bound keys, whereas 1Password would be considered synced keys, which aren't yet supported.
Thanks Jonathan, great video. You didn't cover one particular thing. What happens if you lose the device that has your Passkeys Stored? Phone gets dropped or stolen or left in a taxi after a wild night ?
@@bearded365guy I get that, however if you have your admins only able to use phish resistant login methods it's a decent sized risk. I'd suggest a two pronged approach like passkeys required outside of main office ip but mfa allowed inside office. Pretty secure still. What do you think?
I have a question if I may. I have set it up. Went swimmingly. I can login on the computer I configured the passkey to my Android MS Authenticator, but when I try and login elsewhere, and select passkey, it asks me to insert my USB Key! I've tried a few different browsers etc, no luck! I don't think I missed anything, there are two AAGuids in the config.
@@bearded365guy I mean the feature "Web sign-in for Windows" that gives you an embedded browser window at the Ctrl-Alt-Delete screen to logon with OIDC to Windows.
Great video - thank you for all your content. I'm an Android guy - tried setting this up, believe I have the Passkey registered OK. When I attempt to sign in; I get a 'passkey not found' popup on my phone. I have confirmed that I marked Authenticator as a provider. Anyone else experiencing this issue? - I understand this is still in preview and there may likely be some kinks. Thanks!
Awesome video. Makes much more sense now how it works. My only question is how do you setup new users who have just started that CA policy will block them right? Or would it go straight to setup page?
@@StevenMcKenzie-83 Ah, I should have included that in the video. You will need to use temporary access passwords as outlined here: learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-temporary-access-pass
@@bearded365guy so with a new user you give them temporary password and when they sign in it goes straight into passkey registration screen like it would do for MFA
Thank Jonathan, always look forward to your new videos. I'm currently testing this is my environment and found that if I enable the Conditional Access policy to require the Phishing-Resistant MFA to log in, my Teams and Outlook are not able to sign in anymore. Have you heard about any development for getting mobile log ins into M365 apps working?
@@bearded365guy It's actually Teams and Outlook on Android and iOS devices. The CA policy works fine on desktops. Still trying to troubleshoot but any insight you have would be awesome to hear. 😊
@@kevinbeutler910 Hey Kevin - Im hitting the same snags with the Mobile applications on our Androids. It just doesnt give us the option to use the Passkey in the authentication app.
Fantastic video Jonathan! Once the new passkey account has been added to the Microsoft Authenticator app is it safe to assume the users original account can be removed from the authenticator app?
Currently trying this and i think the CA policy takes time to kick in... maybe ill give it like 2 hrs but i did try the manual one and it doesnt feel seamless.. yubikeys just might be better but more expensive. EDIT - it works now! 💪
Absolutely amazed with your presentation, crisp and complete information!!! Apart from M365 Business Premium licenses, I suppose this feature should also be available for users with E3 licenses, What are your thoughts?
When enforcing key restrictions in Entra Id, if I have users already using fido2 keys would I have to restrict for those as well so that they continue to work?
@@techjordan Are they Yubikey’s? Read this - support.yubico.com/hc/en-us/articles/360016648959-YubiKey-Hardware-FIDO2-AAGUIDs. If you remember in the video, I added the iOS and Android AAGUIDs
#JonathanEdwards I like your polished helpful content. However, I’m leery of sharing anything with Microsoft. When I do as you suggest @5:23? (e.g. enabling Microsoft Authenticator) Does this share my IOS passwords with Microsoft Authenticator?
Please stop performing unmarked and misleading advertisements like this. 1. All advertising needs to be clearly marked in all videos. 2. Passkeys don't improve your security, so this advert is misleading from the very first line. Microsoft should be ashamed of themselves for lying like that. Why would you want to promote that trash? Hackers have already circumvented passkey "security".
While I really like this in theory, unfortunately, because iOS only allows one app to offer PassKeys, this won't work for us. My firm has a BYOD policy, and plenty of our users use their own password solution (e.g. built-in, 1Password, etc) and forcing them to switch to using the MS Auth app is a no go. Hopefully Microsoft works towards allowing other non-MS Auth Passkeys in the near future.
@@JamesWimmer you should test it. I believe it does you need need add the app id to passkey in admin center.
@@StevenMcKenzie-83 I have and it errors out every time I try. Based on what I've read, Microsoft is targeting late 2024 to allow other apps. I could be completely wrong, but right now they only support device bound keys, whereas 1Password would be considered synced keys, which aren't yet supported.
I've gotten 1Password to work but it’s very flaky. I wouldn’t give it to my users, yet 😊
@@JamesWimmer Good point. Hopefully Microsoft will sort this.
thanks for this video Jonathan, just tried it on my 365 family subscription, and it works like a charm, need to discuss now with my client's CSO 🙂
important side note: Your mobile device needs to run iOS version 17, or Android version 14, or later.
Thanks for the video. I set this up as you described but each time I try and sign in it asks me to insert a security key into the USB port. Any ideas?
Thanks Jonathan, great video. You didn't cover one particular thing. What happens if you lose the device that has your Passkeys Stored? Phone gets dropped or stolen or left in a taxi after a wild night ?
@@networkn Ring the taxi company 😩 - you can delete a users passkey from the 365 admin centre. I’ll record a video….
@@bearded365guy I get that, however if you have your admins only able to use phish resistant login methods it's a decent sized risk. I'd suggest a two pronged approach like passkeys required outside of main office ip but mfa allowed inside office. Pretty secure still. What do you think?
@@networkn Yes, good idea. But we always have a break glass account for 365 too…. Long long password, no CA, no MFA.
Fantastic video Jonathan! I really love your work and dedication. Clear, helpful, focused. Please never stop :)
I have a question if I may. I have set it up. Went swimmingly. I can login on the computer I configured the passkey to my Android MS Authenticator, but when I try and login elsewhere, and select passkey, it asks me to insert my USB Key! I've tried a few different browsers etc, no luck! I don't think I missed anything, there are two AAGuids in the config.
Thank you.
Keep it up.
Amazing 🤩🤩🤩 now I need to secure my admin accounts 😅
Would be cool if this could be used to sign into windows itself.
It really would be cool!
It doesn't work with Web Sign-in for Entra ID joined Windows 11 devices?
@@lee161a Yes, for web sign in. Not to log into Windows PC
@@bearded365guy I mean the feature "Web sign-in for Windows" that gives you an embedded browser window at the Ctrl-Alt-Delete screen to logon with OIDC to Windows.
Great video - thank you for all your content. I'm an Android guy - tried setting this up, believe I have the Passkey registered OK. When I attempt to sign in; I get a 'passkey not found' popup on my phone. I have confirmed that I marked Authenticator as a provider. Anyone else experiencing this issue? - I understand this is still in preview and there may likely be some kinks. Thanks!
@@mdoner If you go into your security info in 365, can you see the passkey registered? Which method did you use to register your passkey?
Awesome video. Makes much more sense now how it works. My only question is how do you setup new users who have just started that CA policy will block them right? Or would it go straight to setup page?
@@StevenMcKenzie-83 Ah, I should have included that in the video. You will need to use temporary access passwords as outlined here: learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-temporary-access-pass
@@bearded365guy so with a new user you give them temporary password and when they sign in it goes straight into passkey registration screen like it would do for MFA
@@StevenMcKenzie-83 Yes, that’s right.
Thank Jonathan, always look forward to your new videos. I'm currently testing this is my environment and found that if I enable the Conditional Access policy to require the Phishing-Resistant MFA to log in, my Teams and Outlook are not able to sign in anymore. Have you heard about any development for getting mobile log ins into M365 apps working?
@@kevinbeutler910 Are those Teams and Outlook desktop clients?
@@bearded365guy It's actually Teams and Outlook on Android and iOS devices. The CA policy works fine on desktops. Still trying to troubleshoot but any insight you have would be awesome to hear. 😊
@@kevinbeutler910 Hey Kevin - Im hitting the same snags with the Mobile applications on our Androids. It just doesnt give us the option to use the Passkey in the authentication app.
can i ask if this can still be set up on a hybrid set up?
Yes!
What would you recommend if we want to set this up but for laptop login with their AD/AAD account?
@@hasher87 you can use Windows Hello
So, do you have to keep scanning a QR code to sign in or only do that once?
I would presume your biometric would be primary identifier afterwards?
@@britishagent keep scanning…
Brilliant (and timely) as ever
That's great!
Is it possible to validate the credentials via WHfB? By inputting the PIN or fingerprint? Thank you
@@maltbycentre3394 Yes!
Fantastic video Jonathan! Once the new passkey account has been added to the Microsoft Authenticator app is it safe to assume the users original account can be removed from the authenticator app?
@@techgroupservices I’ve not tested that yet. I don’t want to say either way 😁
Was going to ask the same question
Hi Jonathan. Great tutorial! What if users switch phone? Can they switch the passkey also?
@@alexjacxsens5134 they can backup their authenticator app.
Does enabling the Fido2 security key method stop the 'Security Defaults' company-wide feature from working?
@@ensarguler7684 No, it shouldn’t do.
Currently trying this and i think the CA policy takes time to kick in... maybe ill give it like 2 hrs but i did try the manual one and it doesnt feel seamless.. yubikeys just might be better but more expensive.
EDIT - it works now! 💪
Hi Johnathan, thanks for the great video, but I have a question, how do bulk users enable the key feature? Thanks!!
@@pkeonz5300 Hi, not sure I quite understand the question….
Through conditional access policy.
Absolutely amazed with your presentation, crisp and complete information!!!
Apart from M365 Business Premium licenses, I suppose this feature should also be available for users with E3 licenses,
What are your thoughts?
@@tejasshirgaonkar9608 yes works for anyone with P1 licence
@@tejasshirgaonkar9608 Yes, it will be!
Hi Johnathan, I've recently discovered your channel and love the content. Will the passkey keep de session alive indefinitely? Thanks in advance
@@jjrscorpion that would depend on the other policies you have in place 👍
When enforcing key restrictions in Entra Id, if I have users already using fido2 keys would I have to restrict for those as well so that they continue to work?
@@techjordan Are they Yubikey’s? Read this - support.yubico.com/hc/en-us/articles/360016648959-YubiKey-Hardware-FIDO2-AAGUIDs. If you remember in the video, I added the iOS and Android AAGUIDs
@@techjordan Or you could use groups instead of all users.
Hey Jonathan , can we add multiple passkeys into the MS Authenticator ?...
@@tiqhubwork Yes, I have 3 in mine.
thanks for the video, i followed all the stesp as explained and when i tried to login i got an error "try again"
@@mohamehima1792 mmm…
#JonathanEdwards I like your polished helpful content. However, I’m leery of sharing anything with Microsoft. When I do as you suggest @5:23? (e.g. enabling Microsoft Authenticator) Does this share my IOS passwords with Microsoft Authenticator?
@@expensivetechnology9963 No, nothing is shared.
Please stop performing unmarked and misleading advertisements like this.
1. All advertising needs to be clearly marked in all videos.
2. Passkeys don't improve your security, so this advert is misleading from the very first line.
Microsoft should be ashamed of themselves for lying like that. Why would you want to promote that trash?
Hackers have already circumvented passkey "security".
Perhaps you could elaborate….