Step-by-Step Guide to Using Passkeys in Microsoft 365

  • Published on 5 Aug 2024
  • Learn all about passkeys in Microsoft 365 and how they provide phishing-resistant multi-factor authentication! #Microsoft365 #Passkeys #mfa
    📽️ Video Chapters
    00:00 Introduction
    02:13 Passkey Analogy
    03:15 Enable Passkeys in Admin Centre
    05:04 iPhone Setting
    06:02 Setup Passkey using Authenticator App
    07:59 Setup Passkey using Web Browser
    09:43 User Experience using Passkey
    10:50 Create Conditional Access Policy
    14:16 Final Thoughts

Comments • 71

  • @christophecolnaghi-pierre2697 21 days ago

    Thanks for this video Jonathan, just tried it on my 365 family subscription, and it works like a charm, need to discuss now with my client's CSO 🙂

  • @mindenesvegyes8512 22 days ago +1

    Fantastic video Jonathan! I really love your work and dedication. Clear, helpful, focused. Please never stop :)

  • @cjax235 24 days ago +1

    Brilliant (and timely) as ever

  • @JamesWimmer 24 days ago +8

    While I really like this in theory, unfortunately, because iOS only allows one app to offer PassKeys, this won't work for us. My firm has a BYOD policy, and plenty of our users use their own password solution (e.g. built-in, 1Password, etc) and forcing them to switch to using the MS Auth app is a no go. Hopefully Microsoft works towards allowing other non-MS Auth Passkeys in the near future.

    • @StevenMcKenzie-83 24 days ago +1

      @JamesWimmer You should test it. I believe it does, you need to add the app ID to passkey in admin center.

    • @JamesWimmer 24 days ago +1

      @StevenMcKenzie-83 I have and it errors out every time I try. Based on what I've read, Microsoft is targeting late 2024 to allow other apps. I could be completely wrong, but right now they only support device bound keys, whereas 1Password would be considered synced keys, which aren't yet supported.

    • @philhersh 24 days ago

      I've gotten 1Password to work but it’s very flaky. I wouldn’t give it to my users, yet 😊

    • @bearded365guy 23 days ago +3

      @JamesWimmer Good point. Hopefully Microsoft will sort this.

  • @karlok.9631 22 days ago +1

    Thank you.
    Keep it up.

  • @paulgilbert3618 19 days ago +1

    Thanks for the video. I set this up as you described but each time I try and sign in it asks me to insert a security key into the USB port. Any ideas?

  • @fxylk 23 days ago

    Amazing 🤩🤩🤩 now I need to secure my admin accounts 😅

  • @networkn 24 days ago +3

    Thanks Jonathan, great video. You didn't cover one particular thing. What happens if you lose the device that has your Passkeys Stored? Phone gets dropped or stolen or left in a taxi after a wild night?

    • @bearded365guy 23 days ago

      @networkn Ring the taxi company 😩 - you can delete a user's passkey from the 365 admin centre. I’ll record a video….

    • @networkn 23 days ago

      @bearded365guy I get that, however if you have your admins only able to use phish resistant login methods it's a decent sized risk. I'd suggest a two pronged approach like passkeys required outside of main office IP but MFA allowed inside office. Pretty secure still. What do you think?

    • @bearded365guy 23 days ago +1

      @networkn Yes, good idea. But we always have a break glass account for 365 too…. Long long password, no CA, no MFA.

  • @networkn 19 days ago

    I have a question if I may. I have set it up. Went swimmingly. I can login on the computer I configured the passkey to my Android MS Authenticator, but when I try and login elsewhere, and select passkey, it asks me to insert my USB Key! I've tried a few different browsers etc, no luck! I don't think I missed anything, there are two AAGuids in the config.

  • @britishagent 24 days ago +1

    So, do you have to keep scanning a QR code to sign in or only do that once?
    I would presume your biometric would be primary identifier afterwards?

    • @bearded365guy 24 days ago

      @britishagent keep scanning…

  • @kevinbeutler910 24 days ago +1

    Thanks Jonathan, always look forward to your new videos. I'm currently testing this in my environment and found that if I enable the Conditional Access policy to require the Phishing-Resistant MFA to log in, my Teams and Outlook are not able to sign in anymore. Have you heard about any development for getting mobile log ins into M365 apps working?

    • @bearded365guy 24 days ago +2

      @kevinbeutler910 Are those Teams and Outlook desktop clients?

    • @kevinbeutler910 24 days ago +1

      @bearded365guy It's actually Teams and Outlook on Android and iOS devices. The CA policy works fine on desktops. Still trying to troubleshoot but any insight you have would be awesome to hear. 😊

    • @zachorton864 21 days ago

      @kevinbeutler910 Hey Kevin - I'm hitting the same snags with the Mobile applications on our Androids. It just doesn't give us the option to use the Passkey in the authentication app.

  • @maltbycentre3394 19 days ago

    That's great!
    Is it possible to validate the credentials via WHfB? By inputting the PIN or fingerprint? Thank you

    • @bearded365guy 19 days ago

      @maltbycentre3394 Yes!

  • @StevenMcKenzie-83 24 days ago +1

    Awesome video. Makes much more sense now how it works. My only question is how do you set up new users who have just started? That CA policy will block them, right? Or would it go straight to setup page?

    • @bearded365guy 24 days ago +1

      @StevenMcKenzie-83 Ah, I should have included that in the video. You will need to use temporary access passwords as outlined here: learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-temporary-access-pass

    • @StevenMcKenzie-83 24 days ago

      @bearded365guy So with a new user you give them temporary password and when they sign in it goes straight into passkey registration screen like it would do for MFA

    • @bearded365guy 23 days ago

      @StevenMcKenzie-83 Yes, that’s right.

  • @techgroupservices 24 days ago +1

    Fantastic video Jonathan! Once the new passkey account has been added to the Microsoft Authenticator app is it safe to assume the user's original account can be removed from the authenticator app?

    • @bearded365guy 24 days ago +1

      @techgroupservices I’ve not tested that yet. I don’t want to say either way 😁

    • @StevenMcKenzie-83 24 days ago +1

      Was going to ask the same question

  • @hasher87 7 days ago

    What would you recommend if we want to set this up but for laptop login with their AD/AAD account?

    • @bearded365guy 7 days ago

      @hasher87 You can use Windows Hello

  • @jjrscorpion 23 days ago

    Hi Jonathan, I've recently discovered your channel and love the content. Will the passkey keep the session alive indefinitely? Thanks in advance

    • @bearded365guy 23 days ago +1

      @jjrscorpion That would depend on the other policies you have in place 👍

  • @ScozzieMan 22 days ago +1

    Can I ask if this can still be set up on a hybrid setup?

  • @tiqhubwork 24 days ago

    Hey Jonathan, can we add multiple passkeys into the MS Authenticator?

    • @bearded365guy 24 days ago

      @tiqhubwork Yes, I have 3 in mine.

  • @ensarguler7684 22 days ago

    Does enabling the FIDO2 security key method stop the 'Security Defaults' company-wide feature from working?

    • @bearded365guy 19 days ago

      @ensarguler7684 No, it shouldn’t do.

  • @techjordan 21 days ago

    When enforcing key restrictions in Entra ID, if I have users already using FIDO2 keys would I have to restrict for those as well so that they continue to work?

    • @bearded365guy 19 days ago

      @techjordan Are they YubiKeys? Read this - support.yubico.com/hc/en-us/articles/360016648959-YubiKey-Hardware-FIDO2-AAGUIDs. If you remember in the video, I added the iOS and Android AAGUIDs

    • @bearded365guy 19 days ago

      @techjordan Or you could use groups instead of all users.

  • @alexjacxsens5134 23 days ago

    Hi Jonathan. Great tutorial! What if users switch phones? Can they switch the passkey also?

    • @bearded365guy 23 days ago +1

      @alexjacxsens5134 They can back up their authenticator app.

  • @MrSam_Derp_Man 24 days ago +1

    Important side note: Your mobile device needs to run iOS version 17, or Android version 14, or later.

  • @mdoner 21 days ago +1

    Great video - thank you for all your content. I'm an Android guy - tried setting this up, believe I have the Passkey registered OK. When I attempt to sign in; I get a 'passkey not found' popup on my phone. I have confirmed that I marked Authenticator as a provider. Anyone else experiencing this issue? - I understand this is still in preview and there may likely be some kinks. Thanks!

    • @bearded365guy 19 days ago

      @mdoner If you go into your security info in 365, can you see the passkey registered? Which method did you use to register your passkey?

  • @pkeonz5300 24 days ago

    Hi Jonathan, thanks for the great video, but I have a question, how do bulk users enable the key feature? Thanks!!

    • @bearded365guy 23 days ago

      @pkeonz5300 Hi, not sure I quite understand the question….

    • @theoyiorkas 23 days ago

      Through conditional access policy.

  • @tejasshirgaonkar9608 24 days ago

    Absolutely amazed with your presentation, crisp and complete information!!!
    Apart from M365 Business Premium licenses, I suppose this feature should also be available for users with E3 licenses.
    What are your thoughts?

    • @StevenMcKenzie-83 24 days ago

      @tejasshirgaonkar9608 Yes, works for anyone with P1 licence

    • @bearded365guy 23 days ago +1

      @tejasshirgaonkar9608 Yes, it will be!

  • @mohamehima1792 5 days ago

    Thanks for the video, I followed all the steps as explained and when I tried to login I got an error "try again"

    • @bearded365guy 5 days ago

      @mohamehima1792 mmm…

  • @robertpearson5069 17 days ago +1

    Would be cool if this could be used to sign into windows itself.

    • @bearded365guy 17 days ago

      It really would be cool!

    • @lee161a 15 days ago

      It doesn't work with Web Sign-in for Entra ID joined Windows 11 devices?

    • @bearded365guy 15 days ago

      @lee161a Yes, for web sign in. Not to log into Windows PC

    • @lee161a 14 days ago

      @bearded365guy I mean the feature "Web sign-in for Windows" that gives you an embedded browser window at the Ctrl-Alt-Delete screen to logon with OIDC to Windows.

  • @adventuresofa9jaguy322 23 days ago

    Currently trying this and I think the CA policy takes time to kick in... maybe I'll give it like 2 hrs but I did try the manual one and it doesn't feel seamless.. YubiKeys just might be better but more expensive.
    EDIT - it works now! 💪

  • @expensivetechnology9963 23 days ago

    #JonathanEdwards I like your polished helpful content. However, I’m leery of sharing anything with Microsoft. When I do as you suggest @5:23 (e.g. enabling Microsoft Authenticator), does this share my iOS passwords with Microsoft Authenticator?

    • @bearded365guy 23 days ago

      @expensivetechnology9963 No, nothing is shared.

  • @StijnHommes 15 days ago

    Please stop performing unmarked and misleading advertisements like this.
    1. All advertising needs to be clearly marked in all videos.
    2. Passkeys don't improve your security, so this advert is misleading from the very first line.
    Microsoft should be ashamed of themselves for lying like that. Why would you want to promote that trash?
    Hackers have already circumvented passkey "security".

    • @bearded365guy 14 days ago

      Perhaps you could elaborate….