Configuring Microsoft Entra ID

The steps in this section register the container APIs and expose them so they can be used by the calling applications, for example a web app or ITSMs in the customer environment.

Note

Most of the registration steps can be performed by an admin user with the Application Administrator role. However, to complete some steps a user with the Global Administrator role is required as indicated in the procedure.

Enabling Passkey (FIDO2) Authentication

In this step you will configure the authentication methods policies used in Microsoft Entra ID.

Note

To complete these configuration steps you must have either the Authentication Policy Administrator or the Global Administrator role.

To configure the Microsoft Entra ID policies to allow the use of YubiKeys, do the following:

  1. Sign in to the Microsoft Entra admin center with at least the Authentication Policy Administrator role.
  2. Under Entra ID, click Authentication methods > Policies.
  3. Under the method Passkey (FIDO2), set the toggle to “Enable”. Select “All users”, or click “Add groups” to target specific groups. Only security groups are supported (you cannot use dynamic groups or individual users).
  4. Save the configuration.

The Configure tab has additional settings to control the type of passkeys supported in the customer tenant, and their registration requirements:

  • Allow self-service set up: Must be set to “Yes”. If this is disabled, YubiKeys cannot be registered, not even using administrative registration processes.
  • Enforce attestation: Recommended setting “Yes”. Attestation uses cryptographic evidence from the authenticator to ensure that registered authenticators are genuine YubiKeys, not fraudulent products or low-assurance passkey credentials (which might not be able to support attestation).
  • Enforce key restrictions: Recommended setting “Yes”. This lets your organization allowlist specific YubiKey models by their associated Authenticator Attestation GUID (AAGUID). For more information, see YubiKey hardware FIDO2 AAGUIDs.
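As an added illustration (not Yubico's or Microsoft's code), the following Python snippet shows the check that “Enforce key restrictions” performs: it parses the authenticator data from a registration response, extracts the AAGUID, and accepts only allowlisted models. The AAGUIDs in the allowlist and the sample registration data are constructed placeholders; substitute the real values from the YubiKey hardware FIDO2 AAGUIDs list.

```python
import struct
import uuid

# Constructed allowlist: placeholder AAGUIDs, not real YubiKey values.
# Take the real AAGUIDs from Yubico's published "YubiKey hardware FIDO2 AAGUIDs" list.
ALLOWED_AAGUIDS = {
    "00000000-0000-0000-0000-0000000000aa",  # placeholder: model A
    "00000000-0000-0000-0000-0000000000bb",  # placeholder: model B
}

FLAG_UP = 0x01  # user present
FLAG_AT = 0x40  # attested credential data included

def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse WebAuthn authenticator data (rpIdHash | flags | signCount | attestedCredentialData)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    if not flags & FLAG_AT:
        # A registration response must carry attested credential data; without it there is no AAGUID.
        raise ValueError("no attested credential data present")
    if len(auth_data) < 55:
        raise ValueError("attested credential data truncated")
    aaguid = str(uuid.UUID(bytes=auth_data[37:53]))
    cred_id_len = struct.unpack(">H", auth_data[53:55])[0]
    cred_id = auth_data[55:55 + cred_id_len]
    if len(cred_id) != cred_id_len:
        raise ValueError("credential id truncated")
    return {"rp_id_hash": auth_data[:32], "flags": flags, "sign_count": sign_count,
            "aaguid": aaguid, "credential_id": cred_id}

def is_allowed_authenticator(auth_data: bytes, allowlist=ALLOWED_AAGUIDS) -> bool:
    """True only if the registration carries an allowlisted AAGUID; fails closed on parse errors."""
    try:
        return parse_authenticator_data(auth_data)["aaguid"] in allowlist
    except ValueError:
        return False

def build_sample_auth_data(aaguid: str, attested: bool = True) -> bytes:
    """Constructed sample (not captured from a real key) mimicking a registration's authData."""
    flags = FLAG_UP | (FLAG_AT if attested else 0)
    head = b"\x11" * 32 + bytes([flags]) + struct.pack(">I", 0)  # fake rpIdHash, flags, signCount=0
    if not attested:
        return head
    cred_id = b"\xab" * 16
    # Trailing 0xA0 stands in for the COSE public key (an empty CBOR map); it is not parsed here.
    return head + uuid.UUID(aaguid).bytes + struct.pack(">H", len(cred_id)) + cred_id + b"\xa0"
```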

Important

If security keys such as device-bound passkeys or other types of passkeys are already used in your Microsoft Entra ID environment, ensure that these configuration changes do not break the sign-in for existing users.

For more information, see Enable passkeys (FIDO2) for your organization (Microsoft documentation).

Registering Apps

In this step you will register the FIDO Connector app and the FIDO Pre-reg Test Client (optional) for testing your deployment.

FIDO Connector App

To register the FIDO Connector App, do the following:

  1. Sign in to the Microsoft Entra admin center and expand the Entra ID section.
  2. Click App registrations.
  3. Click + New registration.
  4. Provide a descriptive Name, for example “Yubico FIDO Pre-reg Client App”.
  5. Click Register.
  6. Under Manage, click API permissions.
  7. Click + Add a permission.
  8. Select “Microsoft Graph”.
  9. Click Application permissions.
  10. Search for “UserAuthMethod-Passkey.ReadWrite.All” and select the permission.
  11. Click Add permissions.
  12. Next to the list of permissions, select “Grant admin consent for {tenant name}”. Note that the Global Administrator role is required for this step.
  13. Under the Manage section for the app, click Expose an API.
  14. Click Add next to the Application ID URI.
  15. Edit the Application ID URI to a value like api://fido-connector-api.{verified domain name}.
    • The verified domain name can be either a custom domain that has been verified by the tenant, or you can use the default domain that ends with “.onmicrosoft.com”.
    • The Application ID URI represents the scope that clients will use when authenticating to call the API. This value will be populated as an ARM template parameter FIDO_Connector_Allowed_Audiences. The URI does not need to be resolvable, but should have a descriptive scope name.
    • Save the value of the URI for later use.
  16. Click Save.
  17. Under Manage > Expose an API, click + Add a scope and set the following:
    • For Scope name and Admin consent display name, enter “create_request”.
    • For Consent, select “Admins only”.
    • For the Admin consent description, enter “Allows Yubico FIDO Pre-reg requests”.
  18. Click Add scope.
  19. Under Manage, click Certificates & secrets.
  20. Click + New client secret.
  21. Provide a Description, for example “YFPR Service - Client Secret”, and use the recommended Expires option.
  22. Click Add.
  23. Copy the secret Value (the Value column, not the Secret ID column) for later use in the ARM template for the FIDO_Connector_Client_Secret. The value is displayed only once, immediately after the secret is created.
  24. In the Microsoft Entra Admin center, click Overview for the FIDO Connector app.
  25. Save the Application (client) ID value for later use in the ARM template for the FIDO_Connector_Client_Id.

For more information, see Register an application with the Microsoft identity platform (Microsoft documentation).
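To make the relationship between the Application ID URI (step 15) and the create_request scope (step 17) concrete, here is an added Python example, not the FIDO Connector's own code, of the claim checks an API behind FIDO_Connector_Allowed_Audiences would apply to a caller's access token: the aud claim must match an allowed audience and the scp claim must include create_request. It assumes the framework has already verified the token signature against the tenant's signing keys before these checks run; the sample tokens it builds are constructed and unsigned, for illustrating the claim layout only.

```python
import base64
import json
import time

# Assumed configuration: the same form as the Application ID URI set in step 15 (placeholder domain).
ALLOWED_AUDIENCES = {"api://fido-connector-api.contoso.onmicrosoft.com"}
REQUIRED_SCOPE = "create_request"  # the scope added in step 17

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def token_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. The signature is NOT checked here: the
    hosting framework must already have verified it against the tenant's published keys."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))

def authorize_create_request(token: str, now=None) -> bool:
    """Authorize a call to the create_request operation from the token's claims."""
    claims = token_claims(token)
    now = time.time() if now is None else now
    aud = claims.get("aud")
    audiences = set(aud) if isinstance(aud, list) else {aud}
    if not audiences & ALLOWED_AUDIENCES:      # token was issued for a different API
        return False
    if claims.get("exp", 0) <= now:            # expired token
        return False
    scopes = set(str(claims.get("scp", "")).split())  # scp is a space-separated list
    return REQUIRED_SCOPE in scopes

def make_sample_token(aud, scp, exp) -> str:
    """Constructed, unsigned sample token used only to show the claim layout (never accept alg=none in production)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"aud": aud, "scp": scp, "exp": exp}).encode())
    return f"{header}.{payload}."
```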

FIDO Pre-reg Test Client

Registering this app is optional. However, the app is useful when testing direct calls to the FIDO Connector App. The application credentials created here can be used in a Postman test client or any other HTTP test client when testing the app deployment.

To register the FIDO Pre-reg Test Client app, do the following:

  1. Sign in to the Microsoft Entra admin center and expand the Entra ID section.
  2. Click App registrations.
  3. Click + New registration.
  4. Provide a descriptive Name like “Yubico FIDO Pre-reg Test Client” and click Register.
  5. Under Manage, select API permissions.
  6. Click + Add a permission.
  7. Click APIs my organization uses at the top.
  8. Search for Credential-Container-API and select the API in the list.
  9. Select create_request.
  10. Click Add permissions.
  11. Under Manage, click Certificates & secrets.
  12. Click + New client secret.
  13. Provide a Description, for example “YFPR Service - Client Secret”, and use the recommended Expires option.
  14. Click Add.

The app credentials you created here will be used later when testing the app deployment. For more information, see Testing the Deployment.