
Restricting FIDO2 Passkey Use to Specific Hardware Models in Microsoft Entra


If you didn't know, Microsoft offers the option to define which types of FIDO2 passkey device can be used for registration in your Azure tenant. This feature is especially useful for organisations that want to be precise about the authenticators they permit.


And the great thing is, it's easy to do!

Note: this article doesn't cover configuring the entire policy; it focuses only on how to add approved FIDO2 hardware.

To configure, simply do the following:

  1. Go to https://portal.azure.com

  2. Select "Microsoft Entra ID"

  3. Click "Security" > "Authentication Methods" > "Passkey (FIDO2)"

  4. Click the "Configure" option, then where it says "Restrict specific keys", select "Allow".



Each hardware vendor assigns a specific AAGUID (Authenticator Attestation GUID) to each of its device models. For example, the Microsoft Authenticator app's AAGUIDs are shown by hovering over the information option shown below.



So make sure you find the appropriate AAGUID for your vendor and model, then add it to the list as needed. For reference, the image shows two types of YubiKey devices.
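To make clear what the allow list is actually matched against, here is an added example (not code from the original post or from Microsoft) that extracts the AAGUID from the authenticator data of a WebAuthn registration and checks it against an allow list of the kind configured above. The AAGUIDs in the allow list are constructed placeholders, not real vendor values, and the `build_auth_data` helper is a hypothetical builder that fabricates a sample registration so the script runs offline.

```python
import hashlib
import uuid

# Constructed placeholder allow list (NOT real YubiKey AAGUIDs; look up the
# real values for your vendor and model before using this in practice).
ALLOWED_AAGUIDS = {
    uuid.UUID("11111111-2222-4333-8444-555555555555"),  # placeholder "model A"
    uuid.UUID("66666666-7777-4888-8999-aaaaaaaaaaaa"),  # placeholder "model B"
}

# WebAuthn authenticator-data flag bits
FLAG_UP = 0x01  # user present
FLAG_AT = 0x40  # attested credential data included (registration only)


def parse_aaguid(auth_data: bytes) -> uuid.UUID:
    """Return the AAGUID from WebAuthn authenticator data.

    Layout: rpIdHash[32] | flags[1] | signCount[4] | aaguid[16]
            | credentialIdLength[2] | credentialId | credentialPublicKey (COSE)
    The AAGUID only exists when the AT flag is set, i.e. on registration.
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the fixed header")
    flags = auth_data[32]
    if not flags & FLAG_AT:
        raise ValueError("AT flag clear: no attested credential data, so no AAGUID")
    if len(auth_data) < 55:
        raise ValueError("attested credential data is truncated")
    return uuid.UUID(bytes=auth_data[37:53])


def is_allowed(auth_data: bytes, allowed=ALLOWED_AAGUIDS) -> bool:
    """Allow-list check: unparseable data is rejected, never accepted."""
    try:
        return parse_aaguid(auth_data) in allowed
    except ValueError:
        return False


def build_auth_data(aaguid: str, flags: int = FLAG_UP | FLAG_AT,
                    credential_id: bytes = b"\x01\x02\x03\x04") -> bytes:
    """Hypothetical helper: construct sample authenticator data for a
    registration on the RP ID 'example.com'. The COSE public key is a
    placeholder empty CBOR map (0xa0); parse_aaguid never decodes it."""
    rp_id_hash = hashlib.sha256(b"example.com").digest()
    sign_count = (0).to_bytes(4, "big")
    cred_len = len(credential_id).to_bytes(2, "big")
    cose_key = b"\xa0"
    return (rp_id_hash + bytes([flags]) + sign_count
            + uuid.UUID(aaguid).bytes + cred_len + credential_id + cose_key)


def aaguid_string(auth_data: bytes) -> str:
    """Convenience wrapper returning the AAGUID in its canonical text form."""
    return str(parse_aaguid(auth_data))


if __name__ == "__main__":
    sample = build_auth_data("11111111-2222-4333-8444-555555555555")
    print("AAGUID:", aaguid_string(sample), "allowed:", is_allowed(sample))
    other = build_auth_data("00000000-0000-4000-8000-000000000000")
    print("AAGUID:", aaguid_string(other), "allowed:", is_allowed(other))
```

The point to take from this is that the AAGUID is a claim made inside the registration response, and it is only as trustworthy as the attestation statement that signs it. A registration with attestation format `none` could carry any AAGUID, which is why the related "enforce attestation" setting in the same Entra policy matters alongside the key restriction list. You can confirm what the tenant currently enforces by reading the FIDO2 configuration from Microsoft Graph at `GET https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2`, whose `keyRestrictions` object holds the `isEnforced`, `enforcementType` and `aaGuids` values set in the portal.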


And that's it, you're all set up!
