Registering YubiKeys in Entra ID via Enrollment
The challenge
Companies must find secure and user-friendly solutions to effectively protect all employees. Without modern authentication methods, the IT effort required for authentication and the vulnerability to phishing attacks increase.
Our solution
By registering YubiKeys in Microsoft Entra ID via Enrollment, YubiKeys are automatically registered for all desired users — for secure, user-friendly, and phishing-resistant authentication with minimal IT effort.
Configure Microsoft Entra ID
This article describes the steps required to configure Microsoft Entra ID, including enabling FIDO2 authentication, registering the application, and assigning the required API permissions.
Important
Microsoft still offers this functionality as a beta, so it may change in future releases.
How to configure Microsoft Entra ID
- Go to Microsoft Entra Admin Center or to Microsoft Azure.
- Log in with your administrator credentials.
- Enable FIDO2 passwordless authentication in Microsoft Entra ID:
  - For Microsoft Entra Admin Center: Navigate to Identity > Protection > Authentication methods > Policies.
  - For Microsoft Azure: Navigate to Microsoft Entra ID > Security > Manage > Authentication methods > Policies.
  - Click Passkey (FIDO2).
  - Under Enable and Target, turn on the Enable switch.
  - Under Include, choose All users or Select groups.
  - (Optional) Select Configure to customize the passkey settings according to your organization's security requirements.
  - Click Save.

- Register the application (if not already registered) and configure the required API permissions:
  - Go to App registrations.
  - If your application is not yet registered, click New registration and enter the required registration information for your application.
  - Select your application and navigate to API permissions.
  - Make sure the following API permissions are added to allow the application to interact with Microsoft Entra ID:
    - Directory.Read.All
    - Group.Read.All
    - User.Read.All
    - UserAuthenticationMethod.ReadWrite.All
  - Ensure that administrator consent is granted for the requested permissions.

Microsoft Entra ID is successfully configured.
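To confirm that the permissions and administrator consent from the steps above took effect, the following added example (not part of the vendor's documentation or tooling) inspects an app-only access token requested for the registered application. It assumes the four permissions were added as application permissions, which Microsoft Entra ID then lists in the token's `roles` claim; `check_permissions` and `constructed_token` are hypothetical names, and the sample token is constructed.

```python
import base64
import json

# The four Microsoft Graph permissions listed in the steps above.
REQUIRED = frozenset({
    "Directory.Read.All",
    "Group.Read.All",
    "User.Read.All",
    "UserAuthenticationMethod.ReadWrite.All",
})


def decode_claims(jwt: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (config check only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated parts")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_permissions(jwt: str) -> dict:
    """Compare the token's app roles with the permissions the steps require."""
    claims = decode_claims(jwt)
    roles = set(claims.get("roles", []))  # assumed absent when nothing is consented
    return {
        "ok": REQUIRED <= roles,
        "missing": sorted(REQUIRED - roles),  # not added, or consent not granted
        "extra": sorted(roles - REQUIRED),    # review against least privilege
        "delegated": "scp" in claims,         # user token, not an app-only token
    }


def constructed_token(claims: dict) -> str:
    """Build an unsigned sample token (constructed test data, not a real token)."""
    def enc(obj: dict) -> str:
        raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
        return raw.rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"


if __name__ == "__main__":
    # Constructed sample: two of the four permissions consented, one unrelated.
    sample = constructed_token(
        {"roles": ["User.Read.All", "Group.Read.All", "Mail.Read"]}
    )
    print(check_permissions(sample))
```

A non-empty `missing` list points back to the API permissions and administrator consent steps; entries in `extra` are permissions the enrollment does not need according to this page and are worth reviewing, since `UserAuthenticationMethod.ReadWrite.All` alone already allows changing users' authentication methods.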
Next steps: Enable passwordless authentication for Microsoft Entra ID via Enrollment
Before proceeding, ensure that a Microsoft Entra ID import source has been created and configured within the appropriate organization to synchronize users.
After Microsoft Entra ID is configured, proceed to the next step: add the step Passwordless authentication with Microsoft Entra ID to YubiKey Enrollment. This registers YubiKeys in Entra ID and enables FIDO2-based passwordless logins for selected users and/or groups.