How to Set Up Hardware Key MFA With Azure AD

Security tokens are hardware devices that can act as a secondary (or sometimes primary) authentication method for online services. I recently purchased two YubiKey 5 tokens from Yubico, a popular security key vendor, and wanted to set them up so that they can be used as a MFA device with Azure AD.

This is a quick tutorial to set up your Azure AD tenant to allow hardware tokens for MFA and allow users to enroll their tokens.

Tutorial

Warning

Full support for FIDO2 keys is only available on Windows as of writing this article. Limited support is available on MacOS, Linux, and ChromeOS. Mobile devices currently have no support for FIDO2 security keys.

If you plan on enabling Conditional Access to require FIDO2 keys on login, be aware that users will not be able to log in at all using iOS and Android devices.

Read this Microsoft article to learn more.

Enable FIDO2 security key authentication

Navigate to the Microsoft Azure portal and open the “Azure Active Directory” product
In the sidebar, select “Security” and then select “Authentication methods”
On the default “Policies” page, select “FIDO2 security key” in the list of authentication methods
Under “Enable” select “Yes” and under “Target” select “All users”
Click the “Configure” tab at the top of the page. On this page, select “Yes” for “Allow self-service set up” and “Enforce attestation”

Note

By enabling “Enforce attestation”, Azure AD will only allow users to enroll security key models that are approved by Microsoft. You can read more about Microsoft-approved security keys here .
Save your changes by clicking “Save” at the bottom of the page. Users will be able to enroll their security tokens as a MFA device after 30-60 minutes.

Warning

Upon enabling this setting, users will be prompted to set up or verify their security information on next login. Make sure to notify users accordingly.

Enrolling users with hardware security keys

Have users navigate to https://myaccount.microsoft.com/ and sign in.
Click “UPDATE INFO” in the “Security info” card.
On the “Security info” page, click “Add sign-in method” and click “Security Key”.
You will be prompted to select the kind of security key that you have. If you have a Yubikey, or other type of security key that uses a port on your computer to authenticate (USB, USB-C, etc.), select “USB device”. Some other hardware security devices use NFC (like some smart cards), for which you would select “NFC device”.
After selecting the type of key, click “Next” on the following screen. You will be redirected to a new page. A Windows Security screen will show with instructions to insert your USB device.
If you are setting up the key for the first time, you will be prompted to create a pin. Otherwise, you will enter the pin you created when the device was set up.
After entering a name for your security key, your device will be completely set up and you will be able to use it as a MFA device.