Export FIDO2 registration info – Entra ID

FIDO2 security keys are brilliant. They enable a phishing-resistant and passwordless sign-in experience.
In the old days, they were only available in physical (hardware) versions, like YubiKeys.

However, the FIDO2 standard has been expanded to other form factors, like device-bound passkeys. For example, iOS, macOS, Android, and Windows support passkeys to allow for a passwordless sign-in experience to websites and apps. These passkeys (FIDO2 credentials) are stored on the device in a secure container, and how that container is implemented differs per device and OS.

Entra ID

Entra ID supports the use of device-bound passkeys (currently in preview), which are registered and displayed as FIDO2 security keys within Entra ID. Microsoft will (soon) also introduce support for device-bound passkeys using the Microsoft Authenticator App.

By default, when Entra ID is configured to allow FIDO2 as an authentication method, it allows the use of all FIDO2 security keys and passkeys. For usability this is perfect. However, there could be reasons why you might want to restrict the use of these keys. Entra ID offers the option to configure a Key Restriction Policy, which can either allow only certain key types or specifically block certain key types. These restrictions are based on the AAGUID of the keys, which is a unique ID for a specific security key model.

The AAGUIDs of the hardware-based FIDO2 security keys can be found on the website of the specific vendor.

Report

What if you want to check which FIDO2 security keys (including AAGUID) are registered within your tenant?
I’ve created a PowerShell script which produces an export (CSV format) including the AAGUID of the registered FIDO2 security keys per user and other information like the model. The report file includes all of the following information:

The script also generates a list of key models with the number of times they have been registered.

Requirements

The script has the following requirements:

  • Microsoft Graph PowerShell SDK (will be installed if not present)
  • Graph permissions:
    • User.Read.All
    • UserAuthenticationMethod.Read.All
    • UserAuthMethod-Passkey.Read.All
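The following is an added example (not the author's Export-Fido2Info.ps1) showing the core of such a report: it enumerates the registered FIDO2 security keys per user through the Microsoft Graph PowerShell SDK, exports them to CSV, counts registrations per model, and additionally flags keys whose AAGUID is not in an allow list such as the one you would configure in a Key Restriction Policy. The output path and the allow list are assumptions (placeholders) to replace with your own values.

```powershell
# Added example, not the author's script. Assumes the Microsoft Graph
# PowerShell SDK is installed and the caller can consent to the listed scopes.
param(
    [string]$OutputPath = ".\Fido2Registrations.csv",
    # Placeholder allow list: the AAGUIDs your Key Restriction Policy permits
    [string[]]$AllowedAaguids = @("00000000-0000-0000-0000-000000000000")
)

# Same Graph permissions the requirements list above
Connect-MgGraph -Scopes "User.Read.All","UserAuthenticationMethod.Read.All","UserAuthMethod-Passkey.Read.All" -NoWelcome

$rows = foreach ($user in Get-MgUser -All -Property Id,UserPrincipalName) {
    # One row per registered FIDO2 security key / device-bound passkey
    foreach ($key in Get-MgUserAuthenticationFido2Method -UserId $user.Id) {
        [pscustomobject]@{
            UserPrincipalName = $user.UserPrincipalName
            DisplayName       = $key.DisplayName
            Model             = $key.Model
            AAGUID            = $key.AaGuid
            AttestationLevel  = $key.AttestationLevel
            CreatedDateTime   = $key.CreatedDateTime
            InAllowList       = ($AllowedAaguids -contains $key.AaGuid)
        }
    }
}

# Per-user export including the AAGUID, as described in the Report section
$rows | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8

# Key models with the number of times they have been registered
$rows | Group-Object Model | Sort-Object Count -Descending |
    Select-Object @{ n = 'Model'; e = { $_.Name } }, Count | Format-Table -AutoSize

# Keys whose AAGUID is outside the allow list: registered before a restriction
# policy was applied, or a model you did not expect to see in the tenant
$rows | Where-Object { -not $_.InAllowList } |
    Select-Object UserPrincipalName, Model, AAGUID | Format-Table -AutoSize
```

A Key Restriction Policy only affects new registrations, so the last table is the quickest way to find keys that were enrolled before the policy existed.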

More information

For more information and download of the script, see GitHub: https://github.com/MichelvanVliet/Scripts/blob/main/Entra/Export-Fido2Info.ps1
