Skip to content
/ EntraIDPasskeyHelper Public

PowerShell module to manage the Entra ID device-bound passkey feature

License

MIT license
26 stars 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

f-bader/EntraIDPasskeyHelper

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

22 Commits
.github/workflows
.github/workflows
 
 
src
src
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

Entra ID device-bound passkey preview

This module helps you to enable the Entra ID device-bound passkey preview feature for your organization.

The Entra ID device-bound passkey preview feature allows you to use the Entra ID device-bound passkey as an authentication method for your organization.

Installation

To install the module from the PowerShell Gallery, you can use the following command:

Install-Module -Name EntraIDPasskeyHelper

You find the module in the PowerShell Gallery.

PSGallery Version PSGallery Downloads

Usage

Example #1

This example enables the Entra ID device-bound passkey preview feature for all new Microsoft AAGUIDs while maintaining all existing AAGUIDs. It first queries all passkey device-bound AAGUIDs already present in current tenant and then sets the authentication method policy for passkeys/FIDO2. Since the parameter -MicrosoftAAGUIDsAllowed is set to All, all Microsoft AAGUIDs are allowed as passkeys.

# Connect to Microsoft Graph
Connect-MgGraph -Scopes "AuditLog.Read.All", "Policy.ReadWrite.AuthenticationMethod", "User.Read.All", "UserAuthenticationMethod.Read.All"
# Enable the Entra ID device-bound passkey preview feature for all new Microsoft AAGUIDs while maintaining all existing AAGUIDs
Get-PasskeyDeviceBoundAAGUID | Set-PasskeyAuthenticationMethodsPolicy -MicrosoftAAGUIDsAllowed All

Example #2

In this example, the Entra ID device-bound passkey preview feature is enabled, while maintaining all existing AAGUIDs but only allowing a subset of the new Microsoft AAGUIDs.

# Connect to Microsoft Graph
Connect-MgGraph -Scopes "AuditLog.Read.All", "Policy.ReadWrite.AuthenticationMethod", "User.Read.All", "UserAuthenticationMethod.Read.All"
# Enable the Entra ID device-bound passkey preview feature for Android AAGUIDs while maintaining all existing AAGUIDs
Get-PasskeyDeviceBoundAAGUID | Set-PasskeyAuthenticationMethodsPolicy -MicrosoftAAGUIDsAllowed 'Android' -OverwriteExistingAAGUIDs

Example #3

If you would like to configure the authentication policy method yourself, you can use the following example to gather information about all currently registered FIDO2 security keys.

# Connect to Microsoft Graph
Connect-MgGraph -Scopes "AuditLog.Read.All", "User.Read.All", "UserAuthenticationMethod.Read.All" -DeviceCode -NoWelcome
# Gather information about all currently registered FIDO2 security keys
Get-PasskeyDeviceBoundAAGUID

Known limitations

If the tenant is not licensed with Entra ID P1 or P2 the Microsoft Graph endpoint 'reports/authenticationMethods/userRegistrationDetails' is not available. In this case all users are enumerated and check for authentication methods.

This can be a very slow process if you have thousands of users.

About

PowerShell module to manage the Entra ID device-bound passkey feature

Resources

Readme

License

MIT license
Activity

Stars

26 stars

Watchers

2 watching

Forks

2 forks
Report repository

Releases 4

1.0.3 Latest
Jun 5, 2024
+ 3 releases

Packages

No packages published

Languages