Cannot opt for Passkey method from user side.

Batman 20 Reputation points
2025-02-05T18:48:05.2666667+00:00

Hi,

I've created a conditional access policy to enforce passkey authentication, and at the time of login as a test user I can see the below popup:

User's image

But when I tried to proceed further in order to assign the YubiKey, the below error occurs:

User's image

Please check and let me know how I can resolve this issue.

Microsoft Entra ID

Accepted answer
  1. Andy David - MVP 153.7K Reputation points MVP
    2025-02-07T11:28:25.9333333+00:00

    Since you cannot accept your own fix as the answer, I have added it here. If you desire, please mark this as the answer so others can benefit. Thank you.

    FYI, passkey enrollment is possible at the time of logging in. The problem was with the AAGUID: I needed to add the AAGUID based on the YubiKey model in Authentication Strengths, and then I didn't see any error while enrolling the key from the user's side.

    Thank You

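As an added example (not part of the original thread and not Microsoft's code): the AAGUID the accepted answer refers to is a 16-byte authenticator model identifier carried in the WebAuthn authenticator data at registration, and the code below extracts it and checks it against an allow-list like the one configured in an authentication strength. It assumes the authenticator data has already been decoded from the attestation object; the function names and the AAGUID values are constructed for illustration.

```python
import uuid

AT_FLAG = 0x40  # flags bit 6: attested credential data is present


def extract_aaguid(auth_data: bytes) -> uuid.UUID:
    """Read the AAGUID out of WebAuthn authenticator data.

    Layout: rpIdHash(32) | flags(1) | signCount(4) | aaguid(16) | credIdLen(2) | ...
    """
    if len(auth_data) < 37:
        raise ValueError("shorter than the 37-byte fixed header")
    if not auth_data[32] & AT_FLAG:
        raise ValueError("AT flag clear: no attested credential data present")
    if len(auth_data) < 55:
        raise ValueError("attested credential data is truncated")
    return uuid.UUID(bytes=auth_data[37:53])


def aaguid_allowed(auth_data: bytes, allowed_aaguids) -> bool:
    """True if the key's AAGUID is on the allow-list (case-insensitive)."""
    allowed = {uuid.UUID(a) for a in allowed_aaguids}
    return extract_aaguid(auth_data) in allowed


def build_sample_auth_data(aaguid: str, flags: int = 0x45) -> bytes:
    """Constructed test input: zeroed rpIdHash, counter and 16-byte credential ID.

    0x45 = UP | UV | AT. The COSE public key that follows in real data is omitted.
    """
    cred_id = bytes(16)
    return (bytes(32) + bytes([flags]) + bytes(4) + uuid.UUID(aaguid).bytes
            + len(cred_id).to_bytes(2, "big") + cred_id)


# Placeholder AAGUIDs, constructed for this example (not real YubiKey values).
SAMPLE_KEY_AAGUID = "11111111-2222-3333-4444-555555555555"
OTHER_MODEL_AAGUID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

if __name__ == "__main__":
    data = build_sample_auth_data(SAMPLE_KEY_AAGUID)
    print("AAGUID:", extract_aaguid(data))
    print("allowed (other model only):", aaguid_allowed(data, [OTHER_MODEL_AAGUID]))
    print("allowed (model added):",
          aaguid_allowed(data, [OTHER_MODEL_AAGUID, SAMPLE_KEY_AAGUID]))
```

The first check mirrors the failing state in the thread (the key's model is missing from the list) and the second the state after the model's AAGUID was added.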

4 additional answers

  1. Andy David - MVP 153.7K Reputation points MVP
    2025-02-05T19:34:58.6266667+00:00

    What does this CA policy look like?

    Did you meet all the pre-reqs?

    Is attestation enabled?

    https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-enable-passkey-fido2

  2. Batman 20 Reputation points
    2025-02-06T07:45:32.8766667+00:00

    Hi @Andy David - MVP, below is the CA policy which I've created for testing, and yes, Enforce attestation is enabled.

    User's image

    User's image

    User's image

    Still not able to enroll the passkey from the user side during login, but at the same time the user is able to enroll for a passkey via https://mysignins.microsoft.com/security-info

  3. Janaki Kota 790 Reputation points Microsoft External Staff
    2025-02-06T13:41:41.59+00:00

    Hello @Vaibhav Srivastava Admin,

    Thank you for reaching out to Microsoft Q&A. 

    We understand that you are experiencing the below error when you are trying to register Passkeys: "Passkey not registered. We were unable to register the passkey you attempted to add. Please Try again." 

    Hope the suggestions by @Andy David - MVP worked for you.

    In addition to that, could you please change Enforce Attestation = No and check if you are able to register the passkeys?

    User's image

    There are a few other scenarios where this error may occur: if the provider used is not Microsoft Authenticator or Windows Hello, as Microsoft Entra ID currently supports device-bound passkeys stored on FIDO2 security keys and in Microsoft Authenticator.

    Hope this helps. Do let us know if you have any further queries.

    Thanks & Best Regards

    Janaki Kota

  4. Andy David - MVP 153.7K Reputation points MVP
    2025-02-06T19:56:43.97+00:00

    That's by design!

    You have to enroll passkeys via the security info menu, not when logging on to Azure resources.

    That's why users should already have an MFA method enrolled; then they can add a passwordless/phish-resistant method after that.

    https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-register-passkey-with-security-key#first-time-registration

