I recently added a second YubiKey to an admin account as a backup, and while it showed up correctly in my Security Info, I'm having trouble when trying to use it for sign-ins. Each time I attempt to use the new YubiKey, it seems like the sign-in is successful at first, but then I'm interrupted with an error message that says: "Your sign-in was successful but this passkey does not meet the criteria set by your admin. Try signing in with your passkey on Microsoft Authenticator or a different passkey. Alternatively, contact your admin for help."
Checking the sign-in logs on Entra, I see an error code 1350161, stating that sign-in with this passkey is blocked by policy but that I have another Microsoft Authenticator passkey that's allowed. Interestingly, my original YubiKey works fine without a hitch. Could someone help me understand why this is happening?
1 Answer
It sounds like your new YubiKey might need a new AAGUID, which can cause these kinds of issues. There’s a known bug where the authentication service doesn’t update properly with these changes. The workaround is to disable passkeys for about 5 minutes, then re-enable them. This might fix the issue you’re facing.
I had the same issue, and after following that advice, my new YubiKey worked perfectly after a day!
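To see which registered keys a FIDO2 key-restriction policy will refuse before a user hits error 1350161, the allow/block decision can be reproduced offline. This is an added example, not code from the thread or from Microsoft; it assumes the JSON shape of the Graph `fido2` authentication method configuration (`keyRestrictions.isEnforced`, `enforcementType`, `aaGuids`) and of a user's `fido2Methods`, and the AAGUIDs are constructed placeholders, not real authenticator identifiers.

```python
"""Check a user's registered FIDO2 keys against Entra key restrictions.

Added example, not from the original thread. It evaluates the same rule the
service applies, on constructed JSON shaped like two Microsoft Graph responses:
  GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2
  GET /users/{id}/authentication/fido2Methods
All AAGUIDs below are placeholders (constructed), not real device identifiers.
"""
import json

# Constructed sample: tenant allows exactly one authenticator model by AAGUID.
POLICY_JSON = """{
  "id": "Fido2",
  "state": "enabled",
  "keyRestrictions": {
    "isEnforced": true,
    "enforcementType": "allow",
    "aaGuids": ["11111111-1111-1111-1111-111111111111"]
  }
}"""

# Constructed sample: the user's two registered keys; the backup has a new AAGUID.
KEYS_JSON = """[
  {"displayName": "Original YubiKey", "aaGuid": "11111111-1111-1111-1111-111111111111"},
  {"displayName": "Backup YubiKey",   "aaGuid": "22222222-2222-2222-2222-222222222222"}
]"""


def key_allowed(policy: dict, aaguid: str) -> bool:
    """True if a key with this AAGUID passes the tenant's key restrictions."""
    restr = policy.get("keyRestrictions") or {}
    if not restr.get("isEnforced"):
        return True  # no restriction enforced: every registered key is accepted
    listed = {g.lower() for g in restr.get("aaGuids", [])}
    mode = str(restr.get("enforcementType", "allow")).lower()
    in_list = aaguid.lower() in listed
    # "allow" = only listed AAGUIDs pass; "block" = listed AAGUIDs are refused
    return in_list if mode == "allow" else not in_list


def blocked_keys(policy: dict, keys: list) -> list:
    """Display names of registered keys the policy would refuse at sign-in."""
    return [k["displayName"] for k in keys if not key_allowed(policy, k["aaGuid"])]


def report() -> list:
    policy, keys = json.loads(POLICY_JSON), json.loads(KEYS_JSON)
    blocked = blocked_keys(policy, keys)
    for name in blocked:
        print(f"{name}: AAGUID not permitted by keyRestrictions (expect 1350161)")
    return blocked


if __name__ == "__main__":
    report()
```

Fix the policy by adding the new key's AAGUID to `aaGuids` (or switching the enforcement mode), then confirm with the user's `fido2Methods` entry that its `aaGuid` now passes.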