Hey everyone! I'm looking for advice on provisioning FIDO2 with a YubiKey through the Microsoft Graph API. We have smartcard authentication set up, but we'd prefer FIDO2 as a secondary login method. Microsoft mentioned an admin GUI for provisioning FIDO2 keys is in the works, but the last update was almost a year ago. I attempted to use the API to streamline the provisioning process instead of doing it manually for each user in the 365 Account Settings, but I'm hitting a snag. When I try to make a GET request to the specified endpoint, I consistently get a "405 Method Not Allowed" response, even though it's documented as a GET method. It's become a frustrating hurdle, and I'd love to hear if anyone else has found a solution or workaround!
3 Answers
Just a quick heads-up from Microsoft: the FIDO2 registration API in Microsoft Entra ID is currently considered a privileged API. Right now, only the Microsoft Authenticator app can use this API directly for user registrations. Unfortunately, this means you can't use the API for provisioning FIDO2 keys in other apps or clients. The documentation might not reflect this yet, so keep that in mind as you plan your next steps.
From what I've seen, Microsoft is really pushing users toward the Microsoft Authenticator and Windows Hello for Business for authentication. There have been a lot of requests for more flexible options in authentication setups, but sadly, not much response from Microsoft on that front. Regarding the 405 error you're getting, are you sure you're providing a valid bearer token?
Have you checked out the DSInternals.Passkeys PowerShell module? It might help you manage FIDO2 passkeys on behalf of your users, which could save you some hassle with manual registrations!
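Since the registration endpoint is locked to the Authenticator app, the part an admin can still automate from Graph is auditing which users already have a FIDO2 key registered, and surfacing the HTTP status so a bad bearer token (401) is not mistaken for a 405. This is an added example, not code from the thread, from Microsoft or from DSInternals; it assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in admin holds UserAuthenticationMethod.Read.All, and uses constructed user names.

```powershell
# Added example (not from the thread): inventory which users already have a
# FIDO2 security key registered, using the read-only Graph endpoint, which is
# not subject to the Authenticator-only restriction on registration.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in
# admin has consented to UserAuthenticationMethod.Read.All.
Import-Module Microsoft.Graph.Authentication

Connect-MgGraph -Scopes 'User.Read.All', 'UserAuthenticationMethod.Read.All'

function Get-Fido2Inventory {
    param(
        # UPNs or object IDs of the users to audit
        [Parameter(Mandatory)] [string[]] $UserIds
    )

    foreach ($user in $UserIds) {
        $uri = "https://graph.microsoft.com/v1.0/users/$user/authentication/fido2Methods"
        try {
            $resp = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
            if (-not $resp.value) {
                # No key registered: this user still needs a manual/Authenticator registration
                [pscustomobject]@{ User = $user; KeyName = '<none>'; Model = $null; Attestation = $null; Registered = $null }
                continue
            }
            foreach ($m in $resp.value) {
                [pscustomobject]@{
                    User        = $user
                    KeyName     = $m.displayName
                    Model       = $m.model
                    Attestation = $m.attestationLevel
                    Registered  = $m.createdDateTime
                }
            }
        }
        catch {
            # Surface the full error so a 401 (bad or expired bearer token) is not
            # confused with a 403 (missing permission) or a 405 (method not allowed).
            Write-Warning "$user : $($_.Exception.Message)"
        }
    }
}

# Constructed sample input; in practice feed it the output of Get-MgUser -All.
Get-Fido2Inventory -UserIds 'alice@contoso.example', 'bob@contoso.example' |
    Format-Table -AutoSize
```

Users reported with `<none>` are the ones for whom no FIDO2 method exists yet, so the list doubles as a to-do list for the manual registrations the thread describes.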