Authentication Method - FIDO2 security key - Restrict specific keys

Defines whether the list of AAGUIDs (authenticator attestation GUIDs) is used to allow or to block registration of FIDO2 security keys.

Name: keyRestrictions.enforcementType
Control: Authentication Method - FIDO2 security key
Description: Define configuration settings and users or groups that are enabled to use FIDO2 security keys
Severity: High

How to fix

Microsoft Learn - Enable passkeys (FIDO2) for your organization: Restrict specific keys

Details of configuration item

Recommendation: Set the value to Allow or Block so that the list of AAGUIDs is used as an allowlist or a blocklist.
Configuration: policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')
Setting: $result.keyRestrictions.aaGuids -notcontains $null -and ($result.keyRestrictions.enforcementType -eq 'allow' -or $result.keyRestrictions.enforcementType -eq 'block')
Recommended Value: 'true'
Default Value: false
Graph API Docs: fido2AuthenticationMethodConfiguration resource type - Microsoft Graph v1.0 - Microsoft Learn
Graph Explorer: Open in Graph Explorer
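The setting expression above is evaluated against the fido2AuthenticationMethodConfiguration object returned by Microsoft Graph. The following Python is an added example, not part of this catalogue or of any Microsoft tooling: it applies the same check to a parsed response body and explains why a tenant fails. The two sample bodies are constructed here (the AAGUID is a placeholder, not a real authenticator's GUID). Beyond the page's expression, the example also treats an empty AAGUID list and keyRestrictions.isEnforced = false as failures, because with either of those the allow/block list has no effect; that stricter reading is this example's assumption.

```python
import json

# Constructed sample shaped like the body of
# GET /v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2
# for a tenant that has not configured key restrictions (the default).
SAMPLE_DEFAULT = json.loads("""
{
  "id": "Fido2",
  "state": "enabled",
  "isSelfServiceRegistrationAllowed": true,
  "isAttestationEnforced": true,
  "keyRestrictions": {
    "isEnforced": false,
    "enforcementType": "block",
    "aaGuids": []
  }
}
""")

# Constructed sample for a tenant that allowlists one authenticator model.
# The AAGUID below is a placeholder value, not a real vendor GUID.
SAMPLE_RESTRICTED = json.loads("""
{
  "id": "Fido2",
  "state": "enabled",
  "isSelfServiceRegistrationAllowed": true,
  "isAttestationEnforced": true,
  "keyRestrictions": {
    "isEnforced": true,
    "enforcementType": "allow",
    "aaGuids": ["11111111-2222-3333-4444-555555555555"]
  }
}
""")


def evaluate_fido2_key_restrictions(config: dict) -> tuple[bool, str]:
    """Return (passed, reason) for the 'Restrict specific keys' check.

    Mirrors the catalogue expression: aaGuids must not contain null and
    enforcementType must be 'allow' or 'block'. Additionally (this
    example's stricter reading) the list must be non-empty and the
    restriction must actually be enforced.
    """
    restrictions = config.get("keyRestrictions") or {}
    aaguids = restrictions.get("aaGuids")
    enforcement = (restrictions.get("enforcementType") or "").lower()

    if aaguids is None:
        return False, "keyRestrictions.aaGuids is missing from the configuration"
    if any(guid is None for guid in aaguids):
        return False, "keyRestrictions.aaGuids contains a null entry"
    if enforcement not in ("allow", "block"):
        return False, f"enforcementType is {enforcement!r}; expected 'allow' or 'block'"
    if not aaguids:
        # An empty allow list blocks every key; an empty block list restricts nothing.
        return False, f"enforcementType is {enforcement!r} but the AAGUID list is empty"
    if not restrictions.get("isEnforced", False):
        return False, "keyRestrictions.isEnforced is false, so the AAGUID list is not applied"
    return True, f"{len(aaguids)} AAGUID(s) {enforcement}listed and enforced"


def check_from_json(body: str) -> bool:
    """Convenience wrapper: evaluate a raw JSON response body."""
    passed, _ = evaluate_fido2_key_restrictions(json.loads(body))
    return passed


if __name__ == "__main__":
    for label, sample in (("default", SAMPLE_DEFAULT), ("restricted", SAMPLE_RESTRICTED)):
        passed, reason = evaluate_fido2_key_restrictions(sample)
        print(f"{label}: {'PASS' if passed else 'FAIL'} - {reason}")
```

To run it against a real tenant, fetch the Fido2 configuration with a Graph client that holds Policy.Read.All and pass the decoded body to evaluate_fido2_key_restrictions; the reason string tells you which field to correct in the Authentication methods policy.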