- Article
Microsoft Entra ID allows FIDO2 security keys to be used as a passwordless device. The availability of FIDO2 authentication for Microsoft accounts was announced in 2018, and it became generally available in March 2021. This topic covers which browsers, native apps, and operating systems support passwordless authentication using FIDO2 security keys with Microsoft Entra ID. Microsoft Entra ID currently supports only hardware FIDO2 keys and doesn't support passkeys for any platform.
Native app support (preview)
Microsoft applications provide native support for FIDO2 authentication in preview for all users who have an authentication broker installed for their operating system. The following tables lists which authentication brokers are supported for different operating systems.
| Operating system | Authentication broker | Supports FIDO2 |
|---|---|---|
| iOS | Microsoft Authenticator | ✅ |
| macOS | Microsoft Intune Company Portal 1 | ✅ |
| Android2 | Authenticator or Company Portal | ❌ |
1On macOS, the Microsoft Enterprise SSO plug-in is required to enable Company Portal as an authentication broker. Devices that run macOS must meet SSO plug-in requirements, including enrollment in mobile device management. For FIDO2 authentication, make sure that you run the latest version of native applications.
2Native app support for FIDO2 on Android is in development.
If a user installed an authentication broker, they can choose to sign in with a security key when they access an application such as Outlook. They're redirected to sign in with FIDO2, and redirected back to Outlook as a signed in user after successful authentication.
If the user hasn't installed an authentication broker, they can still sign in with a security key when they access MSAL-enabled applications that meet the requirements as listed in Support for FIDO2 authentication.
Note
FIDO2 authentication for Microsoft applications without an authentication broker isn’t available yet.
Browser support
This table shows browser support for authenticating Microsoft Entra ID and Microsoft accounts by using FIDO2. Microsoft accounts are created by consumers for services such as Xbox, Skype, or Outlook.com.
| OS | Chrome | Edge | Firefox | Safari |
|---|---|---|---|---|
| Windows | ✅ | ✅ | ✅ | N/A |
| macOS | ✅ | ✅ | ✅ | ✅ |
| ChromeOS | ✅ | N/A | N/A | N/A |
| Linux | ✅ | ❌ | ❌ | N/A |
| iOS | ✅ | ✅ | ✅ | ✅ |
| Android | ❌ | ❌ | ❌ | N/A |
Browser support for each platform
The following tables show which transports are supported for each platform. Supported device types include USB, near-field communication (NFC), and bluetooth low energy (BLE).
Windows
| Browser | USB | NFC | BLE |
|---|---|---|---|
| Edge | ✅ | ✅ | ✅ |
| Chrome | ✅ | ✅ | ✅ |
| Firefox | ✅ | ✅ | ✅ |
macOS
| Browser | USB | NFC1 | BLE1 |
|---|---|---|---|
| Edge | ✅ | N/A | N/A |
| Chrome | ✅ | N/A | N/A |
| Firefox2 | ✅ | N/A | N/A |
| Safari2 | ✅ | N/A | N/A |
1NFC and BLE security keys aren't supported on macOS by Apple.
2New security key registration doesn't work on these macOS browsers because they don't prompt to set up biometrics or PIN.
ChromeOS
| Browser1 | USB | NFC | BLE |
|---|---|---|---|
| Chrome | ✅ | ❌ | ❌ |
1Security key registration isn't supported on ChromeOS or Chrome browser.
Linux
| Browser | USB | NFC | BLE |
|---|---|---|---|
| Edge | ❌ | ❌ | ❌ |
| Chrome | ✅ | ❌ | ❌ |
| Firefox | ❌ | ❌ | ❌ |
iOS
| Browser1 | Lightning | NFC | BLE2 |
|---|---|---|---|
| Edge | ✅ | ✅ | N/A |
| Chrome | ✅ | ✅ | N/A |
| Firefox | ✅ | ✅ | N/A |
| Safari | ✅ | ✅ | N/A |
1New security key registration doesn't work on iOS browsers because they don't prompt to set up biometrics or PIN.
2BLE security keys aren't supported on iOS by Apple.
Android
| Browser1 | USB | NFC | BLE |
|---|---|---|---|
| Edge | ❌ | ❌ | ❌ |
| Chrome | ❌ | ❌ | ❌ |
| Firefox | ❌ | ❌ | ❌ |
1Security key biometrics or PIN for user verification are currently supported on Android by Google. Microsoft Entra ID requires user verification for all FIDO2 authentications.
Minimum browser version
The following are the minimum browser version requirements.
| Browser | Minimum version |
|---|---|
| Chrome | 76 |
| Edge | Windows 10 version 19031 |
| Firefox | 66 |
1All versions of the new Chromium-based Microsoft Edge support FIDO2. Support on Microsoft Edge legacy was added in 1903.
Known issues
Mobile device might be prioritized over security key
If you're using Chrome or Edge, the browser might prioritize usage of a passkey that's stored on a mobile device over a passkey that's stored on a security key.
Beginning with Windows 11 version 23H2, the operating system shows the following prompt during sign-in. Below More choices, choose Security key and click Next.
On earlier versions of Windows, the browser may show the QR pairing screen to continue with using a passkey that's stored on a mobile device. To use a passkey that's stored on a security key instead, insert your security key and touch it to continue.
PowerShell support
Microsoft Graph PowerShell supports FIDO2. Some PowerShell modules that use Internet Explorer instead of Edge aren't capable of performing FIDO2 authentication. For example, PowerShell modules for SharePoint Online or Teams, or any PowerShell scripts that require admin credentials, don't prompt for FIDO2.
As a workaround, most vendors can put certificates on the FIDO2 security keys. Certificate-based authentication (CBA) works in all browsers. If you can enable CBA for those admin accounts, you can require CBA instead of FIDO2 in the interim.
Next steps
Enable passwordless security key sign-in
