
How To Use YubiKeys for Azure CBA and FIDO2 in Entra ID

How to enable passwordless authentication in Azure AD and Entra ID with FIDO2 and Azure CBA using YubiKeys
07 Sep 2023

Getting Started with Passwordless Authentication in Entra ID

If you are reading this article, you have probably been assigned to help your organization go passwordless and have already heard the benefits of using YubiKeys for Azure CBA and Azure AD FIDO2 authentication, so I do not need to repeat the security and user experience arguments. Passwordless is very easy once users are onboarded, but the question remains: how do I get started with YubiKey onboarding for passwordless authentication? This blog walks you through that process.

Do I Need FIDO2 and Azure CBA (Certificate Based Authentication)?

First, if you are looking at passwordless authentication using YubiKeys, you need to understand the difference between FIDO2 and Azure CBA, and whether you need both or one of them is enough.


Is FIDO2 Enough for Azure?

FIDO2 is the one you hear the most about because it is the newest passwordless authentication method; however, being the newest also means it is not yet supported everywhere. For example, iOS applications do not support FIDO2 authentication, and while FIDO2 can be used for on-premises authentication, it is still not as native or reliable as smartcard authentication.

Is Azure CBA Enough for Passwordless Authentication?

Unlike FIDO2, smartcard authentication and Azure CBA are supported everywhere. The reason they are not more popular is that they require a longer setup. With passwordless onboarding tools such as EZCMS and our Azure based Certificate Authority, however, you can have a self-service onboarding solution in less than an hour (my personal record is helping a customer set everything up in less than 17 minutes; if you are up for the challenge, schedule a call with me and let’s see if we can beat that record). Smartcard authentication alone is enough for passwordless authentication in Azure, but if you already have a YubiKey and EZCMS you might as well also enable FIDO2 onboarding, since you already have all the tools needed, giving your users both passwordless authentication methods.



How to Setup Azure CBA in Azure

Below you can see a quick video on how to set up Azure CBA in Azure, but if you prefer written documentation, follow these steps:
1) Create your root Certificate Authority
2) Create your smartcard Certificate Authority
3) Add the Certificates to Azure CBA

Once we have set up Azure CBA, we are ready to issue smartcards and start our passwordless authentication journey.
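The three steps above end with the CA certificates being registered in the tenant. The script below is an added example, not code from the original post or from EZCMS: it performs step 3 through Microsoft Graph with the Microsoft.Graph PowerShell SDK, registering a root CA and the issuing (smartcard) CA, enabling the x509Certificate authentication method, and reading back what the tenant now trusts. The certificate file paths, CRL URLs and the choice to scope the method to all users are assumptions; replace them with the values from your own CA setup.

```powershell
# Added example (not from the original post or EZCMS). Assumes the Microsoft.Graph
# PowerShell SDK is installed and that both CA certificates were exported as
# DER-encoded .cer files at the placeholder paths below.
$RootCerPath    = "C:\pki\root-ca.cer"                       # placeholder path
$IssuingCerPath = "C:\pki\smartcard-ca.cer"                  # placeholder path
$RootCrlUrl     = "https://pki.example.com/root-ca.crl"      # placeholder URL
$IssuingCrlUrl  = "https://pki.example.com/smartcard-ca.crl" # placeholder URL

Connect-MgGraph -Scopes "Organization.ReadWrite.All", "Policy.ReadWrite.AuthenticationMethod"

# Graph expects the certificate as base64 of the raw DER bytes.
function ConvertTo-Base64Cert([string]$Path) {
    [Convert]::ToBase64String([IO.File]::ReadAllBytes($Path))
}

# The CBA configuration hangs off the organization (tenant) object.
$tenantId = (Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/organization").value[0].id

$config = @{
    certificateAuthorities = @(
        @{
            isRootAuthority              = $true
            certificate                  = ConvertTo-Base64Cert $RootCerPath
            certificateRevocationListUrl = $RootCrlUrl
        },
        @{
            # The CA that actually signs user smartcard certificates.
            isRootAuthority              = $false
            certificate                  = ConvertTo-Base64Cert $IssuingCerPath
            # Entra fetches this CRL so revoked smartcard certificates are rejected at sign-in.
            certificateRevocationListUrl = $IssuingCrlUrl
        }
    )
}

# Step 3 of the post: add the certificates to Azure CBA.
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/organization/$tenantId/certificateBasedAuthConfiguration" `
    -Body ($config | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Turn the x509Certificate method on. Scoping to all_users is assumed here; for a pilot,
# target a specific group id instead so only enrolled users see the method.
$cbaPolicy = @{
    "@odata.type"  = "#microsoft.graph.x509CertificateAuthenticationMethodConfiguration"
    state          = "enabled"
    includeTargets = @(@{ targetType = "group"; id = "all_users"; isRegistrationRequired = $false })
}
Invoke-MgGraphRequest -Method PATCH `
    -Uri "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/x509Certificate" `
    -Body ($cbaPolicy | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Read back the trusted CAs; issuer is filled in by the service from the certificate.
$cfg = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/organization/$tenantId/certificateBasedAuthConfiguration"
foreach ($ca in $cfg.value[0].certificateAuthorities) {
    "{0} root={1} crl={2}" -f $ca.issuer, $ca.isRootAuthority, $ca.certificateRevocationListUrl
}
```

Run it once per tenant from an account that holds the two scopes requested in Connect-MgGraph. The read-back at the end is the check worth keeping: if the issuing CA shows up without a CRL URL, revoked smartcards will keep authenticating until you fix the configuration.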

How to Enable FIDO2 in Azure

As mentioned above, since we are already using YubiKeys for Azure CBA, we might as well enable FIDO2. Below is a quick video that guides you through the setup of Azure FIDO2 and how you can self-service create your own FIDO2 token. However, if you do not want your users to know their TAP (Temporary Access Pass) and you want to set a PIN policy, we can enable it in EZCMS so the FIDO2 key is created together with the smartcard certificate.
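Enabling FIDO2 in the tenant and enabling TAP are both authentication method policy changes. The script below is an added example, not code from the original post or from EZCMS: it enables the FIDO2 security key method with attestation enforced and an AAGUID allow-list, then enables Temporary Access Pass with a short, single-use default, which is the credential an onboarding tool signs in with to register a key on the user's behalf. The AAGUID value is a placeholder (look up the real AAGUIDs of the YubiKey models you issue), and the lifetimes and all_users scoping are assumptions.

```powershell
# Added example (not from the original post or EZCMS). Assumes the Microsoft.Graph
# PowerShell SDK is installed.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"
$base = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations"

# Placeholder AAGUID: replace with the AAGUIDs of the YubiKey models you actually issue.
$AllowedAaguids = @("00000000-0000-0000-0000-000000000000")

$fido2 = @{
    "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    state                            = "enabled"
    isAttestationEnforced            = $true   # reject keys that cannot prove their make and model
    isSelfServiceRegistrationEnabled = $true   # users (or the onboarding tool) may register keys
    keyRestrictions = @{
        isEnforced      = $true
        enforcementType = "allow"              # allow-list only the models you issue
        aaGuids         = $AllowedAaguids
    }
    includeTargets = @(@{ targetType = "group"; id = "all_users"; isRegistrationRequired = $false })
}
Invoke-MgGraphRequest -Method PATCH -Uri "$base/fido2" `
    -Body ($fido2 | ConvertTo-Json -Depth 5) -ContentType "application/json"

# TAP is what lets a user (or a tool acting for them) sign in once to register the key.
# Keep it short-lived and single-use so a leaked pass has little value.
$tap = @{
    "@odata.type"            = "#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration"
    state                    = "enabled"
    defaultLength            = 8
    defaultLifetimeInMinutes = 60    # assumed; one hour is enough for an onboarding session
    minimumLifetimeInMinutes = 10
    maximumLifetimeInMinutes = 480
    isUsableOnce             = $true  # single use: the pass dies after the registration sign-in
    includeTargets = @(@{ targetType = "group"; id = "all_users"; isRegistrationRequired = $false })
}
Invoke-MgGraphRequest -Method PATCH -Uri "$base/temporaryAccessPass" `
    -Body ($tap | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Review both policies afterwards; Invoke-MgGraphRequest returns hashtables.
foreach ($method in "fido2", "temporaryAccessPass") {
    $r = Invoke-MgGraphRequest -Method GET -Uri "$base/$method"
    "{0}: state={1}" -f $method, $r.state
}
```

The two settings that matter for a hardware-key rollout are isAttestationEnforced and the AAGUID allow-list: together they ensure that only the key models you purchased and audited can be registered, which is what makes the FIDO2 method as trustworthy as the smartcard certificate issued by your own CA.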

How to Enable Self-Service Onboarding for FIDO2 and Azure CBA

Now that we have enabled Azure CBA (Certificate Based Authentication) and FIDO2 in Azure AD (Entra ID), we need a way for our users to create their own smartcard certificates and FIDO2 keys on their YubiKeys.

1) First, we have to create our EZCMS instance.

2) Once it is created, register your tenant in EZCMS. This is also where you enable FIDO2; for that you will have to set up TAP in your tenant (don’t worry, your users will never see the TAP).

3) Once your tenant is connected, set yourself as an HR administrator and add yourself to the HR database.

4) Now you are ready to go through the same experience your users will have. Request a YubiKey and then use your administrator account to assign the YubiKey to yourself.

5) Once the smartcard is assigned, you can request your certificate and FIDO2 key either by scanning your government ID (premium plan only) or by using an existing AAD identity.

Start YubiKey Rollout Through Your Organization

Now that you have set up the tools, you can start the YubiKey rollout to the rest of your organization. EZCMS can help you with the distribution, but we also understand that you might want to offload the whole logistics to us; if that is the case, schedule a demo and ask us about our managed YubiKey distribution service.
