How To Manage Passkey and Smart Card Settings for Entra ID

The EZCMS settings page is where you manage everything related to your subscription: the types of smart cards and FIDO2 tokens you offer, security settings such as PIN complexity and card assignment requirements, and RBAC for token administrators.

How to Set Instance Administrators

Instance administrators are the equivalent of global administrators of the application. This permission allows the user to manage any setting of EZCMS and to give themselves permission to execute any action in the portal.

This is a highly privileged role and should be limited to a handful of people in the organization. We recommend using something like Microsoft PIM Groups to manage these users.

  1. To manage instance administrators go to your EZCMS instance and click settings.
  2. Add or remove users and groups.
  3. Click “Save Changes”

How To Manage Smart Card and FIDO2 Assignment for Entra ID

EZCMS supports 3 smart card/FIDO2 assignment choices: the smart card is provided by the organization and specifically assigned to a user (recommended); the smart card is registered by the organization but not assigned to the user; or users can buy their own smart card and use it for work (not recommended).

To set the smart card policy for your organization, follow these steps:

  1. Go to your EZCMS instance and click settings.
  2. Select your desired requirements.

    If “smart card must be assigned” is selected, a group of smart card administrators will have to be added. These users will be able to assign smart cards/FIDO2 Keys to users in your organization.

  3. Click “Save Changes”

How To Manage Smart Card/FIDO2 Settings for your Entra ID Tenant

EZCMS allows you to set organization-wide smart card settings, such as the number of smart cards per user. If you are using a YubiKey or a FEITIAN FIDO2 + PIV key, it also allows you to set the touch and PIN policy, PIN retries, PIN requirements, and blacklisted PINs. To set these settings, follow these steps:

  1. Go to your EZCMS instance and click settings.
  2. Select your desired requirements.
  3. If Administrator PUK (PIN Unblocking Retrieval) is enabled, a group of administrators with PUK access must be set. This feature allows administrators to recover the user’s PIN if the user forgets it.
  4. Click “Save Changes”

How To Manage FIDO2 Smart Card Distribution For Entra ID Worldwide Shipping

EZCMS allows you to set organization-wide smart card/FIDO2 key distribution methods. If you would like to have your team ship the cards to your users, EZCMS will give you a portal and ticketing system to ship the keys worldwide. If you would like to have EZCMS ship the cards to your users, we have a key purchase and distribution service that lets you offload hardware key distribution to our logistics experts. To set these settings, follow these steps:

  1. Go to your EZCMS instance and click settings.
  2. Scroll down to the “Distribution Method” section.
  3. Here you will have the option of “Self” or “Keytos managed”.
    • Self: This option will allow your IT desk to add the keys to your inventory and to ship the cards to your users.
    • Keytos managed: (To enable this option you must talk to the Keytos team beforehand.) This option will allow you to have Keytos ship the cards to your users. Keytos manages your inventory, shipping, and the other logistics required to ship the cards worldwide. For our USA-based customers, we also offer smart card printing and personalization services.