How To Preload Smartcards and FIDO2 Keys for Entra CBA

Overview - How To Preload Smartcards and FIDO2 Keys for Entra CBA

For highly regulated industries, the PIV standard requires in person verification to create the smart card, this page explains how a smart card administrator can create smart cards for users. While this is how smartcards have been created in the past, if this is not a regulatory requirement, we recommend using the self-service smart card and FIDO2 creation for a more streamlined process.

Prerequisites to Preload Smartcards and FIDO2 Keys for Entra CBA

  1. Assign User SmartCard

How to Preload a Smartcard for Entra CBA

  1. Open your EZCMS client application.
  2. Login with an account that has the Smart Card creation role for this domain.
  3. Connect the Smart Card you want to preload.
  4. Go to the “Admin Bootstrap Security Tokens” page.
  5. Select the smart card/Yubikey you want to preload. How to preload a yubikey for Entra CBA Phishing resistance Authentication
  6. Since the key is already assigned to a user, EZCMS will give you the available identities for that user. Select the identity you want to preload. How to preload a yubikey for Entra CBA Phishing resistance Authentication
  7. Confirm that you want to factory reset the smart card and create the certificate. How to preload a yubikey for Entra CBA Phishing resistance Authentication
  8. Follow the instructions on the screen to create the smart card (this might require removing the key and touching it multiple times).
  9. Once the user receives the smart card, help them through the unblocking process by retrieving their PUK for them