How to Self-Enroll Yubikeys and FIDO2 Keys for Entra CBA Using Verifiable Credentials

Introduction - How to Self-Enroll Smartcards and FIDO2 Keys for Entra CBA Using Government ID EZCMS

If you are creating your phishing-resistant identity for the first time, or you are locked out of your Entra ID (Microsoft 365) credential, you might be able to onboard your FIDO2 or Entra CBA token using a government ID, depending on your organization's settings. This requires you to have your hardware key or smartcard; if you do not have one, request one.

How To Onboard Phishing Resistant FIDO2 and Entra CBA with Government ID Verification

  1. Open the EZCMS Tool.
  2. Navigate to “Request Identity”.
  3. Select “SSO Login” and click “Next”.
  4. Enter your corporate email and click “Next”.
  5. Scan the QR code with your phone.
  6. Follow the instructions on scanning your face and your Government ID.
  7. Once you finish your ID validation on the phone, click the “Next” button.
  8. Connect the hardware key or smartcard to your computer.
  9. Select the domain and account you want to create an identity for.
  10. Select the hardware key you want to use.
  11. Enter your PIN (if this is the first time, it will ask you to confirm your PIN).
  12. Click “Next”.
  13. Follow the instructions on the screen. If it freezes, it might be waiting for input on your YubiKey: look at the YubiKey to see if it is flashing slowly and, if it is, press the copper part.
  14. Your key is now ready to use!