Close Menu
Peter Klapwijk – In The Cloud 24-7Peter Klapwijk – In The Cloud 24-7
    Facebook X (Twitter) Instagram
    Peter Klapwijk – In The Cloud 24-7Peter Klapwijk – In The Cloud 24-7
    • Home
    • Intune
    • Windows
      • Modern Workplace
    • macOS
    • Android
    • iOS
    • Automation
      • Logic Apps
      • Intune Monitoring
      • GitHub
    • Security
      • Passwordless
      • Security
    • Speaking
    • About me
    Peter Klapwijk – In The Cloud 24-7Peter Klapwijk – In The Cloud 24-7
    Home»macOS»Secure multiple accounts with a FIDO2 security key
    macOS

    Secure multiple accounts with a FIDO2 security key

    Peter KlapwijkBy Peter KlapwijkAugust 25, 2021Updated:August 26, 20215 Mins Read

    Today a short article to make people aware that a FIDO2 security key isn’t tied to one Azure AD/ Office 365 account. We don’t have to purchase a separate key for every Azure tenant we access. Fortunately, we can use a key for multiple accounts!

    Some people might have access to multiple Office 365 accounts. IT staff who work for a service provider might have a long list of admin accounts with passwords to access the client’s tenants. People with a production and dev tenant (like me). To keep everything secure, for every tenant a separate password is used. That’s a hell of a job to keep these passwords separate and to remember. Passwords are often forgotten for tenants which are not accessed regularly.

    When we enable security key sign-in for these tenants (even if we only do that to start with for these IT admin accounts), we can stop using all these user accounts and passwords and go passwordless.

    Then it’s only a matter of inserting the FIDO key and choose the account to sign in to. No need to remember a username and password.

    One caveat:
    If you enroll multiple identities with a FIDO2 token, it will allow you to pick which identity to use when doing web authentication. If you take the same token and use it to log on to a Windows 10 PC, it does not give you an option of which identity to use. It will automatically use the last registered FIDO2 identity on the token.
    Source

    So that was a very short article 🙂

    For the people who aren’t yet familiar with going passwordless with FIDO2 security keys, below is some more information regarding going passwordless. And you’ll find the steps to enable security keys in Azure AD.

    FIDO2

    FIDO stands for Fast Identity Online, an open standard to sign-in safely to SaaS apps and computers. The goal of FIDO is to make the sign-in process more secure and simplified. This is accomplished by sign-in without using a username and password; passwordless.

    How it works in short with an example. FIDO2 makes use of a public/ private key pair for authentication. The public key is provided to the identity provider (in this case Azure AD) and the private key remains on the device (the FIDO2 security key).
    When the user needs to authenticate to Azure AD (AAD) for sign-in to the Windows 10 device or sign-in to Office 365 via a browser, AAD provides the user a challenge. With the challenge, AAD wants to determine if the user is who he claims to be. The challenge is signed with the private key (which is stored on the FIDO2 key) and the result of that signature is send back to AAD. AAD can then verify the signature with your public key and allow logon.

    Prerequisites

    To go passwordless we have some prerequisites:

    • Azure Multi-Factor Authentication
    • Combined security information registration
    • Compatible FIDO2 security key
    • WebAuthn compatible browser like Microsoft Edge

    Which browsers support WebAuthn can be found on the FIDO website.

    Configure Azure for passwordless sign-in

    The user needs to be enabled for multi-factor authentication. In the Azure portal, we also need to enable combined security information registration besides enabling security keys.

    • Sign-in to the Azure AD portal
    • Browse to Azure Active Directory – User settings
    • Click Manage user feature settings
    • Select All to switch on the feature for all users (or Selected for a security group)
    • Click Save
    • Browse to Security – Authentication methods
    • Click on FIDO2 security keys
    • Set Enable to Yes
    • Leave Target set to All or switch to Select users and select a security group
    • Click Save

    That’s all to enable passwordless sign-in for Azure AD accounts.

    End-user experience – configure the key

    Here is an overview of how to set up and register the FIDO key.

    If we have a brand new security key, it first needs to be set up. When using a Windows device, the key can be set up directly from the Settings.

    Insert the key in the device and set up the key, which is pretty straightforward.

    Below is a short video of the key setup in Windows.

    Next, the key needs to be registered in every Azure AD account. For this, sign in to https://aka.ms/mysecurityinfo

    Click Add method to add a new security key.

    Choose Security key from the drop-down list and click Add.

    Choose the type of the security key.

    Follow the other on-screen instructions to set up the key.

    When that’s finished, the key shows up under the sign-in methods.

    And a short video of the registration of the key.

    Repeat these registration steps for all Azure AD accounts.

    End-user experience – using the key

    Next time that we sign in to our AAD account, we just choose Sign-in options on the sign-in page.

    Choose Sign in with Windows Hello or a security key.

    Choose Security key.

    Insert the key (when not already done).

    Touch the key.

    And select the account we want to sign in to.

    And sign-in is completed, without entering a username or password!

    The sign-in experience in a video.

    That’s it for this post.

    If you’re interested in reading more FIDO2 related posts, have a look at the FIDO2 section.

    Azure AD FIDO2 macOS Microsoft 365 Office 365 Passwordless Security Windows
    Share. Facebook Twitter LinkedIn Email WhatsApp
    Peter Klapwijk
    • Website
    • X (Twitter)
    • LinkedIn

    Peter is a Security (Intune) MVP since 2020 and is working as Modern Workplace Engineer at Wortell in The Netherlands. He has more than 15 years of experience in IT, with a strong focus on Microsoft technologies like Microsoft Intune, Windows, and (low-code) automation.

    Related Posts

    Passwordless sign in to Office 365 on macOS

    July 9, 2021

    My first experience with Temporary Access Pass during Windows Autopilot enrollment

    February 26, 2021

    Add Security key option is missing from the Security info page

    November 20, 2020
    Add A Comment
    Leave A Reply Cancel Reply

    Peter Klapwijk

    Hi! Welcome to my blog post.
    I hope you enjoy reading my articles.

    Hit the About Me button to get in contact with me or leave a comment.

    Awards
    Sponsor
    Latest Posts

    Hide the “Turn on an ad privacy feature” pop-up in Chrome with Microsoft Intune

    April 19, 2025

    How to set Google as default search provider with Microsoft Intune

    April 18, 2025

    Using Windows Autopilot device preparation with Windows 365 Frontline shared cloud PCs

    April 13, 2025

    Using Visual Studio with Microsoft Endpoint Privilege Management, some notes

    April 8, 2025
    follow me
    • Twitter 4.8K
    • LinkedIn 6.1K
    • YouTube
    Tags
    Administrative Templates Android Automation Autopilot Azure Azure AD Browser Conditional Access Edge EMS Exchange Online Feitian FIDO2 Flow Google Chrome Graph Graph API Identity Management Intune Intune Monitoring iOS KIOSK Logic Apps macOS MEM MEMMonitoring Microsoft 365 Microsoft Edge Microsoft Endpoint Manager Modern Workplace Office 365 OneDrive for Business Outlook Passwordless PowerApps Power Automate Security SharePoint Online Teams Windows Windows 10 Windows10 Windows 11 Windows Autopilot Windows Update
    Copy right

    This information is provided “AS IS” with no warranties, confers no rights and is not supported by the authors, or In The Cloud 24-7.

     

    Copyright © 2025 by In The Cloud 24-7/ Peter Klapwijk. All rights reserved, No part of the information on this web site may be reproduced or posted in any form or by any means without the prior written permission of the publisher.

    Shorthand; Don’t pass off my work as yours, it’s not nice.

    Recent Comments
    • Peter Klapwijk on Using Windows Autopilot device preparation with Windows 365 Frontline shared cloud PCs
    • John M on Using Windows Autopilot device preparation with Windows 365 Frontline shared cloud PCs
    • Christoffer Jakobsen on Connect to Azure file shares with Microsoft Entra Private Access
    • Ludo on How to block Bluetooth file transfer with Microsoft Intune
    • RCharles on Automatically configure the time zone (during Autopilot enrollment)
    most popular

    Application installation issues; Download pending

    October 1, 2024

    Restrict which users can logon into a Windows 10 device with Microsoft Intune

    April 11, 2020

    How to change the Windows 11 language with Intune

    November 11, 2022

    Update Microsoft Edge during Windows Autopilot enrollments

    July 9, 2024
    Peter Klapwijk – In The Cloud 24-7
    X (Twitter) LinkedIn YouTube RSS
    © 2025 ThemeSphere. Designed by ThemeSphere.

    Type above and press Enter to search. Press Esc to cancel.

    Manage Cookie Consent
    To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
    Functional Always active
    The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
    Preferences
    The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
    Statistics
    The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
    Marketing
    The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
    Manage options Manage services Manage {vendor_count} vendors Read more about these purposes
    View preferences
    {title} {title} {title}