I am looking to use the OnlyKey as a security key in M365/Azure. After allowing the Onlykey to the tenant with the AAGUID 79d699df-0191-410-b903-5467e7ce823 (enabling Enforcing Attestation, key restrictions, and restricting specific keys to a group which includes a test user. I attempt to assign the key to the test user at htts//mysignins.microsoft.com, resulting with a dialog box “We detected that this particular key type has been blocked by your organization”. Am I missing a step here? The manual looks so straightforward.
Microsoft does not support all FIDO2 devices, only the “Microsoft approved” ones. This is the AAGUID for the old FIDO2 non-certified OnlyKey. Can you add the following AAGUID and see if this works - 998f358b-2dd2-4cbe-a43a-e8107438dfb3
Thank you for your input!!! I really appreciate any insight.
Unfortunately the AAGUID you offered still resulted with “We detected that this particular key type has been blocked by your organization. Contact your administrator for more details and try registering a different type of key”.
Am I pushing the envelope of the OnlyKey? Do OnlyKey users tend to use a Yubikey or another MS approved security key for this purpose?
Thank you!
Currently, Microsoft only allows the keys on their list if the the option Enforce attestation is enabled. Disabling this option will allow all FIDO2 security keys including OnlyKey to work properly. Have you tried disabling this option?
Has there been any indication as to why OnlyKey doesn’t go through the Microsoft approval process. It sounds like that process is supposed to be pretty straight forward and I would think that it would benefit their customers more not having the additional security risk that comes from disabling the attestation check.