Use FIDO2 for Admins

Security threads are pushing FIDO2 hardware keys for admin accounts and just‑in‑time access to reduce credential theft and privilege abuse — the suggestion surfaced specifically for admin protection in AI contexts. (x.com)

Microsoft published a public preview of Entra ID FIDO2 provisioning APIs on Aug. 7, 2024 to allow administrators to onboard security keys on users’ behalf instead of relying on individual self-registration. (techcommunity.microsoft.com) Microsoft Entra ID supports creating a custom “Passkeys (FIDO2) only” authentication strength and applying it to Microsoft admin portals via the Authentication methods blade, enabling enforcement of hardware-key‑only sign‑ins for elevated accounts. (plexhosted.com; learn.microsoft.com) Microsoft Entra Privileged Identity Management (PIM) provides just‑in‑time, time‑bounded role activation with configurable activation durations, approval workflows, and MFA requirements to limit how long administrative privileges are active. (learn.microsoft.com)

A recent operational incident reported on Mar. 15, 2026 described an attacker using a compromised admin account to remotely wipe roughly 200,000 devices, illustrating the downstream impact of unprotected privileged credentials. (lumos.com)

Microsoft’s documentation warns that FIDO2 is recommended for elevated privileges but that key loss and account recovery increase support overhead, while large-scale deployments have used centralized SSO and device provisioning to scale adoption. (learn.microsoft.com; cisa.gov) Onboarding and recovery paths for FIDO2 can use Temporary Access Pass (TAP) or the Entra FIDO2 provisioning APIs to issue keys and handle lost-key scenarios during enrollment, a pattern documented by Microsoft and deployment guides. (techcommunity.microsoft.com; agderinthe.cloud)

Security researchers disclosed a downgrade attack in August 2025 that can bypass FIDO protections in some Microsoft Entra flows, and academic analyses have highlighted local‑attack and usability considerations for FIDO2, prompting recommendations to combine FIDO2 enforcement with Conditional Access and hardened recovery procedures. (bleepingcomputer.com; ndss-symposium.org)
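The FIDO2-only strength and its admin-portal enforcement described above, expressed as Microsoft Graph request bodies rather than through the portal blade, as an added example that is not from the briefing or from Microsoft. It assumes the Graph `authenticationStrengthPolicies` and Conditional Access `policies` endpoints, uses the well-known Global Administrator role template id, and treats the access token and break-glass account ids as placeholders; the `policy_issues` check flags the lockout and weak-combination mistakes a reviewer would look for before enabling the policy.

```python
"""Build and sanity-check Graph bodies for a FIDO2-only authentication strength
and a Conditional Access policy applying it to admin roles at admin portals."""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Well-known Global Administrator role template id (same in every tenant).
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"


def fido2_only_strength() -> dict:
    """authenticationStrengthPolicy body allowing only the FIDO2 method."""
    return {
        "displayName": "Passkeys (FIDO2) only",
        "description": "Hardware-key-only sign-in for elevated accounts",
        "allowedCombinations": ["fido2"],
    }


def admin_portal_policy(strength_id: str, breakglass_ids: list[str]) -> dict:
    """CA policy: admin roles -> Microsoft admin portals -> required strength.
    Starts in report-only mode so sign-in logs can be reviewed before enforcing."""
    return {
        "displayName": "Admins: FIDO2 only for Microsoft admin portals",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeRoles": [GLOBAL_ADMIN_ROLE],
                      "excludeUsers": breakglass_ids},  # placeholder ids
            "applications": {"includeApplications": ["MicrosoftAdminPortals"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": [],
                          "authenticationStrength": {"id": strength_id}},
    }


def policy_issues(strength: dict, policy: dict) -> list[str]:
    """Pre-deployment checks on the two bodies; empty list means clean."""
    issues = []
    if any("password" in c for c in strength["allowedCombinations"]):
        issues.append("strength permits a password-based combination")
    if not policy["conditions"]["users"].get("excludeUsers"):
        issues.append("no break-glass account excluded: lockout risk")
    if not policy["grantControls"].get("authenticationStrength", {}).get("id"):
        issues.append("policy does not reference an authentication strength")
    return issues


def post(path: str, body: dict, token: str) -> dict:
    """POST a body to Graph (needs Policy.ReadWrite.ConditionalAccess consent)."""
    req = urllib.request.Request(GRAPH + path, data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Create the strength first with `post("/policies/authenticationStrengthPolicies", ...)`, then pass the returned `id` to `admin_portal_policy` and post that body to `/identity/conditionalAccess/policies`.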


Shared from Scout - Be the smartest in the room.