Entra Integration

Step 1 - Enable FIDO2 in your Entra tenant

  1. Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.

  2. Browse to Entra ID > Authentication methods > Policies.

  3. Under the method Passkey (FIDO2), set the toggle to Enable. Select All users or Add groups to select specific groups. Only security groups are supported.

  4. On the Configure tab:

     - Set Allow self-service set up to Yes. If set to No, users can't register a passkey by using Security info, even if passkeys (FIDO2) are enabled by the Authentication methods policy.

     - Set Enforce attestation to No. Attestation can be enabled for Dapple passkeys, but we recommend contacting Dapple support before enabling it. Entra attestation has certain limitations that need to be properly managed, as they can result in a poor user experience in some environments.

     - Set Enforce Key Restrictions to No. If you require restricting passkeys to a specific passkey provider, please contact Dapple support for the relevant AAGUID for your Dapple version.

For further reference: Enable FIDO2 in your Entra tenant
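
The Step 1 settings can be verified after the fact against the tenant's Passkey (FIDO2) policy as Microsoft Graph returns it (`GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2`). The following is an added example, not Dapple or Microsoft code: it audits an exported policy document offline and reports deviations from Step 1. The sample JSON is constructed, and `DAPPLE_AAGUID` is a placeholder for the value Dapple support supplies.

```python
import json

# Constructed sample: shape of the fido2 authentication method configuration
# as returned by Microsoft Graph. Values are illustrative, not from a real tenant.
SAMPLE_POLICY = json.loads("""
{
  "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
  "id": "Fido2",
  "state": "enabled",
  "isSelfServiceRegistrationAllowed": true,
  "isAttestationEnforced": true,
  "keyRestrictions": {
    "isEnforced": true,
    "enforcementType": "allow",
    "aaGuids": ["11111111-1111-1111-1111-111111111111"]
  },
  "includeTargets": [{"targetType": "group", "id": "all_users"}]
}
""")

# Placeholder only: the real AAGUID comes from Dapple support (see Enforce Key Restrictions).
DAPPLE_AAGUID = "00000000-0000-0000-0000-000000000000"


def audit_fido2_policy(policy, provider_aaguid=DAPPLE_AAGUID):
    """Return a list of deviations from the Step 1 settings (empty list = matches)."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append("Passkey (FIDO2) method is not enabled")
    if not policy.get("includeTargets"):
        findings.append("no users or groups are targeted")
    if not policy.get("isSelfServiceRegistrationAllowed"):
        findings.append("self-service set up is off: users cannot register via Security info")
    if policy.get("isAttestationEnforced"):
        findings.append("attestation is enforced: confirm with Dapple support first")
    kr = policy.get("keyRestrictions") or {}
    if kr.get("isEnforced"):
        # With restrictions on, the provider must be allow-listed and not block-listed.
        listed = provider_aaguid.lower() in [g.lower() for g in kr.get("aaGuids", [])]
        mode = kr.get("enforcementType")
        if (mode == "allow" and not listed) or (mode == "block" and listed):
            findings.append("key restrictions exclude the provider AAGUID")
    return findings


if __name__ == "__main__":
    for finding in audit_fido2_policy(SAMPLE_POLICY):
        print("DEVIATION:", finding)
```

The check covers the Step 1 policy fields only; the passkey profile settings from the public preview are not inspected.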

Step 2 - Enable synced passkey support in Entra

To ensure that Dapple passkeys work properly with Entra on Apple devices, we highly recommend enabling the Entra Public Preview feature for synced passkeys.

  1. Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.

  2. Browse to Entra ID > Security > Authentication methods > Policies.

  3. Select Passkey (FIDO2), and select Opt-in to public preview on the public preview banner to see the passkey profiles (preview). This will create a default passkey profile with your current passkey settings.

  4. To complete opting-in, select the "Edit default passkey profile" button.

  5. In the Target Types dropdown, select the "Synced (preview)" option. We recommend keeping Enforce Attestation and Target specific AAGUIDs disabled during testing and only enabling if they are required in your production environment.

For further reference: Passkey Profiles

Step 3 - Set up a passkey to log into Microsoft Entra

The instructions below are for setting up a passkey using the Dapple Windows client. Entra passkeys can also be created on mobile devices with this process. Note that creating Entra passkeys on iOS will only work if synced passkey support is enabled in Entra.

Demo video of Creating Entra Passkey

  1. Navigate to the Security Info section of your Microsoft account.

  2. Click on the "+" sign to 'Add sign-in method'.

  3. Select 'Security Key'.

  4. Follow the prompts to re-authenticate using your existing login method.

  5. When the Security Key window comes up, select 'USB Device'. Though Dapple Authenticator is a software application, Windows treats it like a permanent USB device.

  6. Follow the prompts to begin passkey creation until you get to 'Choose where to save this passkey', and select 'Security Key' to ensure that your new passkey is saved in Dapple Authenticator.

  7. You will be prompted to 'Touch your security key' at which point you will need to verify your presence using Windows Hello (either via PIN or biometric).

  8. At this point your passkey will be saved and you will be given the option to name the security key. Enter a name such as "Dapple" to remind yourself in the future that this is where the passkey is saved.

Now that this passkey is created on your Windows device, it will also appear on any mobile devices where Dapple Authenticator is already set up, so you will be able to log into your Microsoft account from any of those devices.