How To Get There From Here: Monitor Passkey and Phishing-resistant MFA User Adoption with PowerShell

Introduction

In the first episode of How To Get There From Here 🎙️, we talked with Michael Mardahl about passkeys and phishing-resistant MFA in Microsoft Entra ID. In the previous post, we implemented break glass accounts with passkey (FIDO2) authentication.

This post covers the next practical step: monitoring passkey adoption across your organization.

Microsoft Entra ID provides authentication method reports in the portal, but tracking passkey adoption at scale isn’t straightforward. While you can view individual user registration details, identifying users who haven’t enrolled passkeys requires manual work – exporting data, filtering through lists, and piecing together adoption statistics across your organization.

This post shares a PowerShell script that queries the Microsoft Graph API to check authentication method enrollment at scale. The script can track Microsoft Authenticator, passkey (FIDO2), or both methods across all users or specific groups. It generates adoption statistics and identifies users who haven’t enrolled the required methods.
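As an added example (not the script from the post itself), the following PowerShell shows the core of such a report: it classifies each user's registered methods by their Graph `@odata.type`, computes adoption percentages, and lists the users who still lack the required method. The classification runs on the objects returned by `Get-MgUserAuthenticationMethod` (Graph `GET /users/{id}/authentication/methods`); the user names, object ids and method sets below are constructed sample data so the reporting logic runs offline, and `Get-TenantUserMethods` is the assumed live collector you would swap in for a real tenant.

```powershell
# Graph @odata.type identifiers for the two methods this report tracks.
# Passkeys (roaming FIDO2 keys and device-bound passkeys in Microsoft
# Authenticator) both surface as fido2AuthenticationMethod; Authenticator
# push / number matching surfaces as microsoftAuthenticatorAuthenticationMethod.
$FidoType          = '#microsoft.graph.fido2AuthenticationMethod'
$AuthenticatorType = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'

function Get-MethodSummary {
    # $Methods: the array returned by Get-MgUserAuthenticationMethod for one user.
    # The SDK keeps the type discriminator in AdditionalProperties['@odata.type'].
    param([object[]]$Methods = @())
    $types = @($Methods | ForEach-Object { $_.AdditionalProperties['@odata.type'] })
    [pscustomobject]@{
        HasPasskey       = $types -contains $FidoType
        HasAuthenticator = $types -contains $AuthenticatorType
    }
}

function Get-AdoptionReport {
    # $UserMethods: hashtable of UserPrincipalName -> method array.
    # $Require: which method(s) count as "enrolled".
    param(
        [Parameter(Mandatory)][hashtable]$UserMethods,
        [ValidateSet('Passkey', 'Authenticator', 'Both')][string]$Require = 'Passkey'
    )
    $rows = foreach ($upn in $UserMethods.Keys) {
        $s = Get-MethodSummary -Methods $UserMethods[$upn]
        $compliant = switch ($Require) {
            'Passkey'       { $s.HasPasskey }
            'Authenticator' { $s.HasAuthenticator }
            'Both'          { $s.HasPasskey -and $s.HasAuthenticator }
        }
        [pscustomobject]@{
            UserPrincipalName = $upn
            HasPasskey        = $s.HasPasskey
            HasAuthenticator  = $s.HasAuthenticator
            Compliant         = $compliant
        }
    }
    $total = @($rows).Count
    $ok    = @($rows | Where-Object Compliant).Count
    [pscustomobject]@{
        Requirement = $Require
        Users       = $total
        Enrolled    = $ok
        Percent     = if ($total) { [math]::Round(100 * $ok / $total, 1) } else { 0 }
        Missing     = @($rows | Where-Object { -not $_.Compliant } |
                        Select-Object -ExpandProperty UserPrincipalName)
        Detail      = @($rows)
    }
}

function Get-TenantUserMethods {
    # Live collector (assumed usage; not part of the original post). Requires the
    # Microsoft.Graph modules and a prior
    #   Connect-MgGraph -Scopes 'User.Read.All','GroupMember.Read.All','UserAuthenticationMethod.Read.All'
    # With -GroupId only the (transitive) user members of that group are collected.
    param([string]$GroupId)
    $users = if ($GroupId) {
        Get-MgGroupTransitiveMember -GroupId $GroupId -All |
            Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
            ForEach-Object { Get-MgUser -UserId $_.Id -Property Id, UserPrincipalName }
    } else {
        Get-MgUser -All -Property Id, UserPrincipalName
    }
    $map = @{}
    foreach ($u in $users) {
        $map[$u.UserPrincipalName] = @(Get-MgUserAuthenticationMethod -UserId $u.Id)
    }
    $map
}

# Constructed sample data shaped like SDK output, so the report runs offline.
function New-SampleMethod([string]$ODataType) {
    [pscustomobject]@{ AdditionalProperties = @{ '@odata.type' = $ODataType } }
}
$PasswordType = '#microsoft.graph.passwordAuthenticationMethod'
$SampleUserMethods = @{
    'alice@contoso.example' = @((New-SampleMethod $FidoType), (New-SampleMethod $PasswordType))
    'bob@contoso.example'   = @((New-SampleMethod $AuthenticatorType), (New-SampleMethod $PasswordType))
    'carol@contoso.example' = @((New-SampleMethod $FidoType), (New-SampleMethod $AuthenticatorType))
    'dave@contoso.example'  = @((New-SampleMethod $PasswordType))
}

$report = Get-AdoptionReport -UserMethods $SampleUserMethods -Require Passkey
$report | Select-Object Requirement, Users, Enrolled, Percent, Missing | Format-List
$report.Detail | Format-Table -AutoSize

# Against a real tenant, replace the sample hashtable:
#   $report = Get-AdoptionReport -UserMethods (Get-TenantUserMethods) -Require Both
#   $report = Get-AdoptionReport -UserMethods (Get-TenantUserMethods -GroupId $pilotGroupId)
```

Two caveats worth keeping in mind when you adapt this: `Get-MgUserAuthenticationMethod` is one Graph call per user, so on a large tenant expect throttling and consider batching; and a `fido2AuthenticationMethod` entry tells you a passkey is registered, not that the user is actually signing in with it, so pair the enrollment report with sign-in log data if you want to measure real usage.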

Yet again, we’ll show you How To Get There From Here. 🔒


How To Get There From Here: Break Glass Account With Phishing-resistant MFA in Entra ID

Introduction

In the first episode of How To Get There From Here 🎙️, we talked with Michael Mardahl about passkeys in Microsoft Entra ID – what they are, how they work, and how to get started with phishing-resistant and passwordless authentication.

As Conditional Access policies become more complex and phishing-resistant authentication becomes a requirement, break glass accounts need to be configured correctly. An improperly configured emergency access account won’t help during an actual lockout scenario.

This post documents how to set up a break glass account with passkey (FIDO2) authentication from scratch. Microsoft recommends phishing-resistant MFA for emergency access accounts, and we’ll walk through the complete implementation in our own tenant.

Each step is covered, including TAP configuration, passkey registration, SSPR handling, and Conditional Access exclusions. The process follows Microsoft’s official guidance while showing the practical details you’ll encounter when building this yourself.
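Two of those steps lend themselves to a scripted check. The following PowerShell is an added example, not the walkthrough's own code: one function audits whether an emergency access account is excluded (directly or via a group) from every enabled or report-only Conditional Access policy, and one issues a single-use Temporary Access Pass to bootstrap passkey registration. The audit works on policy objects as returned by `Get-MgIdentityConditionalAccessPolicy`; the policy names, object ids and the `Find-PoliciesMissingExclusion` / `New-BreakGlassTap` function names are constructed for this example, and the sample policies let the audit run offline.

```powershell
function Find-PoliciesMissingExclusion {
    # Returns every policy that is not disabled and whose user scope excludes
    # neither the account itself nor any of the supplied group ids.
    # Report-only policies are included on purpose: they will lock the account
    # out the day someone flips them to enabled.
    param(
        [Parameter(Mandatory)][object[]]$Policies,
        [Parameter(Mandatory)][string]$UserId,
        [string[]]$GroupIds = @()
    )
    foreach ($p in $Policies) {
        if ($p.State -eq 'disabled') { continue }
        $exUsers  = @($p.Conditions.Users.ExcludeUsers)
        $exGroups = @($p.Conditions.Users.ExcludeGroups)
        $byUser   = $exUsers -contains $UserId
        $byGroup  = @($GroupIds | Where-Object { $exGroups -contains $_ }).Count -gt 0
        if (-not ($byUser -or $byGroup)) { $p }
    }
}

function New-BreakGlassTap {
    # Live call (assumed usage): issue a one-time TAP so the passkey can be
    # registered without the account ever having a usable password.
    # Requires Connect-MgGraph with UserAuthenticationMethod.ReadWrite.All and
    # TAP enabled for the account in the tenant's authentication methods policy.
    param([Parameter(Mandatory)][string]$UserId, [int]$LifetimeMinutes = 60)
    $tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserId -BodyParameter @{
        lifetimeInMinutes = $LifetimeMinutes
        isUsableOnce      = $true
    }
    $tap.TemporaryAccessPass   # hand over out of band; never write it to a log
}

# Constructed sample policies shaped like Get-MgIdentityConditionalAccessPolicy output.
function New-SamplePolicy {
    param([string]$Name, [string]$State, [string[]]$ExcludeUsers = @(), [string[]]$ExcludeGroups = @())
    [pscustomobject]@{
        DisplayName = $Name
        State       = $State
        Conditions  = [pscustomobject]@{
            Users = [pscustomobject]@{ ExcludeUsers = $ExcludeUsers; ExcludeGroups = $ExcludeGroups }
        }
    }
}
$BreakGlassId    = '00000000-0000-0000-0000-000000000001'   # constructed user object id
$BreakGlassGroup = '00000000-0000-0000-0000-0000000000aa'   # constructed group object id
$SamplePolicies = @(
    (New-SamplePolicy 'Require phishing-resistant MFA for admins' 'enabled' -ExcludeGroups $BreakGlassGroup),
    (New-SamplePolicy 'Block legacy authentication' 'enabled' -ExcludeUsers $BreakGlassId),
    (New-SamplePolicy 'Require compliant device' 'enabledForReportingButNotEnforced'),
    (New-SamplePolicy 'Old pilot policy' 'disabled')
)

# Only 'Require compliant device' should be reported: it neither excludes the
# account nor its group, and report-only still counts.
Find-PoliciesMissingExclusion -Policies $SamplePolicies -UserId $BreakGlassId -GroupIds $BreakGlassGroup |
    Select-Object DisplayName, State

# Against a real tenant (assumed usage):
#   Connect-MgGraph -Scopes 'Policy.Read.All','User.Read.All','UserAuthenticationMethod.ReadWrite.All'
#   $bga  = Get-MgUser -UserId 'bga@contoso.example' -Property Id
#   $live = Get-MgIdentityConditionalAccessPolicy -All
#   Find-PoliciesMissingExclusion -Policies $live -UserId $bga.Id -GroupIds $BreakGlassGroup
#   New-BreakGlassTap -UserId $bga.Id -LifetimeMinutes 30
```

Run the audit again after every Conditional Access change; an exclusion that was correct at setup time is the easiest thing to lose when a policy is cloned or rebuilt.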

This walkthrough is a collaboration between Martin Bengtsson and Christian Frohn, documenting the implementation in our tenant.

So when your Conditional Access policies say “you can’t get there from here,” we’ll show you How To Get There From Here. 🔒
