Provisioning Passkeys on Behalf of Users - Technical Guide

Introduction

This technical guide provides detailed information on using the Crayonic Credential Manager to provision passkeys on behalf of users in any Entra ID tenant. This capability allows administrators to streamline the deployment of passwordless authentication by creating passkeys for users without requiring their direct involvement.

Key Benefits

Simplified Deployment: Provision passkeys for multiple users from a central location
Reduced User Training: Minimize the need for user training on passkey creation
Consistent Configuration: Ensure passkeys are created with the correct settings
Flexible Deployment: Works with any Entra ID tenant, not just Crayonic's tenant

Prerequisites

Technical Requirements

Windows 10 (1903 or later) or Windows 11
.NET Framework 4.8 or later
Crayonic Credential Manager application installed
Internet connection for Entra ID authentication
FIDO2-compatible security key(s)

Administrative Requirements

Entra ID tenant
Account with one of the following roles:
Global Administrator
Authentication Administrator
Privileged Authentication Administrator
Appropriate Microsoft Graph API permissions:
User.Read
User.ReadBasic.All
UserAuthenticationMethod.ReadWrite.All

Security Key Requirements

FIDO2-compatible security key
Support for resident keys (client-side discoverable credentials)
Support for user verification (if required by your security policies)

Understanding the Provisioning Process

How Passkey Provisioning Works

When provisioning passkeys on behalf of users, it's important to understand the underlying process:

Authentication: The administrator authenticates to Entra ID with appropriate permissions
User Selection: The administrator selects the user to provision a passkey for
Passkey Creation: The application initiates the passkey creation process
Security Key Interaction: The security key generates a new credential
Registration: The credential is registered in Entra ID for the selected user
Verification: The application verifies the passkey was successfully created

Technical Flow

The technical flow involves several API calls:

Microsoft Graph API to find and select users
Microsoft Graph API to initiate passkey registration
Windows WebAuthn API for local security key interaction
Microsoft Graph API to complete the registration process

Relying Party Considerations

Passkeys are bound to specific Relying Parties (RPs). For Entra ID applications:

Use login.microsoft.com as the RP ID for web applications
This ensures the passkey will work with Microsoft 365, Azure Portal, and other Entra ID-integrated web applications

Tenant Configuration

Working with Any Tenant

The Crayonic Credential Manager is designed to work with any Entra ID tenant:

The tenant ID is automatically detected during authentication
All passkey operations are performed in the context of the authenticated tenant
You can switch between tenants by authenticating with different accounts

Multi-Tenant Considerations

If you manage multiple tenants:

Ensure you're authenticated to the correct tenant before provisioning passkeys
Consider using different security keys for different tenants to avoid confusion
Document which passkeys are provisioned in which tenant

Authentication and Permissions

Required Permissions

To provision passkeys on behalf of users, you need:

Entra ID Role: One of the following:
Global Administrator
Authentication Administrator
Privileged Authentication Administrator
Microsoft Graph API Permissions:
User.Read
User.ReadBasic.All
UserAuthenticationMethod.ReadWrite.All

Authentication Methods

The application supports two authentication methods:

Interactive Authentication:
Click "Authenticate with Passkey"
Complete the Microsoft authentication flow
Suitable for ad-hoc provisioning
Non-Interactive Authentication:
Configure environment variables with tenant ID, client ID, and client secret
Application authenticates automatically on startup
Suitable for automated provisioning scenarios

Setting Up Non-Interactive Authentication

For automated scenarios, set the following environment variables:

$env:ENTRA_TENANT_ID = "your-tenant-id"
$env:ENTRA_CLIENT_ID = "your-client-id"
$env:ENTRA_CLIENT_SECRET = "your-client-secret"

You'll need to register an application in Entra ID and grant it the appropriate permissions.

Step-by-Step Provisioning Guide

Preparing for Provisioning

Gather User Information:
User Principal Names (UPNs) of users who need passkeys
Ensure users exist in your Entra ID tenant
Prepare Security Keys:
Ensure security keys are reset or in a state ready for new registrations
Have multiple security keys available if provisioning for multiple users
Launch the Application:
Start Crayonic Credential Manager
Authenticate with an account that has appropriate permissions

Provisioning a Single Passkey

Authenticate to Entra ID:
Click "Authenticate with Passkey"
Complete the authentication process
Verify successful authentication in the status area
Find the User:
Enter the user's UPN in the search field
Click "Search"
Select the user from the dropdown if multiple users are found
Create the Passkey:
Ensure the security key is connected to your computer
Select "login.microsoft.com" as the Relying Party
Click "Create Passkey"
Follow the prompts to interact with the security key
Wait for confirmation of successful registration
Verify the Passkey:
The new passkey should appear in the list of passkeys for the user
Note the credential ID for your records

Handling the Security Key

When interacting with the security key during provisioning:

Connect the security key to your computer
When prompted, touch the security key's sensor
If the security key has a PIN, you may need to enter it
Keep the security key connected until the process completes
Once complete, the security key can be safely removed

Bulk Provisioning

Preparing for Bulk Provisioning

For provisioning passkeys for multiple users:

Create a list of users (UPNs) who need passkeys
Ensure you have enough security keys available
Consider using a tracking system to manage which security key is assigned to which user

Bulk Provisioning Process

Follow the single provisioning steps for each user
Use a consistent naming convention for passkeys to simplify management
Document each provisioning action for audit purposes

Automation Considerations

For larger deployments, consider:

Using the non-interactive authentication method
Creating a PowerShell script to automate the process
Implementing a database to track passkey assignments

Troubleshooting

Common Issues and Solutions

Authentication Issues

Issue: "Insufficient permissions" error during authentication

Solution: Ensure your account has the necessary Entra ID roles and API permissions. Check that the application registration has the required permissions granted and consented.

User Search Issues

Issue: Cannot find user in directory

Solution: Verify the UPN is correct and the user exists in the current tenant. Check that your account has permissions to view user information.

Passkey Creation Issues

Issue: "The operation was canceled by the user" when creating a passkey

Solution: Ensure the security key is properly connected and responsive. Try disconnecting and reconnecting the key, or try a different USB port.

Issue: "We couldn't sign you in" error during passkey creation

Solution: This typically occurs due to a Relying Party (RP) mismatch. Ensure you're using "login.microsoft.com" as the RP for Entra ID applications.

Diagnostic Information

For troubleshooting, check the following log files:

Fido2UI_log.txt: General application logs
EntraIdAuth_log.txt: Authentication-related logs
PasskeyAuth_log.txt: Passkey operation logs

These files are located in the application's installation directory.

Best Practices

Security Considerations

Physical Security:
Maintain physical control of security keys during provisioning
Implement a secure handover process for giving keys to users
Documentation:
Document all provisioning actions for audit purposes
Record which security key is assigned to which user
User Education:
Provide users with information about their new passkey
Explain how to use the passkey for authentication

Operational Considerations

Testing:
Test the provisioning process in a non-production environment first
Verify passkeys work as expected before large-scale deployment
Backup and Recovery:
Consider provisioning multiple passkeys for critical users
Document recovery procedures for lost or damaged security keys
Monitoring:
Regularly audit passkey assignments
Monitor for unused or potentially compromised passkeys

Technical Reference

API Endpoints

The application uses the following Microsoft Graph API endpoints:

GET /users: To search for users
GET /users/{id}/authentication/fido2Methods: To list existing passkeys
POST /users/{id}/authentication/fido2Methods: To initiate passkey creation
DELETE /users/{id}/authentication/fido2Methods/{id}: To remove passkeys

WebAuthn Parameters

When creating passkeys, the following WebAuthn parameters are used:

Relying Party ID: "login.microsoft.com" for Entra ID applications
User Verification: Required (enforces PIN or biometric verification)
Attestation: None (attestation information is not collected)
Resident Key: Required (creates client-side discoverable credentials)

Error Codes

Common error codes and their meanings:

authentication_canceled: User canceled the operation
broker_account_not_found: Account selection issue
broker_error: Windows Authentication Manager (WAM) broker error
insufficient_permissions: Account lacks necessary permissions