
Crayonic Credential Manager User Manual

Table of Contents

  1. Introduction
  2. Installation
  3. Getting Started
  4. Authentication with Entra ID
  5. Managing Tenant Configurations
  6. Tenant Configuration Wizard
  7. Managing Multiple Tenants
  8. Switching Between Tenants
  9. Managing Passkeys
  10. Viewing Existing Passkeys
  11. Creating Passkeys
  12. Removing Passkeys
  13. Provisioning Passkeys on Behalf of Users
  14. Troubleshooting
  15. Advanced Configuration
  16. Frequently Asked Questions
  17. Technical Reference

Introduction

Crayonic Credential Manager is a powerful tool designed to help administrators manage passkeys for Entra ID (formerly Azure AD) users. With this application, you can:

  • View existing passkeys for users
  • Create new passkeys on behalf of users
  • Remove passkeys that are no longer needed
  • Manage passkeys across different Entra ID tenants

This tool is particularly useful for organizations that want to streamline their passwordless authentication deployment by allowing administrators to provision passkeys for users without requiring user intervention.

Installation

System Requirements

  • Windows 10 (1903 or later) or Windows 11
  • .NET Framework 4.8 or later
  • Administrator privileges (for installation)
  • Internet connection for Entra ID authentication
  • Security key (FIDO2 compatible) for passkey operations

Installation Steps

  1. Download the latest MSI installer from the official distribution channel
  2. Run the installer and follow the on-screen instructions
  3. The application will be installed to C:\Program Files\Crayonic Credential Manager by default
  4. Shortcuts will be created in the Start Menu and on the Desktop

Silent Installation

For automated deployment, you can use the following command to install silently:

msiexec /i CrayonicCredentialManager-1.0.0.msi /quiet

Getting Started

Launching the Application

You can launch the application in two modes:

  1. Standard Mode: Double-click the "Crayonic Credential Manager" shortcut
     • This mode provides a simplified interface focused on passkey management
     • Suitable for most administrative tasks

  2. Admin Mode: Use the "Crayonic Credential Manager (Admin)" shortcut or run with the -Admin parameter
     • This mode provides access to additional configuration options
     • Useful for advanced settings and troubleshooting

User Interface Overview

The application has a simple, intuitive interface with the following main areas:

  • Authentication Panel: Connect to Entra ID and manage authentication settings
  • User Search: Find users in your Entra ID tenant
  • Passkey Management: View, create, and remove passkeys for selected users
  • Status Area: View operation status and error messages

Authentication with Entra ID

Prerequisites

Before you can manage passkeys, you need:

  1. An Entra ID tenant
  2. An account with appropriate permissions:
     • Global Administrator, or
     • Authentication Administrator, or
     • Privileged Authentication Administrator

Authentication Methods

The application supports two authentication methods:

  1. Technical User Authentication:
     • Uses environment variables for non-interactive authentication
     • Suitable for automated scenarios
     • Requires setting up environment variables (see Advanced Configuration)

  2. Passkey Authentication:
     • Interactive authentication using passkeys
     • Requires a user with appropriate permissions
     • Provides a seamless authentication experience

Authenticating with Passkey

  1. Click the "Authenticate with Passkey" button
  2. The Microsoft authentication dialog will appear
  3. Follow the prompts to authenticate with your passkey
  4. Once authenticated, you'll see a success message and your access token information

Tenant Configuration

The application works with any Entra ID tenant, not just Crayonic's tenant:

  1. Your tenant ID is automatically detected during authentication
  2. You can view the current tenant ID in the authentication panel
  3. You can manage multiple tenant configurations in the Tenant Management tab

Managing Tenant Configurations

The Tenant Management feature allows you to configure and manage multiple Entra ID tenants within the application. This is particularly useful for:

  • Administrators who manage multiple tenants
  • Organizations with development, testing, and production environments
  • Consultants who work with multiple client tenants

Tenant Configuration Wizard

The easiest way to set up a new tenant configuration is to use the Tenant Configuration Wizard:

  1. Navigate to the "Tenant Management" tab in Admin mode
  2. Click "Launch Configuration Wizard"
  3. Follow the step-by-step instructions:
     • Step 1: Welcome screen with overview
     • Step 2: Enter tenant information (name and tenant ID)
     • Step 3: Enter authentication details (client ID and secret)
     • Step 4: Test the connection to verify settings
     • Step 5: Review and complete the configuration

The wizard will guide you through the process and ensure that your tenant configuration is properly set up.

Managing Multiple Tenants

The Tenant Management tab provides a comprehensive interface for managing your tenant configurations:

  • View Configurations: See all your configured tenants in a list
  • Add Configuration: Manually add a new tenant configuration
  • Edit Configuration: Modify an existing tenant configuration
  • Delete Configuration: Remove a tenant configuration you no longer need
  • Set Default: Designate a tenant as the default for automatic activation on startup

Each tenant configuration includes:

  • Name: A friendly name for the tenant
  • Tenant ID: The Entra ID tenant ID or name (e.g., contoso.onmicrosoft.com)
  • Client ID: The application (client) ID for authentication
  • Client Secret: The client secret for authentication
  • Default Status: Whether this is the default tenant

Switching Between Tenants

You can easily switch between configured tenants:

  1. Navigate to the "Tenant Management" tab
  2. Select the tenant you want to activate from the list
  3. Click "Activate Selected Tenant"
  4. The application will switch to the selected tenant and authenticate automatically

You can also specify a tenant to activate when launching the application:

Fido2UI.exe -Tenant "Contoso Tenant"

This will automatically activate the specified tenant configuration on startup.

Managing Passkeys

Viewing Existing Passkeys

To view existing passkeys for a user:

  1. Ensure you're authenticated with Entra ID
  2. In the User Search field, enter the user's UPN (e.g., user@domain.com)
  3. Click "Search" to find the user
  4. Select the user from the dropdown if multiple users are found
  5. The user's existing passkeys will be displayed in the passkey list
  6. You can see details such as:
     • Credential ID
     • Creation date
     • Last used date
     • Manufacturer information (if available)

Creating Passkeys

To create a new passkey for a user:

  1. Search for and select the user as described above
  2. Ensure a security key is connected to your computer
  3. Select "login.microsoft.com" as the Relying Party
  4. Click "Create Passkey"
  5. Follow the prompts to register the security key
  6. The new passkey will appear in the passkey list

Important: The passkey is created for the selected Relying Party (RP). For Entra ID applications, use "login.microsoft.com" as the RP.

Removing Passkeys

To remove a passkey:

  1. Search for and select the user
  2. Select the passkey you want to remove from the list
  3. Click "Remove Passkey"
  4. Confirm the removal when prompted
  5. The passkey will be removed from the user's account

Note: Removing a passkey is permanent and cannot be undone. The user will no longer be able to authenticate using that passkey.

Provisioning Passkeys on Behalf of Users

One of the key features of Crayonic Credential Manager is the ability to provision passkeys on behalf of users. This is particularly useful for:

  • Initial deployment of passwordless authentication
  • Replacing lost or damaged security keys
  • Onboarding new employees

Prerequisites for Provisioning

  1. Administrator account with appropriate permissions
  2. Physical access to the security key
  3. User account details (UPN)

Provisioning Process

  1. Authenticate with an administrator account
  2. Search for the user you want to provision a passkey for
  3. Connect the security key to your computer
  4. Select "login.microsoft.com" as the Relying Party
  5. Click "Create Passkey"
  6. Follow the prompts to register the security key
  7. The passkey is now provisioned and ready for the user

Best Practices for Provisioning

  • Document the provisioning process for audit purposes
  • Inform users when you provision passkeys on their behalf
  • Consider implementing a formal handover process for security keys
  • Regularly audit passkey assignments to ensure compliance with security policies

Troubleshooting

Common Issues and Solutions

Authentication Failures

Issue: "We couldn't sign you in" error during authentication

Solution: This typically occurs due to a Relying Party (RP) mismatch. Passkeys are bound to specific RPs - a passkey created for Windows login may not work for web applications. Ensure you're using the correct passkey for the authentication context.

Passkey Creation Failures

Issue: "The operation was canceled by the user" when creating a passkey

Solution: Ensure the security key is properly connected and responsive. Try disconnecting and reconnecting the key, or try a different USB port.

Issue: "Access denied" when creating a passkey

Solution: Verify that your account has the necessary permissions in Entra ID. You need Global Administrator, Authentication Administrator, or Privileged Authentication Administrator role.

User Search Issues

Issue: Cannot find a user in the directory

Solution: Ensure you're using the correct UPN format (user@domain.com). Check that the user exists in the current tenant and that your account has permissions to view user information.

Logging and Diagnostics

The application creates log files that can help diagnose issues:

  • Location: Log files are stored in the application directory
  • Files:
    ◦ Fido2UI_log.txt: General application logs
    ◦ EntraIdAuth_log.txt: Authentication-related logs
    ◦ PasskeyAuth_log.txt: Passkey operation logs

To enable verbose logging, launch the application in Admin mode and use the logging configuration options.

Advanced Configuration

Environment Variables

For automated or non-interactive authentication, you can set the following environment variables:

  • ENTRA_TENANT_ID: Your Entra ID tenant ID
  • ENTRA_CLIENT_ID: Application (client) ID for authentication
  • ENTRA_CLIENT_SECRET: Client secret for authentication

Example PowerShell script to set these variables:

$env:ENTRA_TENANT_ID = "43256d89-cff8-4cf9-ac27-cde3dd02e6d4"
$env:ENTRA_CLIENT_ID = "16189696-d030-4add-a9c0-f9f7446abb8a"
$env:ENTRA_CLIENT_SECRET = "your-client-secret"

Command-Line Parameters

The application supports the following command-line parameters:

  • -Admin: Launch in Admin mode with additional configuration options
  • -Tenant <tenant-name>: Specify the tenant configuration to activate by name
  • -LogLevel <level>: Set the logging level (Debug, Info, Warning, Error)

Examples:

# Launch in Admin mode with debug logging
Fido2UI.exe -Admin -LogLevel Debug

# Launch with a specific tenant configuration
Fido2UI.exe -Tenant "Contoso Tenant"

# Combine parameters
Fido2UI.exe -Admin -Tenant "Development Tenant" -LogLevel Info
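The following PowerShell launcher is an added example, not part of the manual or of Crayonic's own tooling: it combines the environment variables from the previous section with the -Tenant and -LogLevel parameters, but reads ENTRA_CLIENT_SECRET from a SecretManagement vault instead of hard-coding it. It assumes the Microsoft.PowerShell.SecretManagement module, a registered vault holding a secret named "CrayonicClientSecret", and the default installation path; the tenant and client IDs are placeholders.

```powershell
# Added example (not from the Crayonic manual): launch Fido2UI.exe non-interactively
# with the technical-user credentials, keeping the client secret out of the script.
# Assumes Microsoft.PowerShell.SecretManagement and a vault secret "CrayonicClientSecret".
param(
    [string]$TenantId   = "00000000-0000-0000-0000-000000000000",  # placeholder
    [string]$ClientId   = "00000000-0000-0000-0000-000000000000",  # placeholder
    [string]$TenantName = "Contoso Tenant",
    [string]$SecretName = "CrayonicClientSecret",
    [string]$ExePath    = "C:\Program Files\Crayonic Credential Manager\Fido2UI.exe"
)

# Pull the client secret from the vault; -AsPlainText is required because the
# application reads it from a plain environment variable.
$secret = Get-Secret -Name $SecretName -AsPlainText
if (-not $secret) { throw "Secret '$SecretName' not found in the vault." }

# Process-scoped variables only: the child process inherits them and they vanish
# when this PowerShell session ends, so nothing is written to the registry or profile.
$env:ENTRA_TENANT_ID     = $TenantId
$env:ENTRA_CLIENT_ID     = $ClientId
$env:ENTRA_CLIENT_SECRET = $secret

try {
    # -Tenant and -LogLevel are the parameters documented above; the tenant name
    # is quoted because it contains a space.
    $proc = Start-Process -FilePath $ExePath `
        -ArgumentList @('-Tenant', "`"$TenantName`"", '-LogLevel', 'Info') `
        -PassThru -Wait
    if ($proc.ExitCode -ne 0) {
        Write-Warning "Fido2UI.exe exited with code $($proc.ExitCode); check Fido2UI_log.txt."
    }
}
finally {
    # Drop the secret from this session as soon as the application has finished.
    Remove-Item Env:ENTRA_CLIENT_SECRET -ErrorAction SilentlyContinue
    $secret = $null
}
```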

Configuration File

Advanced settings can be configured in the Fido2UI.exe.config file:

  • Location: In the application installation directory
  • Format: XML configuration file
  • Settings: Various application settings, logging configuration, etc.

Frequently Asked Questions

General Questions

Q: Can I use this tool with any Entra ID tenant?

A: Yes, the application works with any Entra ID tenant. You can configure multiple tenants in the Tenant Management tab and easily switch between them.

Q: How do I manage multiple tenants?

A: The application includes a Tenant Management feature that allows you to configure, save, and switch between multiple tenant configurations. You can access this feature in the Tenant Management tab when running in Admin mode.

Q: Does this tool work with security keys from any manufacturer?

A: Yes, the application works with any FIDO2-compatible security key, including those from Yubico, Feitian, Thetis, and others.

Q: Can I create passkeys for both Windows login and web applications?

A: Yes, but you need to select the appropriate Relying Party (RP) when creating the passkey. For Entra ID web applications, use "login.microsoft.com" as the RP.

Technical Questions

Q: What API does the application use to manage passkeys?

A: The application uses the Microsoft Graph API to manage passkeys in Entra ID, and the Windows WebAuthn API for local passkey operations.

Q: Can I automate passkey provisioning?

A: Yes, you can use the environment variables for non-interactive authentication and potentially script the application using PowerShell.

Q: Does the application support multi-factor authentication?

A: Yes, the application respects the MFA requirements configured in your Entra ID tenant.

Technical Reference

API Endpoints

The application uses the following Microsoft Graph API endpoints:

  • /users: To search for users
  • /users/{id}/authentication/fido2Methods: To manage FIDO2 security keys (passkeys)
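As an added example (not part of the manual or of the application), the script below uses the fido2Methods endpoint listed above to build the passkey inventory that the "Best Practices for Provisioning" section recommends auditing regularly. It assumes the Microsoft.Graph PowerShell SDK is installed; the user principal names are constructed sample input.

```powershell
# Added example (not from the Crayonic manual): inventory the FIDO2 passkeys registered
# for a set of users via the same Graph endpoint the application uses.
# Assumes the Microsoft.Graph PowerShell SDK; the UPNs below are constructed.
Import-Module Microsoft.Graph.Authentication

function Get-PasskeyInventory {
    param([string[]]$UserPrincipalNames)

    foreach ($upn in $UserPrincipalNames) {
        $uri = "https://graph.microsoft.com/v1.0/users/$upn/authentication/fido2Methods"
        try {
            $resp = Invoke-MgGraphRequest -Method GET -Uri $uri
        }
        catch {
            # A missing user or insufficient rights surfaces here; report and carry on.
            Write-Warning "Could not read fido2Methods for ${upn}: $($_.Exception.Message)"
            continue
        }
        foreach ($m in $resp.value) {
            [pscustomobject]@{
                User         = $upn
                CredentialId = $m.id
                DisplayName  = $m.displayName
                Model        = $m.model          # manufacturer/model from attestation
                AaGuid       = $m.aaGuid         # authenticator model identifier
                Created      = $m.createdDateTime
            }
        }
    }
}

# A read-only scope is enough for an inventory; the application itself needs
# UserAuthenticationMethod.ReadWrite.All because it also creates and removes keys.
Connect-MgGraph -Scopes "UserAuthenticationMethod.Read.All"

# Constructed sample input; replace with the UPNs you want to audit.
$users = @('alice@contoso.example', 'bob@contoso.example')
$inventory = Get-PasskeyInventory -UserPrincipalNames $users
$inventory | Format-Table -AutoSize

# Flag users with no passkey (not yet provisioned) and users holding several keys.
$users | Where-Object { $_ -notin $inventory.User } |
    ForEach-Object { Write-Warning "No passkey registered for $_" }
$inventory | Group-Object User | Where-Object Count -gt 1 |
    ForEach-Object { Write-Warning "$($_.Name) has $($_.Count) passkeys registered" }
```

The CredentialId and Created columns correspond to the "Credential ID" and "Creation date" details shown in the application's passkey list, so the output can be reconciled against what the tool displays.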

Permissions Required

The application requires the following Microsoft Graph API permissions:

  • User.Read: To read the profile of the signed-in user
  • User.ReadBasic.All: To search for users in the directory
  • UserAuthenticationMethod.ReadWrite.All: To manage authentication methods

Security Considerations

  • The application uses secure authentication methods (OAuth 2.0, MSAL)
  • Access tokens are stored in memory only and not persisted to disk
  • All communication with Microsoft Graph API is encrypted using TLS
  • The application follows the principle of least privilege

Relying Party IDs

Understanding Relying Party (RP) IDs is crucial for passkey management:

  • Windows Login: Typically uses a Windows-specific RP ID
  • Web Applications: Uses the domain name (e.g., "login.microsoft.com")
  • Entra ID Applications: Uses "login.microsoft.com" for web authentication

Passkeys are bound to specific RP IDs and cannot be used across different contexts.


© 2025 Crayonic. All rights reserved.