Using security keys such as FIDO2 keys when you log in to a service helps you go password-less. Security keys are not only for end users; they can also be used by administrators logging into a web service, in this case the Microsoft Endpoint Manager admin center.
In this blog post I will walk you through setting up your Azure Active Directory tenant to allow FIDO2 keys, creating an Intune Admin user with rights only to Intune, and what the IT admin end-user experience looks like.
Role Based Access Control (RBAC) is important for many enterprises, but I still see users who are not Global Admins in a tenant not using extra security, so that is the main reason I created this blog post: to show a new way of securing your privileged roles inside your Azure Active Directory.
It is important to start looking at going password-less. For the normal user, Windows Hello for Business on Windows 10 is starting to get adopted, so to find a solution that also works for administrators I think FIDO2 keys are a nice and easy way to get started. You should not give up on Conditional Access and MFA just because you are looking at other solutions.
Requirements:
- Azure Multi-Factor Authentication
- Combined security information registration preview
- Compatible FIDO2 security keys
- WebAuthn requires Windows 10 version 1809 or higher
Setting up your tenant for security keys:
If your tenant is already set up to use security keys, you can skip this part.
Start the Azure Active Directory admin center:
- Click Azure Active Directory
- Click Security
- Click Authentication methods
- Click FIDO2 Security key
- Click Enable
- Set Enforce key restriction to No (while you are starting to test)
- Click Save
Now you are ready to have your users enroll their FIDO2 Security keys.
Set up an Azure Active Directory user as Intune Administrator
In this part of the blog post I will walk through setting up a standard user in Azure AD with role based access control (RBAC).
Start the Azure Active Directory admin center, go to Users and find the standard user you want to make an Intune Administrator:
- Click Assigned roles
- Search Intune
- Select Intune administrator
Now your standard user has access as an Intune administrator, and nothing more.
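The tenant setup and the Intune Administrator role assignment above, done against Microsoft Graph instead of clicking through the portal, as an added example that is not the post's own code. It assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in account can consent to the scopes listed, and that the UPN passed in is a placeholder for your standard user.

```powershell
# Added example (not from the original post): tenant FIDO2 policy + RBAC via Graph.
# Assumption: Microsoft Graph PowerShell SDK installed; $AdminUpn is a placeholder UPN.
param(
    [Parameter(Mandatory)][string]$AdminUpn   # e.g. intune.admin@contoso.example (placeholder)
)

# Only the scopes these two changes need.
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod',
                        'RoleManagement.ReadWrite.Directory',
                        'User.Read.All'

# 1. Enable FIDO2 security keys with key restriction NOT enforced, matching
#    "Enforce key restriction: No" for the test phase. Once you standardise on key
#    models, set isEnforced to $true and put the approved AAGUIDs in aaGuids.
$fido2 = @{
    '@odata.type'                    = '#microsoft.graph.fido2AuthenticationMethodConfiguration'
    state                            = 'enabled'
    isSelfServiceRegistrationEnabled = $true
    isAttestationEnforced            = $false
    keyRestrictions = @{ isEnforced = $false; enforcementType = 'block'; aaGuids = @() }
    includeTargets  = @(@{ targetType = 'group'; id = 'all_users'; isRegistrationRequired = $false })
}
Invoke-MgGraphRequest -Method PATCH -Body $fido2 `
    -Uri 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2'

# 2. Assign the built-in Intune Administrator role to the standard user at tenant
#    scope. The role is looked up by display name so no template ID is hard-coded.
$graph  = 'https://graph.microsoft.com/v1.0'
$user   = Invoke-MgGraphRequest -Method GET -Uri "$graph/users/${AdminUpn}?`$select=id"
$filter = [uri]::EscapeDataString("displayName eq 'Intune Administrator'")
$role   = (Invoke-MgGraphRequest -Method GET -Uri "$graph/roleManagement/directory/roleDefinitions?`$filter=$filter").value[0]
$assignment = @{
    '@odata.type'    = '#microsoft.graph.unifiedRoleAssignment'
    roleDefinitionId = $role.id
    principalId      = $user.id
    directoryScopeId = '/'
}
Invoke-MgGraphRequest -Method POST -Body $assignment -Uri "$graph/roleManagement/directory/roleAssignments"

# 3. Verify: list the user's directory roles and confirm Intune Administrator is
#    present and Global Administrator is absent (the RBAC point of this post).
$pf    = [uri]::EscapeDataString("principalId eq '$($user.id)'")
$roles = Invoke-MgGraphRequest -Method GET -Uri "$graph/roleManagement/directory/roleAssignments?`$filter=$pf&`$expand=roleDefinition"
$names = $roles.value | ForEach-Object { $_.roleDefinition.displayName }
$names
if ($names -contains 'Global Administrator') { Write-Warning "$AdminUpn is also Global Administrator" }
```

Run it once while signed in as an account that may change authentication method policy and directory roles; the final list should show Intune Administrator only.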
User registration and management of FIDO2 security keys
Start My Account and sign in with your new Intune administrator:
- Click Update Info under the Security info heading
- Click Add method to add your FIDO2 Security Key
- Select Security Key
- Click Add
- Select USB device (in my case I have a USB FIDO2 Security Key)
- Click Next (you will then be validated with Azure MFA)
- Click Next
- Insert your FIDO2 Security Key
- Click Ok
- Click Ok
It will look for your FIDO2 Security Key.
Continue the setup:
- Enter a PIN for this Security Key
- Re-enter your PIN
- Click Ok
- Click Next
- Enter a name for your Security Key
- Click Next
- Click Done
Now you are all done and ready to use the FIDO2 Security Key for sign-in.
What it looks like from the IT admin end-user perspective
Start the Microsoft Endpoint Manager admin center:
- Click "Sign in with a security key" (do not enter your username)
You will be prompted to insert your security key into the USB port.
- Enter your Security Key PIN
- Click Ok
- Touch your Security Key
Now you will be logged into the portal as your Intune administrator without entering the password.
See my video of the IT admin end-user experience logging into the Microsoft Endpoint Manager admin center.
Happy testing
Per, when will it be possible to lock the machine when removing the key?