Adding a Bitwarden Synced Passkey to an Entra ID account

Huzzah! Finally! Just in time for Christmas…

Microsoft recently announced the Public Preview of Synced Passkeys. Prior to this announcement, Microsoft only supported Passkeys that were tied to a device (Device Bound) and did not support Passkeys that could be synchronised across devices by providers such as Bitwarden or 1Password, or on platforms without Microsoft Authenticator.

I know from being present and active on the Bitwarden forums that people are crying out for this. So, in this guide, I’ll show you how to configure Entra ID Authentication Methods to utilise Preview Authentication Profiles and enable Synced Passkeys. After which, I’ll demonstrate how to utilise Bitwarden to host a Passkey and use it across multiple devices.

Without further ado…

How to Enable Synced Passkey Support in Entra ID

Log in to Microsoft Entra.

Click on Authentication Methods from the left-hand menu.

Click on Passkey (FIDO2).

You’ll notice at the top of the Passkey (FIDO2) settings page you have the option to “Begin opting-in to public preview”. You’ll need to click on this, as without Preview Support, you’ll not be able to utilise Synced Passkeys.

With the Preview functionality enabled, we now get “Passkey Profiles” under the Configure tab. You’ll also notice you have the “Allow self-service set-up” option, which is probably best left ticked. Without this enabled, users will not be able to register Passkeys.

What we need to do now is click on Add Profile and complete the Profile settings as desired. Whether you want to Target Specific AAGUIDs or not is up to you. Enabling this option allows you to be a bit stricter about which syncable providers can be used.

Note: Ticking “Enforce Attestation” will prevent “Synced (Preview)” from being selectable in the Target Types drop-down. For now, we cannot leverage attestation, which may put off some larger enterprises or more risk-averse organisations.

Remember though, this is a Preview. So it’s unlikely you’re going to want this in production right now.

In the example below I have ticked “Target specific AAGUIDs” and limited this Profile to ONLY the Bitwarden AAGUID in the Model/Provider list.

The FIDO2 specification requires each security key vendor to provide an Authenticator Attestation GUID (AAGUID) during registration. An AAGUID is a 128-bit identifier indicating the key type, such as the make and model. Passkey (FIDO2) providers on desktop and mobile devices are also expected to provide an AAGUID during registration.

The Bitwarden AAGUID is: d548826e-79b4-db40-a3d8-11116f7e8349 (Reference).
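To make the AAGUID restriction concrete, here is an added Python example (not from this post, Microsoft or Bitwarden) that parses the authenticator data a browser returns at registration, pulls out the AAGUID and the backup-eligible flag that marks a synced passkey, and applies a profile-style allow-list and target type. The sample bytes are constructed, and `evaluate_profile` is a simplified stand-in for the real Entra profile logic.

```python
import hashlib
import struct
import uuid

BITWARDEN_AAGUID = uuid.UUID("d548826e-79b4-db40-a3d8-11116f7e8349")  # from the page
# WebAuthn authenticator-data flag bits: user present, user verified, backup eligible, backup state, attested credential data
FLAG_UP, FLAG_UV, FLAG_BE, FLAG_BS, FLAG_AT = 0x01, 0x04, 0x08, 0x10, 0x40

def parse_authenticator_data(auth_data: bytes) -> dict:
    """Extract the fields a passkey profile decides on from raw authenticator data."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte fixed header")
    flags = auth_data[32]
    parsed = {
        "rp_id_hash": auth_data[:32],
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),  # set by synced passkeys
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "aaguid": None, "credential_id": None,
    }
    if flags & FLAG_AT:  # attested credential data follows (registration responses)
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        cred_id = auth_data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credential ID truncated")
        parsed["aaguid"] = uuid.UUID(bytes=auth_data[37:53])
        parsed["credential_id"] = cred_id
        # anything after the credential ID is the COSE public key; not decoded here
    return parsed

def evaluate_profile(parsed: dict, allowed_aaguids: set, allow_synced: bool) -> tuple:
    """Mimic a profile: optional AAGUID allow-list plus synced vs device-bound target type."""
    if parsed["aaguid"] is None:
        return False, "no attested credential data in response"
    if allowed_aaguids and parsed["aaguid"] not in allowed_aaguids:
        return False, f"AAGUID {parsed['aaguid']} not in the profile's allow-list"
    if parsed["backup_eligible"] and not allow_synced:
        return False, "synced passkey offered but profile targets device-bound only"
    return True, "accepted"

def build_sample_auth_data(aaguid: uuid.UUID, flags: int) -> bytes:
    """Constructed registration-time authenticator data for login.microsoft.com (not a real capture)."""
    cred_id = b"\x01" * 16  # constructed credential ID
    return (hashlib.sha256(b"login.microsoft.com").digest() + bytes([flags])
            + struct.pack(">I", 0) + aaguid.bytes
            + struct.pack(">H", len(cred_id)) + cred_id + b"\xa5")  # b"\xa5": COSE key stand-in
```

Because attestation cannot be enforced for synced passkeys yet, the AAGUID and flags in this structure are asserted by the passkey provider rather than cryptographically verified, so treat the allow-list as a hygiene control, not a hard guarantee.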

And that’s all there is to the Profile configuration. So, after hitting Save, all you then need to do is assign the profile. In the image below, I have a Security Group named “James Vincent (User)” with only my User Account assigned (purely for testing).

After assigning the Profile, I made a cup of tea and then returned to set about trying to register a shiny new “Synced Passkey”.

Registering a Synced Passkey to your Entra ID account

For sanity purposes, I launched an InPrivate session in Edge and hit up https://myaccount.microsoft.com/

I proceeded to Sign In.

From My Account, click on Security Info in the left-hand menu.

Click Add sign-in method.

Select “Passkey” (not the option “Passkey in Microsoft Authenticator”).

Click Next on the “Sign in faster” prompt.

At this point, the Bitwarden extension should jump into play, and ask you which account you want to save this passkey to. Make sure you choose the correct account; else fun could ensue.

Give your Passkey a name/reference to help identify where this Passkey lives or originates from.

And where normally, you’d have had an error, you now get a pat on the back and a lovely “Passkey created” confirmation.

In Security Info you’ll now see the “Synced” Passkey – hurrah!

If we look in our Bitwarden Vault now, we can see the Passkey registered against the login details.

Using the Passkey stored in Bitwarden

The beauty of using a Private Browser session is that closing it down means all cookies etc. are long gone.

I fired up another Private Session, and revisited https://myaccount.microsoft.com/

Immediately click “Sign-in Options”.

And then select “Face, Fingerprint, PIN or Security Key”.

Bitwarden should now kick in, asking you to select a Passkey (registered to login.microsoft.com, of which I have many) that you wish to use to sign in.

…and there you have it!

Just for good measure, I also tested the synced aspect and attempted to log in to https://myaccount.microsoft.com/ using my iPhone – with the same success.

It’s been a long time coming, but finally I can store my Entra ID Passkeys in Bitwarden.

Yay!


4 responses to “Adding a Bitwarden Synced Passkey to an Entra ID account”

  1. Hany E

    Hi James,

    Great article, I have followed it and it works up to the point of saving the passkey; after Bitwarden saves the passkey, Microsoft asks to name the passkey and this is when it comes up with an error “Passkey not registered” “This might be due to a timeout, a canceled request or a private browsing window.” … have you faced this issue or know what the solution is ? Is it Bitwarden related ? Is it some timeout or prompt that is not working ?

    1. James

      Are you trying to add your “Passkey” on a device with Windows Hello enabled? Or have you previously marked the domain as “Always use Hardware Passkey” when Bitwarden originally prompted?

      Try adding it on your phone or A N Other device. My head’s saying it’s a device-specific issue.

  2. Ron

    Thank you for the clear procedure, which works with one modification. The Bitwarden extension must be active, and it is not active in a “private Edge session”. Thus, a private session will trigger Microsoft attempting to save the passkey locally.

    Or Edge installed extensions > BitWarden > Allow in Private

    1. James

      This is a given. Bitwarden has to be running, of course.
