Microsoft Entra ID strengthens security with FIDO2 APIs

laptop with YubiKey

Yubico has worked closely with Microsoft for over a decade to keep businesses around the world and the Microsoft solutions they use both secure and phishing-resistant. Recognizing the importance of multi-factor authentication (MFA), Microsoft recently mandated that MFA be used by all Azure users – a critical move to require stronger authentication for end users to prevent phishing attacks. 

Yubico applauds the mandate and encourages organizations to not only satisfy the MFA mandate, but also expand the use of modern MFA beyond only Azure users while moving past phishable MFA solutions. Organizations must protect all their resources and should be applying policies to all users and all applications with Conditional Access Policy Authentication Strengths, requiring phishing-resistant MFA solutions like the YubiKey.

Continuing this trend of focusing on phishing-resistance, Microsoft just announced Microsoft Entra ID FIDO2 provisioning APIs that give organizations the option to develop or leverage alternative administrator-led provisioning clients that support the setup of hardware security keys, like the YubiKey. Before this update, organizations were limited to requiring users to register their own security keys. This left gaps for many organizations that wanted to mature in their journey in becoming a phishing-resistant organization, which often required users to sign-in with a phishable authentication method like a Temporary Access Pass in order to register their YubiKey. 

While this may have worked for some, more diverse and multinational entities and government agencies have long sought after the ability to do the provisioning on-behalf of their users. Now, users can be onboarded into an organization or can recover their account without ever having to downgrade to a phishable authentication method. 

Yubico is proud to have partnered with Microsoft in supporting the development of these APIs. Yubico has worked to ensure that the provisioning of YubiKeys fits seamlessly into this release and Yubico now shares a GitHub project with a sample of how customers can leverage the new Microsoft Graph APIs.

At Microsoft, we are committed to providing the highest levels of protection for our customers,” said Natee Pretikul, principal product management lead at Microsoft Security. “Phishing-resistant multi-factor authentication (MFA) is a critical component to a healthy and secure cybersecurity practice for any organization. Through our FIDO2 Provisioning API integration with Yubico solution, our enterprise customers can quickly implement YubiKey, enhancing employee protection more efficiently. Together, we are empowering our customers to safeguard their digital identities and protect their data against ever-evolving threats.”

With Microsoft’s proven commitment to driving the highest security for users, and through our integration with Entra ID, YubiKeys offer a seamless, robust solution that not only strengthens security but simplifies the user experience. YubiKeys enable enterprises to create phishing-resistant users who use authentication that seamlessly moves with users across devices, services and business scenarios.

Effectively using YubiKeys across the Microsoft ecosystem

With strong two-factor, multi-factor and passwordless authentication, YubiKey’s integration across the Microsoft ecosystem is the best defense against account takeovers. While MFA is a strong first line of defense, not all forms are equally secure. Legacy methods like passwords are easily hacked, and mobile-based authentication (SMS, OTP codes, push notifications) are vulnerable to phishing, malware, SIM swaps, and AiTM attacks. This is particularly important for Microsoft environments, where the integration of services like Azure, Microsoft 365, and Dynamics 365 means that an account takeover could have widespread implications. 

The risks that come from phishing attacks is exactly why the YubiKey is so important to today’s organization using Microsoft solutions. The YubiKey provides a bridge from legacy to modern authentication options and can be used for on-premises Smart Card deployments, authenticate access to apps in the cloud through FIDO2 and meet you where you are in your Microsoft journey. Since YubiKeys work across all your devices (including the Surface Pro 10 for Business), it makes authenticating a breeze for all, including mobile-restricted users, factory floor workers, healthcare workers, hotel staff and many more.

As cyber threats continue to evolve, our partnership with Microsoft ensures that we remain at the forefront of security innovation, delivering solutions that protect users and their data. We recommend that you prepare your organization for the Azure MFA mandate and review the Microsoft guidance to identify impacted users. Together, we can make phishing-resistant users in your organization a reality and ensure your enterprise stays secure.

Fully protect your organization by going beyond the mandate and enforcing phishing-resistant MFA for all your users and applications – leverage the built-in Authentication Strength for phishing-resistant MFA or build your custom Authentication Strength. Check out all the ways you can incorporate YubiKeys across the Microsoft ecosystem here.

Begin maturing towards a phishing-resistant organization by exploring how to best leverage the Microsoft FIDO2 registration APIs to support high-assurance onboarding and account recovery processes. Be sure to explore the sample GitHub project to accelerate integrating the APIs into your organization’s registration processes.

For more information and any questions on the Microsoft MFA Mandate, the new Microsoft Entra ID FIDO2 provisioning APIs and how to get started implementing YubiKeys for your business, contact our team here.

Talk to our teamTalk to our team

Share this article:


  • CEO Corner: Entering the second half of 2025 with momentumAs we continue to move further into the second half of 2025, I want to share a look back at our journey so far this year and as well as lay out Yubico’s strategic path ahead.  Resurgence in order growth and key segment wins While net sales declined for Q2, the end of the quarter […]Read moreCEOCEO CornerEarningsMattias Danielsson
  • Survey says: Your dog’s name isn’t a passwordWe all know we should be protecting our digital lives, but what are Americans actually doing? Yubico recently commissioned a survey, conducted by Talker Research, which asked 5,000 Americans in 10 major metro cities across the U.S. about their online security habits. Here’s a closer look at what they found (hint: they’re not as secure as they […]Read moreCompany Newssurvey
  • Passkeys are winning, but security leaders must raise the barPasswords are on their way out. In their place is a new form of login called passkeys that promises stronger security and less frustration. All passkeys offer the rare combination of improved usability and stronger security, especially when compared to passwords alone. But unless we act now, millions could be left more vulnerable than ever. […]Read moreDevice-bound passkeysHardware passkeypasskeyssynced passkeys
  • Your top YubiKey questions, answeredOver the 10+ years I’ve been at Yubico, I’ve had the pleasure of meeting customers, partners and many others talking about digital security. While every conversation is different, I am often asked many of the same questions about YubiKeys. One thing remains consistent: many people know they need better security, but they’re not sure what […]Read moreFAQYubiKey