Microsoft strengthens phishing-resistant security for Entra ID with FIDO2 provisioning APIs

laptop with YubiKey

Yubico has worked closely with Microsoft for over a decade to keep businesses around the world and the Microsoft solutions they use both secure and phishing-resistant. Recognizing the importance of multi-factor authentication (MFA), Microsoft recently mandated that MFA be used by all Azure users – a critical move to require stronger authentication for end users to prevent phishing attacks. 

Yubico applauds the mandate and encourages organizations to not only satisfy the MFA mandate, but also expand the use of modern MFA beyond only Azure users while moving past phishable MFA solutions. Organizations must protect all their resources and should be applying policies to all users and all applications with Conditional Access Policy Authentication Strengths, requiring phishing-resistant MFA solutions like the YubiKey.

Continuing this trend of focusing on phishing-resistance, Microsoft just announced Microsoft Entra ID FIDO2 provisioning APIs that give organizations the option to develop or leverage alternative administrator-led provisioning clients that support the setup of hardware security keys, like the YubiKey. Before this update, organizations were limited to requiring users to register their own security keys. This left gaps for many organizations that wanted to mature in their journey in becoming a phishing-resistant organization, which often required users to sign-in with a phishable authentication method like a Temporary Access Pass in order to register their YubiKey. 

While this may have worked for some, more diverse and multinational entities and government agencies have long sought after the ability to do the provisioning on-behalf of their users. Now, users can be onboarded into an organization or can recover their account without ever having to downgrade to a phishable authentication method. 

Yubico is proud to have partnered with Microsoft in supporting the development of these APIs. Yubico has worked to ensure that the provisioning of YubiKeys fits seamlessly into this release and Yubico now shares a GitHub project with a sample of how customers can leverage the new Microsoft Graph APIs.

At Microsoft, we are committed to providing the highest levels of protection for our customers,” said Natee Pretikul, principal product management lead at Microsoft Security. “Phishing-resistant multi-factor authentication (MFA) is a critical component to a healthy and secure cybersecurity practice for any organization. Through our FIDO2 Provisioning API integration with Yubico solution, our enterprise customers can quickly implement YubiKey, enhancing employee protection more efficiently. Together, we are empowering our customers to safeguard their digital identities and protect their data against ever-evolving threats.”

With Microsoft’s proven commitment to driving the highest security for users, and through our integration with Entra ID, YubiKeys offer a seamless, robust solution that not only strengthens security but simplifies the user experience. YubiKeys enable enterprises to create phishing-resistant users who use authentication that seamlessly moves with users across devices, services and business scenarios.

Effectively using YubiKeys across the Microsoft ecosystem

With strong two-factor, multi-factor and passwordless authentication, YubiKey’s integration across the Microsoft ecosystem is the best defense against account takeovers. While MFA is a strong first line of defense, not all forms are equally secure. Legacy methods like passwords are easily hacked, and mobile-based authentication (SMS, OTP codes, push notifications) are vulnerable to phishing, malware, SIM swaps, and AiTM attacks. This is particularly important for Microsoft environments, where the integration of services like Azure, Microsoft 365, and Dynamics 365 means that an account takeover could have widespread implications. 

The risks that come from phishing attacks is exactly why the YubiKey is so important to today’s organization using Microsoft solutions. The YubiKey provides a bridge from legacy to modern authentication options and can be used for on-premises Smart Card deployments, authenticate access to apps in the cloud through FIDO2 and meet you where you are in your Microsoft journey. Since YubiKeys work across all your devices (including the Surface Pro 10 for Business), it makes authenticating a breeze for all, including mobile-restricted users, factory floor workers, healthcare workers, hotel staff and many more.

As cyber threats continue to evolve, our partnership with Microsoft ensures that we remain at the forefront of security innovation, delivering solutions that protect users and their data. We recommend that you prepare your organization for the Azure MFA mandate and review the Microsoft guidance to identify impacted users. Together, we can make phishing-resistant users in your organization a reality and ensure your enterprise stays secure.

Fully protect your organization by going beyond the mandate and enforcing phishing-resistant MFA for all your users and applications – leverage the built-in Authentication Strength for phishing-resistant MFA or build your custom Authentication Strength. Check out all the ways you can incorporate YubiKeys across the Microsoft ecosystem here.

Begin maturing towards a phishing-resistant organization by exploring how to best leverage the Microsoft FIDO2 registration APIs to support high-assurance onboarding and account recovery processes. Be sure to explore the sample GitHub project to accelerate integrating the APIs into your organization’s registration processes.

For more information and any questions on the Microsoft MFA Mandate, the new Microsoft Entra ID FIDO2 provisioning APIs and how to get started implementing YubiKeys for your business, contact our team here.

Talk to our teamTalk to our team

Share this article:


  • Introducing new features for Yubico Authenticator for iOSWe’re excited to share the new features now available for Yubico Authenticator for iOS in the latest app update on the App Store. Many of these improvements aim to address frequently requested features from our customers, while providing additional new functionalities for a seamless authentication experience on iOS.  With increased interest in going passwordless and […]Read moreiOSYubico Authenticator
  • Platform independent digital identity for all Many are understandably concerned that the great invention called the Internet, initially created by researchers for sharing information, has become a major threat to democracy, security and trust. The majority of these challenges are caused by stolen, misused or fake identities. To mitigate these risks, some claim that we have to choose between security, usability […]Read moreDigital IdentityEUDIFounderStina Ehrensvard
  • Q&A with Yubico’s CEO: Our move to the main Nasdaq market in StockholmAs 2024 draws to a close, it’s the perfect time to reflect on the incredible journey we’ve had this year and how it has shaped where we stand today as a company. To mark this moment, I sat down with our CEO, Mattias Danielsson, to look back on the milestones and achievements of 2024—culminating in […]Read moreCEOMattias Danielsson
  • Exploring DORA: A look at the next major EU mandateFinancial institutions have historically managed operational risk using capital allocation, but under EU Regulation 2022/2554 – also known as the Digital Operational Resilience Act (DORA) – the financial sector and associated entities in the European Economic Area (EEA) must also soon follow new rules. These new rules focus on the protection, detection, containment, and the […]Read moreDORAEU