Securing Entra ID with YubiKey: How to Set Up and Sign In with Your Security Key
Passwords alone are no longer enough. Phishing attacks, password reuse, and credential stuffing continue to plague organizations. Microsoft Entra ID (formerly Azure AD) supports strong phishing-resistant authentication methods, and one of the most practical options is using a FIDO2-compliant security key like YubiKey.
In this guide, we’ll walk through how to set up YubiKey with Entra ID and demonstrate how a user signs in with the key.
Why Use YubiKey with Entra ID?
- Phishing-resistant: the YubiKey holds a private key and signs a challenge that is bound to the site’s origin (the relying party ID). A look-alike login page on another domain cannot obtain a valid signature, and there is no shared secret for it to capture.
- Passwordless experience: enter the key’s PIN, touch the YubiKey, and you’re in; no password is typed or sent.
- Portable security: works across devices and browsers (USB-A, USB-C, Lightning and NFC models), and one key can hold credentials for many accounts. The private key never leaves the YubiKey.
- Compliance ready: helps meet strong-authentication requirements such as NIST SP 800-63B phishing-resistant MFA and the EU NIS2 directive.
Prerequisites
Before we start, make sure you have the following in place:
- A Microsoft Entra ID tenant. Registering and signing in with a FIDO2 key works on any edition; the Conditional Access policy with an authentication strength in Step 4 requires Microsoft Entra ID P1 or P2 (included in Microsoft 365 E3/E5).
- An account holding the Authentication Policy Administrator role (sufficient for Step 1 and the least-privilege choice) or Global Administrator. Step 4 additionally needs Conditional Access Administrator or Security Administrator.
- A FIDO2-compliant security key (e.g., YubiKey 5 Series, YubiKey Bio).
- A current WebAuthn-capable browser (latest Edge or Chrome).
- Security defaults turned off if you intend to create the Conditional Access policy in Step 4 (security defaults and Conditional Access cannot be enabled together), or custom Conditional Access already in place.
Step 1: Enable FIDO2 Security Keys in Entra ID
- Sign in to the Microsoft Entra admin center.
- Navigate to Protection → Authentication methods → Policies.
- Select FIDO2 security key (labelled Passkey (FIDO2) in newer versions of the admin center) and set Enable to Yes.
- Choose the scope:
- All users, or
- A pilot group (recommended for testing). For testing, I will scope this to my test account only, via a pilot group called “sg-fido-pilot”.
- Under Configure, set:
- Allow self-service set up: Yes, so users can register their own key from My Security Info.
- Enforce attestation: Yes. Entra ID then verifies each key’s attestation statement against the FIDO Alliance Metadata Service, so a key that cannot prove its make and model is refused at registration.
- Enforce key restrictions (optional): allow or block specific key models by their AAGUID. If you turn this on with an allow list, every YubiKey model you hand out must be on that list or registration fails; Yubico publishes the AAGUIDs for each model.
- Save the policy.
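The same Step 1 settings can be applied through Microsoft Graph PowerShell, which makes the policy scripted, reviewable and repeatable. This is an added example and not code from the original post; it assumes the Microsoft.Graph module is installed, that the pilot group “sg-fido-pilot” already exists, and that the signed-in account holds the Policy.ReadWrite.AuthenticationMethod permission.

```powershell
# Added example, not from the original post: Step 1 applied via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; pilot group 'sg-fido-pilot' exists.
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod', 'Group.Read.All' -NoWelcome

$pilotGroup = Get-MgGroup -Filter "displayName eq 'sg-fido-pilot'"
if (-not $pilotGroup) { throw "Pilot group 'sg-fido-pilot' not found; create it before scoping the policy." }

$fido2Policy = @{
    '@odata.type'                    = '#microsoft.graph.fido2AuthenticationMethodConfiguration'
    state                            = 'enabled'
    isSelfServiceRegistrationEnabled = $true
    isAttestationEnforced            = $true    # refuse keys whose make/model cannot be verified
    keyRestrictions                  = @{
        isEnforced      = $false                # set $true and fill aaGuids to pin approved models
        enforcementType = 'allow'
        aaGuids         = @()                   # YubiKey AAGUIDs come from Yubico's documentation
    }
    includeTargets = @(
        @{
            targetType             = 'group'
            id                     = $pilotGroup.Id
            isRegistrationRequired = $false
        }
    )
}

Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId 'Fido2' `
    -BodyParameter $fido2Policy

# Read the policy back rather than trusting the write: this is what users will actually get.
Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId 'Fido2' |
    ConvertTo-Json -Depth 6
```

Reading the configuration back after the update is the check worth keeping: the JSON shows the state, the attestation flag and the targeted group IDs exactly as the service stored them, which is what you want in a change record.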
Step 2: Register a YubiKey with a User Account
- The user signs in to the My Security Info portal: https://mysignins.microsoft.com/security-info.
- Click + Add method → select Security key.
- Choose USB device (for a USB YubiKey) or NFC device (for tapping the key against a phone or NFC reader).
- Insert the YubiKey into the device’s USB port (or hold it against the NFC reader).
- Follow the browser prompts:
- Set a PIN for the YubiKey (first-time setup only). The PIN is stored on the key and checked by the key itself; it is never sent to Entra ID. Eight consecutive wrong entries lock the FIDO2 application, and the key must then be reset, which wipes every credential on it, so keep a second sign-in method registered.
- Touch the YubiKey’s gold sensor when prompted; this proves user presence for the new credential.
- Give the security key a friendly name (e.g., “Shaun’s YubiKey”).
- Registration complete. A second key can be registered the same way as a backup.
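Once users have registered, an administrator can confirm from the directory what was actually enrolled, rather than trusting screenshots. The following is an added example, not part of the original post: it lists every FIDO2 credential registered by members of the pilot group and flags users with no key and keys that did not pass attestation. It assumes the Microsoft.Graph module and the group name “sg-fido-pilot”.

```powershell
# Added example, not from the original post: audit FIDO2 registrations for the pilot group.
# Assumptions: Microsoft.Graph module installed; pilot group 'sg-fido-pilot' exists.
Connect-MgGraph -Scopes 'UserAuthenticationMethod.Read.All', 'GroupMember.Read.All', 'User.Read.All' -NoWelcome

$pilotGroup = Get-MgGroup -Filter "displayName eq 'sg-fido-pilot'"
$members    = Get-MgGroupMember -GroupId $pilotGroup.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }

$report = foreach ($m in $members) {
    $user = Get-MgUser -UserId $m.Id -Property Id, UserPrincipalName
    $keys = Get-MgUserAuthenticationFido2Method -UserId $user.Id

    if (-not $keys) {
        # In scope of the policy but nothing registered yet: still on password + legacy MFA.
        [pscustomobject]@{
            User = $user.UserPrincipalName; KeyName = '(none)'; Model = ''
            Attestation = ''; Registered = ''; Flag = 'NO KEY'
        }
        continue
    }

    foreach ($k in $keys) {
        [pscustomobject]@{
            User        = $user.UserPrincipalName
            KeyName     = $k.DisplayName
            Model       = $k.Model            # populated from FIDO metadata when attestation succeeded
            Attestation = $k.AttestationLevel # 'attested' or 'notAttested'
            Registered  = $k.CreatedDateTime
            Flag        = if ($k.AttestationLevel -ne 'attested') { 'NOT ATTESTED' } else { '' }
        }
    }
}

$report | Sort-Object User | Format-Table -AutoSize
```

With Enforce attestation set to Yes in Step 1, every row should read “attested”; a “notAttested” row means the key was registered before the setting was turned on and is worth re-enrolling.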
Step 3: Sign in to Microsoft 365 with YubiKey
- Go to https://office.com or any Microsoft 365 app.
- Enter your email address.
- When prompted for authentication, choose Sign in with security key (under Sign-in options if it is not offered directly).
- Insert your YubiKey. Windows shows a Windows Security prompt; select Security key and enter the key’s PIN.
- Touch the YubiKey’s sensor.
- Access granted, with no password entered. If the browser offers only a password prompt, confirm that the user is in the pilot group from Step 1 and that the key appears under their security info.
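The sign-in logs are the place to prove that the session was satisfied by the key and not by a password. The block below is an added example, not from the original post: it pulls the last hour of sign-ins for one user and shows which authentication methods succeeded on each. It uses the beta sign-in endpoint (Microsoft.Graph.Beta.Reports module), because the per-step authentication details are only exposed there; the UPN is a placeholder.

```powershell
# Added example, not from the original post: verify from the logs which method satisfied each sign-in.
# Assumptions: Microsoft.Graph.Beta.Reports module installed; 'shaun@contoso.com' is a placeholder UPN.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

$upn   = 'shaun@contoso.com'
$since = (Get-Date).ToUniversalTime().AddHours(-1).ToString('yyyy-MM-ddTHH:mm:ssZ')

$signIns = Get-MgBetaAuditLogSignIn `
    -Filter "userPrincipalName eq '$upn' and createdDateTime ge $since" -Top 20

foreach ($s in $signIns) {
    # Each sign-in records one entry per authentication step; keep the steps that succeeded.
    $methods = ($s.AuthenticationDetails |
        Where-Object { $_.Succeeded } |
        Select-Object -ExpandProperty AuthenticationMethod) -join ', '

    [pscustomobject]@{
        Time         = $s.CreatedDateTime
        App          = $s.AppDisplayName
        Result       = if ($s.Status.ErrorCode -eq 0) { 'Success' } else { "Failed ($($s.Status.ErrorCode))" }
        Methods      = $methods
        PasswordUsed = [bool]($methods -match 'Password')   # should be False for a key-only sign-in
        Requirement  = $s.AuthenticationRequirement          # e.g. multiFactorAuthentication
    }
}
```

A passwordless sign-in shows the FIDO2 security key as the only succeeded method and PasswordUsed False; if a password step appears, the user authenticated the old way and the key was at most a second factor.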

Step 4: Use YubiKey with Conditional Access (Optional)
To strengthen your setup:
- In the Entra admin center, go to Protection → Conditional Access.
- Create a new policy:
- Assignments: choose the users/groups (start with the pilot group, and exclude your emergency-access accounts).
- Target resources: Microsoft 365 or All cloud apps.
- Grant controls: Require authentication strength → select Phishing-resistant MFA.
- Save in report-only mode first, review the results in the sign-in logs, then set the policy to On.

Now users can access the targeted apps only with a YubiKey (or another method in the Phishing-resistant MFA strength, such as Windows Hello for Business or certificate-based authentication); a password plus SMS or an authenticator push no longer satisfies the policy.
Let’s do another sign-in after the Conditional Access policy has been applied. As you can see from the image below, we don’t get prompted for a password and go straight to sign in with a passkey.
Real-World Example
One of my customers recently rolled this out for contractors. Instead of issuing complex onboarding for MFA apps, they handed out pre-configured YubiKeys. Contractors could log in immediately with a tap — no phone enrollment needed. This eliminated delays, simplified support, and gave IT airtight control.
Final Thoughts
Integrating YubiKey with Entra ID is a quick win for passwordless security. It removes the password from the sign-in path, helps meet phishing-resistant MFA requirements, and gives users a smooth login experience.
If you’re serious about phishing-resistant MFA, YubiKey + Entra ID should be at the top of your roadmap.
About the Author
I’m Shaun Hardneck, a Microsoft 365 & Azure Security Specialist and the writer behind ThatLazyAdmin.com. I help organizations secure and modernize their Microsoft environments with practical, real-world solutions.
