This post is going to be really simple to follow. I created some videos that explain the steps to activate the FIDO2 authentication option for our users in Azure AD, and then how a user can register a FIDO2 key and use it to log into office.com.
First, as an admin, you need to activate the authentication option for the users. You can create a group and allow just that group, or even just some users. In this example, I will allow it for all users:
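The admin step above can also be applied and verified through Microsoft Graph instead of the portal. This is an added example, not part of the original post or its videos; it assumes the Microsoft.Graph.Authentication PowerShell module is installed, and `$GroupId` is a hypothetical placeholder for a pilot group's object ID.

```powershell
# Added example: enable the FIDO2 authentication method in Azure AD via Microsoft Graph.
# Assumes the signed-in admin can consent to Policy.ReadWrite.AuthenticationMethod.
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod'

# Assumption: leave $GroupId empty to target all users (as in the post),
# or set it to the object ID of a security group to limit the rollout.
$GroupId  = ''   # placeholder: '<group-object-id>'
$targetId = if ($GroupId) { $GroupId } else { 'all_users' }

$uri = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/' +
       'authenticationMethodConfigurations/fido2'

# Desired policy: method enabled, scoped to the chosen target.
$body = @{
    '@odata.type'  = '#microsoft.graph.fido2AuthenticationMethodConfiguration'
    state          = 'enabled'
    includeTargets = @(
        @{ targetType = 'group'; id = $targetId }
    )
} | ConvertTo-Json -Depth 5

Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body -ContentType 'application/json'

# Read the policy back and fail loudly if it does not match what was requested,
# so a rejected or partially applied change is not mistaken for success.
$policy  = Invoke-MgGraphRequest -Method GET -Uri $uri
$targets = @($policy.includeTargets | ForEach-Object { $_.id })

if ($policy.state -ne 'enabled' -or $targetId -notin $targets) {
    throw "FIDO2 policy not applied as expected: state=$($policy.state), targets=$($targets -join ',')"
}

"FIDO2 is enabled for: $($targets -join ', ')"
```

Scoping `$GroupId` to a pilot group first limits who can register keys while the rollout is being tested.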
Once we have done this, the users will be able to activate a FIDO2 key in their profile, in the security info section.
And this below would be the result when you log into a Microsoft site using a FIDO2 key:
And that’s all! Pretty easy, huh?
In terms of security, since we still need a PIN to activate the FIDO2 key, it would be comparable to the Windows Hello PIN option. Note that there are FIDO2 keys with fingerprint readers, so you can increase security by adding biometrics.
Let me know in the comments if you have any questions.