Policy setup
Recommended Entra ID configuration
Your Entra ID setup is ultimately your organisation's responsibility and decision. This guide helps you configure the minimum requirements for the migration helper to work.
You need a minimum of three Conditional Access policies to enforce passkeys safely across desktop and mobile operating systems. A customised checklist populated with your group IDs is available in the Admin portal.
Policy 1: Passkey validation app
Protect the helper validation app so users must complete a phishing-resistant passkey check every time.
- Users include: All users
- Target resources: Passkey Migration Helper - Always Require Passkey app (46eadcca-e1c2-45a6-b44e-a193c201d78b)
- Grant: Require Authentication strength → Phishing-resistant MFA
- Session: Sign-in frequency = Every time
Policy 2: Desktop operating systems
Enforce passkeys for Windows, macOS, and Linux users in your enforcement group.
- Users include: Enforcement group ID from your helper configuration
- Users exclude: Break-glass accounts; optionally exclude your users-with-issues group during rollout
- Target resources: Include all cloud apps
- Optional exclude (passkey interrupt wizard): Windows Azure Active Directory (00000002-0000-0000-c000-000000000000), Azure Credential Configuration Endpoint Service (ea890292-c8c8-4433-b5ea-b09d0668e1a6)
- Conditions → Device platforms: Include any device; exclude iOS and Android
- Grant: Require Authentication strength → Phishing-resistant MFA
Policy 3: Mobile operating systems
Cover mobile sign-ins with the same enforcement group and a mobile-only policy.
- Users include: Enforcement group ID from your helper configuration
- Users exclude: Break-glass accounts; optionally exclude your users-with-issues group and incompatible devices group during rollout
- Target resources: Include all cloud apps
- Optional exclude (passkey interrupt wizard): Windows Azure Active Directory (00000002-0000-0000-c000-000000000000), Azure Credential Configuration Endpoint Service (ea890292-c8c8-4433-b5ea-b09d0668e1a6)
- Optional exclude (iOS out-of-box enrollment): Microsoft Intune (0000000a-0000-0000-c000-000000000000), Microsoft Intune enrollment (d4ebce55-015a-49b5-a083-c84d1797ae8c)
- Conditions → Device platforms: Include any device; exclude Windows, macOS, and Linux
- Grant: Require Authentication strength → Phishing-resistant MFA
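The three policies above expressed as Microsoft Graph conditionalAccessPolicy request bodies, with a check that the desktop and mobile platform exclusions leave no platform uncovered and that every enforcement policy keeps a break-glass exclusion. This is an added example, not part of the migration helper or its tooling; the group IDs are constructed placeholders, and the phishing-resistant strength ID is assumed to be the built-in Entra value (verify it in your tenant).

```python
import json

ENFORCEMENT_GROUP = "00000000-0000-0000-0000-00000000aaaa"  # constructed placeholder group ID
BREAK_GLASS_GROUP = "00000000-0000-0000-0000-00000000bbbb"  # constructed placeholder group ID
HELPER_APP = "46eadcca-e1c2-45a6-b44e-a193c201d78b"          # validation app ID from this guide
WIZARD_APPS = ["00000002-0000-0000-c000-000000000000",       # Windows Azure Active Directory
               "ea890292-c8c8-4433-b5ea-b09d0668e1a6"]       # Azure Credential Configuration Endpoint Service
PHISHING_RESISTANT = "00000000-0000-0000-0000-000000000004"  # built-in strength ID (assumed; verify in tenant)
ALL_PLATFORMS = {"android", "iOS", "windows", "macOS", "linux", "windowsPhone"}

def base_policy(name, users, apps, exclude_platforms=None, every_time=False):
    """Build a Graph conditionalAccessPolicy body; it starts in report-only mode."""
    conditions = {"users": dict(users), "applications": dict(apps)}
    if exclude_platforms:
        conditions["platforms"] = {"includePlatforms": ["all"],
                                   "excludePlatforms": sorted(exclude_platforms)}
    policy = {"displayName": name, "conditions": conditions,
              "state": "enabledForReportingButNotEnforced",  # switch to "enabled" after reviewing sign-in logs
              "grantControls": {"operator": "OR", "authenticationStrength": {"id": PHISHING_RESISTANT}}}
    if every_time:  # Policy 1 only: sign-in frequency = every time
        policy["sessionControls"] = {"signInFrequency": {
            "isEnabled": True, "frequencyInterval": "everyTime",
            "authenticationType": "primaryAndSecondaryAuthentication"}}
    return policy

def build_policies():
    enforced = {"includeGroups": [ENFORCEMENT_GROUP], "excludeGroups": [BREAK_GLASS_GROUP]}
    all_apps = {"includeApplications": ["All"], "excludeApplications": WIZARD_APPS}
    return [
        base_policy("Passkey helper - always require passkey", {"includeUsers": ["All"]},
                    {"includeApplications": [HELPER_APP]}, every_time=True),
        base_policy("Passkeys - desktop OS", enforced, all_apps, {"iOS", "android"}),
        base_policy("Passkeys - mobile OS", enforced, all_apps, {"windows", "macOS", "linux"}),
    ]

def check_coverage(policies):
    """Return (platforms no enforcement policy covers, enforcement policies with no exclude group)."""
    uncovered, no_exclusion = set(ALL_PLATFORMS), []
    for p in policies:
        users, plat = p["conditions"]["users"], p["conditions"].get("platforms")
        if plat:  # this policy applies to every platform it does not exclude
            uncovered -= ALL_PLATFORMS - set(plat["excludePlatforms"])
        if users.get("includeGroups") and not users.get("excludeGroups"):
            no_exclusion.append(p["displayName"])
    return uncovered, no_exclusion

if __name__ == "__main__":
    print(json.dumps(build_policies(), indent=2))
```

Each body can be posted to the Graph conditional access policies endpoint once the placeholders are replaced; leave the state in report-only until the sign-in logs confirm only the intended users are affected.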