entraYK

ℹ️ About

entraYK is a PowerShell module for managing YubiKeys as device-bound passkeys (FIDO2) in Microsoft Entra ID.
Functionality includes the ability to:

⚠️ Disclaimer

The PowerShell module provided herein is made available on an "as-is" basis, without any warranties or representations, whether express, implied, or statutory, including but not limited to implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

💻 Prerequisites

Use of the powershellYK module requires the following prerequisites be met:

  • PowerShell 7 (pwsh)

💾 Installation

To install entraYK:

  1. Open PowerShell
  2. Execute command: Install-Module entraYK
  3. Press Y when prompted to proceed with installation
  4. Execute command: Import-Module entraYK

📖 Usage

Configure the "Passkey (FIDO2)" authentication method

This Cmdlet (Set-YubiKeyAuthMethod) configures the "Passkey (FIDO2)" authentication method in Microsoft Entra ID. Importantly, it configures the method for all users and it enforces FIDO device attestation with whitelisting of YubiKeys. The Cmdlet can whitelist either all(!) FIDO2-capable YubiKeys or select YubiKey models as defined by their AAGUID. The Cmdlet will reject non-Yubico AAGUIDs.

Enable the Passkey method defining all YubiKey models:

Set-YubiKeyAuthMethod -All

Enable the Passkey method defining a specific YubiKey model by AAGUID:

Set-YubiKeyAuthMethod -AAGUID "fa2b99dc-9e39-4257-8f92-4a30d23c4118"

Resulting Entra ID configuration:

NOTE: You can find YubiKey AAGUIDs here


Create a custom authentication strength definition

This Cmdlet (Set-YubiKeyAuthStrength) adds a custom authentication strength to Microsoft Entra ID. The Cmdlet can either add all YubiKeys (with firmware 5.7 or greater) or select YubiKey models as defined by their AAGUID. In addition to any defined YubiKey the Cmdlet will also add support for Temporary Access Pass (TAP) as a single use authenticator. The method created will be named "YubiKey" and can be selected in Conditional Access policies to require phishing-resistant MFA using YubiKeys as device-bound passkeys. An optional user-selected name can be provided using the -Name parameter.

Add a custom authentication strength using all YubiKey models with firmware 5.7+:

Set-YubiKeyAuthStrength -All

Add a custom authentication strength using only select YubiKey model(s) by their AAGUID(s):

Set-YubiKeyAuthStrength -AAGUID "fa2b99dc-9e39-4257-8f92-4a30d23c4118"

Add a custom authentication strength with a name of your choice:

Set-YubiKeyAuthStrength -All -Name "AAL3"

Resulting Entra ID configuration:

NOTE: You can find YubiKey AAGUIDs here


Register a YubiKey as device-bound passkey on behalf of a user or group

This Cmdlet (Register-YubiKey) performs Enrollment On Behalf Of (EOBO), also known as pre-registration, with Microsoft Entra ID. The Cmdlet uses powershellYK for YubiKey configuration and credential creation. It generates a random PIN (unless you specify one); by default the PIN uses digits only (0-9), and -Alphanumeric selects letters and digits. It sets the YubiKey nickname to include the serial number for asset-tracking purposes, and where supported it sets the ForceChangePin flag and enables Restricted NFC. Programming output is presented on screen and also written to an output file (output.csv) in the user's working directory. The -User parameter accepts a User Principal Name (UPN) only, not an Entra object ID.

💡 When using the -Group parameter, you will need a separate YubiKey for each group member.

Register a YubiKey on behalf of a single user:
This command (and the equivalent group command) will use a random 4-character numeric PIN by default.

Register-YubiKey -User "[email protected]"

Register with a random alphanumeric PIN (same default length 4, or combine with -PinLength):

Register-YubiKey -User "[email protected]" -Alphanumeric

Register YubiKeys for all members of a group:

Register-YubiKey -Group "Users"

Register a YubiKey on behalf of a single user with a 6-character random PIN:
This command (and the equivalent group command) sets the minimum PIN length to match the selected length. Unless you pass -Alphanumeric, the PIN uses digits only.

Register-YubiKey -User "[email protected]" -PinLength 6

Register a YubiKey on behalf of a single user with a fixed PIN:

Register-YubiKey -User "[email protected]" -Pin "1234"

Register YubiKeys for all members of a group using a fixed PIN for all users:

Register-YubiKey -Group "Users" -Pin "1234"

Sample output:

UPN,Model,Serial Number,PIN
[email protected],YubiKey 5C NFC,23616243,7391
[email protected],YubiKey 5C NFC,17735649,2846

NOTE: When using -Group, ensure you have a sufficient supply of YubiKeys (one per group member). The cmdlet will prompt you to insert a new YubiKey for each user during the registration process.

NOTE: Some YubiKeys enforce a higher minimum PIN length than the default random PIN. If a FIDO2 PIN is already set on the key, the cmdlet resets FIDO2 first and re-reads the device minimum before validating -PinLength or -Pin.
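The output.csv written by Register-YubiKey contains the initial PIN next to the asset data. The following added example (not part of entraYK) separates the two so the inventory can be shared with asset management without exposing PINs; the column names follow the sample output above, and the inventory file name is an assumption.

```powershell
# Added example (not part of entraYK): split Register-YubiKey's output.csv into
# a PIN-free asset inventory and per-user hand-out records.
# Column names (UPN, Model, Serial Number, PIN) follow the sample output above.

function Split-RegistrationOutput {
    param(
        [Parameter(Mandatory)] [string]$Csv,          # contents of output.csv
        [string]$InventoryPath = 'inventory.csv'      # assumed file name
    )
    $rows = $Csv | ConvertFrom-Csv

    # Inventory for asset tracking: everything except the PIN.
    $rows | Select-Object UPN, Model, 'Serial Number' |
        Export-Csv -Path $InventoryPath -NoTypeInformation

    # Per-user hand-out records, to be delivered to each user out of band.
    # Where ForceChangePin is supported, the user must change the PIN on first use.
    foreach ($r in $rows) {
        [pscustomobject]@{ UPN = $r.UPN; Serial = $r.'Serial Number'; Pin = $r.PIN }
    }
}

# Constructed sample matching the output.csv format; in practice use
# Get-Content .\output.csv -Raw
$sample = @'
UPN,Model,Serial Number,PIN
alice@example.com,YubiKey 5C NFC,23616243,7391
bob@example.com,YubiKey 5C NFC,17735649,2846
'@

$handouts = Split-RegistrationOutput -Csv $sample
$handouts | Format-Table -AutoSize
```

After the hand-outs have been delivered, remove output.csv from the working directory so the PINs do not linger on the enrollment workstation.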


List YubiKey attributes for all or select user(s)

This Cmdlet (Get-YubiKeys) lists properties of enrolled YubiKeys in Microsoft Entra ID. It can perform this listing either for all accessible users or for select user(s) by User Principal Name (UPN). Information presented includes firmware version, nickname, and FIDO certification level.

Get YubiKey information for all users you have access to in the tenant:

Get-YubiKeys -All

Get YubiKey information for a single user:

Get-YubiKeys -User "[email protected]" 

Sample output:

UPN                Nickname        Firmware      Certfication
-------------------------------------------------------------
[email protected]    YubiKey 5 Nano  5.7           L2
[email protected]      YubiKey 5 NFC   5.7           L2
[email protected]     YubiKey 5C NFC  5.2 / 5.4     L1

NOTE: The firmware version shown is derived from the YubiKey AAGUID stored in Entra ID. Because an AAGUID does not necessarily change with firmware version, a YubiKey may be one of several firmware versions, as shown above (5.2 / 5.4).
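Since Set-YubiKeyAuthStrength -All only covers YubiKeys with firmware 5.7 or greater, the Get-YubiKeys listing can be used to find users whose key would not satisfy a Conditional Access policy requiring the "YubiKey" strength. This added example (not part of entraYK) does that audit; it assumes Get-YubiKeys returns objects with UPN, Nickname, Firmware and Certification properties matching the columns of the sample output, and treats an ambiguous firmware ("5.2 / 5.4") conservatively by using the lowest candidate.

```powershell
# Added example (not part of entraYK): audit Get-YubiKeys output for keys that
# cannot satisfy the "YubiKey" authentication strength (firmware 5.7+).
# Assumption: Get-YubiKeys returns objects with UPN, Nickname, Firmware and
# Certification properties matching the columns in the sample output above.

function Get-MinimumFirmware {
    param([string]$Firmware)
    # Firmware may be ambiguous ("5.2 / 5.4") because one AAGUID can cover
    # several versions; take the lowest candidate so the audit stays conservative.
    $versions = $Firmware -split '/' | ForEach-Object { $_.Trim() } |
        Where-Object { $_ -match '^\d+\.\d+(\.\d+)?$' } |
        ForEach-Object { [version]$_ }
    if (-not $versions) { return $null }
    return ($versions | Sort-Object | Select-Object -First 1)
}

function Test-YubiKeyAuthStrengthEligibility {
    param(
        [Parameter(ValueFromPipeline)] [psobject]$Key,
        [version]$Required = [version]'5.7'   # minimum firmware used by Set-YubiKeyAuthStrength -All
    )
    process {
        $min = Get-MinimumFirmware -Firmware $Key.Firmware
        [pscustomobject]@{
            UPN         = $Key.UPN
            Nickname    = $Key.Nickname
            MinFirmware = $min
            Ambiguous   = ($Key.Firmware -like '*/*')
            Eligible    = ($null -ne $min -and $min -ge $Required)
        }
    }
}

# Constructed sample data mirroring the Get-YubiKeys output above; in a real
# tenant replace this with: $keys = Get-YubiKeys -All
$keys = @(
    [pscustomobject]@{ UPN='alice@example.com'; Nickname='YubiKey 5 Nano'; Firmware='5.7';       Certification='L2' }
    [pscustomobject]@{ UPN='carol@example.com'; Nickname='YubiKey 5C NFC'; Firmware='5.2 / 5.4'; Certification='L1' }
)

$report = $keys | Test-YubiKeyAuthStrengthEligibility
$report | Format-Table -AutoSize

# Users whose key cannot meet the strength need a newer YubiKey before a
# Conditional Access policy requiring "YubiKey" is enforced for them.
$report | Where-Object { -not $_.Eligible } |
    ForEach-Object { Write-Warning "$($_.UPN): firmware $($_.MinFirmware) is below 5.7" }
```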


📖 Roadmap

Possible improvements include:

  • Passkey "EOBO" enrollment using powershellYK
  • Add -Name param for Set-YubiKeyAuthStrength
  • Create a Conditional Access Policy
  • Create Kerberos object (pending Microsoft PS Core support)
  • Ability to fetch last used authenticator by UPN

🥷🏻 Contributing

You can help by getting involved in the project, or by donating (any amount!).
Donations will support costs such as domain registration and code signing (planned).


📜 Release History

  • 2026.04.12 v1.0.0
  • 2025.11.08 v0.9.0
  • 2025.03.19 v0.8.0
  • 2025.03.18 v0.7.0
  • 2025.03.18 v0.6.0
  • 2025.03.17 v0.5.0
  • 2025.02.01 v0.4.0
  • 2025.02.01 v0.3.0
  • 2025.01.28 v0.2.0
  • 2025.01.26 v0.1.0
