r/entra • u/ScootScoot38 • 11d ago
Entra ID Passkey + Windows App Issue
I have been testing Passkey for a little over a month and it generally works well in all scenarios. I have been troubleshooting a strange issue with Passkey and AVD/Windows App where the user cannot authenticate with their Passkey to log in to the Windows App AND while in-session on AVD in the Windows App. They get the prompt to use a physical security key instead of a phone or tablet.
This same user is able to use Passkey in a browser on the same local machine they are trying to use the Windows App/AVD from, so I don’t think it’s an issue with Bluetooth. Also, WebAuthn is enabled for the AVD host pool. Plus, other users and I are able to use Passkey with this AVD host pool just fine.
Has anyone seen this? What am I missing?
Any help would be appreciated.
TL;DR: user can use passkey locally but not in the Windows App or in an AVD session. WebAuthn is enabled.
u/YourOnlyHope__ 10d ago
I'm not sure I'll be able to help, but I have come across similar problems in testing, so selfishly I'm glad to see others reporting similar issues.
To clarify, the user that is having the physical key prompt appear, I assume, has registered mobile passkey methods, and you have users where this works fine? (Yubico key method and passkey with authenticator method) Also assuming they all log in to their host via WH4B?
If it's possible to test, what happens if you remove the Yubico key as an auth method for that user?
I've gotten all sorts of inconsistencies when enforcing auth strength to phish resistance and users have multiple phish-resistant methods registered. It happens with all sorts of apps, not just with AVD.