top of page
Writer's pictureJohn Craddock

Using a USB Yubikey 4 for MFA with Azure AD

Updated: Sep 14, 2018

I have often been asked about how could we provide MFA for users were they either don’t have a phone or they are in area with no mobile signals – from my days of working in cages on the floor of a datacentre I know the problems.


One solution which I think is neat and elegant is to use a Yubikey 4, this combined with the Yubico Authenticator app gives you all you need.


Caveat: I can’t find any solid reinforcing documentation and consequently do not know if it is a supported solution. If you use it in your environment, it is down to you to check on support and security.

Update: Daniel Stefaniak from Microsoft point me to some documentation here

Update: The QR Scan is now working perfectly with the new security info UI experience. For details on the preview UI take a look here



Step 1: Purchase a Yubikey 4. https://www.yubico.com for details.


Yubikey 4

Step 2: In the Azure AD portal go to Users | Multi-Factor Authentication | service settings and enable " Verification code from mobile app or hardware token"


Make sure verification codes are enabled

Step3: Install the Authenticator App from https://www.yubico.com/products/services-software/download/ and insert the key. You may need to restart the app after inserting the key.


Yubico Authenticator App

Step 4: Make sure that the preview features for registering and managing security info (see the wrap-up below) are not enabled for the user. Send the user to "MyApps | Profile | Additional security verification" or via the direct link https://aka.ms/mfasetup to register their security settings.


Verifying the security settings

Step 5: Select the Authenticator app and click configure, click on Configure app without notification and you will get a second QR code.

Step 6: Here's some magic, in the Yubico Authenticator App, click File | Scan QR code… If you watch really carefully you will see a scanner come out of your screen and snag the QR code. If you don’t believe in magic, shame, you could put it down to a screen scrape.


Getting the credentials

Step 7: Now that the credentials have been captured, confirm and save the settings, you will need a code from your authenticator. You could also choose the Yubikey as the default verification option.


Step 8: Use your new MFA option...


Signing-in

Wrap-Up


If you are using the new preview of the combined SSPR and MFA security registration, scan the QR Code and you are all set, see the screenshots below. When I first tested this the Authenticator would not scan the code, it now works perfectly.


I really must get on with preparing for my Microsoft Ignite sessions, I hope to see you there! Please follow me on Twitter @john_craddock and let me know if you found this blog post useful.


New Security info UI


3,154 views0 comments

Comments


bottom of page