
How to leverage FIDO2 keys for Intune Admins – Mobile-First Cloud-First

maximios June 28, 2022

Using security keys such as FIDO2 keys when you sign in to a service helps you go passwordless. Security keys are not only for end users; they can also be used by administrators signing in to a web service, in this case the Microsoft Endpoint Manager admin center.
In this blog post I will walk you through setting up your Azure Active Directory tenant to allow FIDO2 keys, creating an Intune Admin user with rights only to Intune, and what the IT admin end-user experience looks like.

Role Based Access Control (RBAC) is important for many enterprises, but I still see users who are not Global Admins in a tenant without any extra security, so that is the main reason I created this blog post: to show a new way of securing your privileged roles inside your Azure Active Directory.

It is important to start looking at going passwordless; for the normal user, Windows Hello for Business on Windows 10 is starting to get adopted. To find a solution that also works for administrators, I think FIDO2 keys are a nice and easy way to get started. You should not give up on Conditional Access and MFA just because you are looking at other solutions.

Requirements:

Setting up your tenant for security keys:

If your tenant is already set up to use security keys, you can skip this part.

Start the Azure Active Directory admin center.

  1. Click Azure Active Directory
  2. Click Security
  3. Click Authentication methods
  4. Click Enable
  5. Set Enforce key restriction to No (while you are starting to test)
  6. Click Save

Now you are ready to have your users enroll their FIDO2 security keys.

Set up an Azure Active Directory user as Intune Administrator

In this part of the blog post I will walk through setting up a standard user in Azure AD with role based access control (RBAC).

Start the Azure Active Directory admin center, go to Users, and find the standard user you want to make an Intune Administrator.

  1. Search for Intune
  2. Select Intune administrator

Now your standard user has access as an Intune administrator.
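The two portal procedures above (enabling FIDO2 keys tenant-wide with key restrictions off, then giving a standard user the Intune Administrator role) can also be scripted with Microsoft Graph PowerShell. This is an added example, not code from the original post; it assumes the Microsoft.Graph module is installed and uses a placeholder user principal name in `$AdminUpn`.

```powershell
# Added example (not from the original post). Assumptions: Microsoft.Graph
# module installed; $AdminUpn is the standard user to become Intune Administrator.
$AdminUpn = 'intune.admin@contoso.example'   # placeholder, replace with your user

# Scopes: authentication method policy write, directory role assignment write,
# user lookup, and read of registered authentication methods for the final check.
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod',
                        'RoleManagement.ReadWrite.Directory',
                        'User.Read.All',
                        'UserAuthenticationMethod.Read.All'

# 1. Enable the FIDO2 security key method for the tenant. Key restrictions are
#    left unenforced, matching the "Enforce key restriction: No" test setting;
#    tighten them (isEnforced = $true plus an allow list of AAGUIDs) once
#    you know which key models you want to permit.
$fido2 = @{
    '@odata.type'                    = '#microsoft.graph.fido2AuthenticationMethodConfiguration'
    state                            = 'enabled'
    isSelfServiceRegistrationEnabled = $true    # users can add keys in My Account
    isAttestationEnforced            = $false
    keyRestrictions                  = @{
        isEnforced      = $false
        enforcementType = 'block'
        aaGuids         = @()
    }
}
Invoke-MgGraphRequest -Method PATCH `
    -Uri 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2' `
    -Body $fido2 -ContentType 'application/json'

# 2. Assign the Intune Administrator role to the standard user at directory scope.
$user = Get-MgUser -UserId $AdminUpn
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Intune Administrator'"
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $user.Id `
    -RoleDefinitionId $role.Id -DirectoryScopeId '/' | Out-Null

# 3. Check: list the FIDO2 keys registered on that user (empty until they enroll one).
Get-MgUserAuthenticationFido2Method -UserId $user.Id |
    Select-Object DisplayName, Model, CreatedDateTime
```

The final query is also a handy audit of which privileged accounts actually have a key registered before you rely on passwordless sign-in for them.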

User registration and management of FIDO2 security keys

Start My Account and sign in with your new Intune administrator.

  1. Click Update Info under the Security info heading
  2. Click Add method to add your FIDO2 Security Key
  3. Click Add
  4. Select USB device (in my case I have a USB FIDO2 Security Key)
  5. Click Next (you will then be validated with Azure MFA)
  6. Click Next
  7. Insert your FIDO2 Security Key; the browser will look for your FIDO2 Security Key
  8. Continue setup
  9. Enter a PIN for this Security Key
  10. Re-enter your PIN
  11. Click OK
  12. Enter a name for your security key
  13. Click Next

Now you are all done and ready to use the FIDO2 Security Key for sign-in.

What it looks like from the IT admin end-user perspective

Start the Microsoft Endpoint Manager admin center.

  1. Click “Sign in with a security key” (do not enter your username)
  2. You are prompted to insert your security key into the USB port
  3. Enter your Security Key PIN
  4. Click OK
  5. Touch your Security Key

Now you will be logged into the portal as your Intune administrator without entering the password.

See my video of the IT admin end-user experience logging into the Microsoft Endpoint Manager admin center.

Happy testing

Read more:

Enable passwordless security key sign in (preview)
