Authentication Method - FIDO2 security key - Enforce attestation
Why This Matters
Enforcing attestation for FIDO2 security keys ensures that only hardware-verified devices are registered in your organization. Without this enforcement, users could register non-compliant or potentially compromised security keys, weakening phishing-resistant authentication and increasing the risk of credential theft.
What Aether365 Checks
This check verifies that the isAttestationEnforced setting is enabled in the FIDO2 authentication method configuration within your Microsoft Entra ID tenant. You can see the status of this check in the Aether365 dashboard under the entra-id security scans.
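The same check can be reproduced by hand against the Microsoft Graph representation of the FIDO2 configuration. The following is an added example, not Aether365's own code: the sample response is constructed, and the function name, the "not_applicable" status and the remediation_patch field are assumptions made for illustration.

```python
"""Evaluate an Entra ID FIDO2 method configuration for attestation enforcement."""
import json

# Microsoft Graph resource that holds the isAttestationEnforced setting.
FIDO2_CONFIG_URL = (
    "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy"
    "/authenticationMethodConfigurations/fido2"
)

# Constructed sample of a GET response, trimmed to the fields this check reads.
SAMPLE_RESPONSE = json.loads("""
{
  "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
  "id": "Fido2",
  "state": "enabled",
  "isSelfServiceRegistrationAllowed": true,
  "isAttestationEnforced": false
}
""")


def check_attestation(config: dict) -> dict:
    """Return a finding whose status is 'pass', 'fail' or 'not_applicable'."""
    if str(config.get("id", "")).lower() != "fido2":
        raise ValueError("not a FIDO2 authentication method configuration")
    if config.get("state") != "enabled":
        # Method is switched off, so no security key can be registered at all.
        return {"status": "not_applicable", "reason": "FIDO2 method is disabled"}
    # A missing or null value counts as not enforced (fail closed).
    if config.get("isAttestationEnforced") is True:
        return {"status": "pass", "reason": "attestation is enforced"}
    return {
        "status": "fail",
        "reason": "isAttestationEnforced is not true",
        # Request body for a PATCH to FIDO2_CONFIG_URL that turns the setting on.
        "remediation_patch": {
            "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
            "isAttestationEnforced": True,
        },
    }


if __name__ == "__main__":
    print(json.dumps(check_attestation(SAMPLE_RESPONSE), indent=2))
```

Feed the function the JSON body returned by a GET on FIDO2_CONFIG_URL; fetching it requires an access token for Microsoft Graph, which is outside the scope of this example.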
How to Fix
To enforce attestation for FIDO2 security keys, use the Azure portal: