# _general
s
Hi all, can anyone tell me why I would want to limit or enforce keys (passkeys like YubiKey, etc.) to specific AAGUID devices? Should I care what FIDO keys people use to save passkeys on?
j
wow crazy you brought this up. I literally had this discussion with my team today. You don't really have a choice if you want to use Authenticator as a passkey. The authentication methods for passkeys (FIDO2) require you to use the AAGUID for iOS and Android, as well as any other FIDO2 key you may have in use. Once you have this you need to ensure all of the AAGUIDs are in your strong authentication methods for conditional access. I had to add all of my AAGUIDs for all YubiKeys in use as well as the iOS and Android passkeys
hope that helps!
s
funny, that's what I'm playing with. However, I can confirm I was able to get the Authenticator app to work with the "enforce key restrictions" set to No.
j
and we used the get-passkeyDeviceBoundAAGUID cmdlet to get all the guids in use
but are you wanting to use Authenticator as a passkey? Or just regular push?
s
However, do note that it was set to Yes at one point so that the Microsoft Authenticator AAGUIDs are there from the previous Yes. This works with the auth app as a passkey
j
Because I never got the option to add a passkey until I added this with Yes and added the Authenticator checkbox
Ha!
and that worked!?
s
This works currently, yes
YubiKeys and Auth app are both storing keys with this setting
j
well I'd probably stick with that. I'm afraid management of the AAGUIDs will be difficult
I may have to try this as well
s
But my bigger question is why would I want to limit to certain vendors via AAGUIDs
(the physical passkeys)? Are there vendors not to trust or weaker versions of certain keys, say from YubiKey?
j
just so you don’t have a bad actor trying to add a malicious hardware token
yeah that too would be my guess
it’s all about control I suppose. You know you have a specific token to issue to employees and if it falls outside that version they cannot register it
s
Where did you run "get-passkeyDeviceBoundAAGUID" to get the AAGUIDs? Azure AD PowerShell?
j
Graph. One sec