3 Issuing passkeys with Microsoft Entra
You can use Microsoft Entra as the authentication server for issuing passkeys, while still using MyID CMS for credential management.
Within Entra, you require an Enterprise Application registered to allow the MyID server to access the APIs. You require information about this application when you set up the external system that allows MyID to communicate with the Entra server; see section 3.7.3, Setting up the external system.
A primary requirement for MyID to issue passkeys with Microsoft Entra is that there is a link between the user's Entra account and their MyID account.
One way to achieve this is to add the ObjectGUID of the user's account in Entra to the MyID CMS database. Currently, the user's Entra ID ObjectGUID is not typically available in an on-premises Active Directory, so you cannot synchronize it into the MyID database automatically.
This means that to add the Entra ObjectGUID to MyID, you must use one of the following processes:
- Register the passkey using the MyID Self-Service Request Portal configured to use Microsoft Entra for authentication.
  See section 3.1, Registering the Entra ID using the Self-Service Request Portal.
  This is the recommended method for this release, as the Entra ObjectGUID is added to the MyID database automatically when you use Entra for authentication to the Self-Service Request Portal. If you want to use an alternative method of issuing the passkey, you must add the ObjectGUID to the person's MyID account first.
- Add the Entra ObjectGUID to the user's MyID account using the MyID Operator Client.
  See section 3.2, Updating the Entra ID using the MyID Operator Client.
- Add the Entra ObjectGUID to the user's MyID account using the MyID Core API.
  See section 3.3, Updating the Entra ID using the MyID Core API.
- Add the Entra ObjectGUID to the user's MyID account by updating the MyID database directly.
  See section 3.4, Updating the Entra ID in the database directly.
Alternatively, MyID also supports the use of the User Principal Name as the matching criterion for Entra ID; in this case, as the User Principal Name may already be known to your MyID system through Active Directory synchronization, you do not need to add the Entra ObjectGUID manually or through the Self-Service Request Portal.
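The link described above depends on each MyID account holding the correct Entra ObjectGUID (the object ID that Microsoft Graph returns as `id`). As an added example that is not from the MyID documentation or from Intercede, this PowerShell script uses the Microsoft Graph PowerShell SDK to look up that value for a list of UPNs, refuses any UPN that does not resolve to exactly one exactly-matching account, and writes a CSV you can then apply with the Operator Client, Core API or database methods in sections 3.2 to 3.4. The Microsoft.Graph.Users module, the `User.Read.All` scope, the function name and the sample UPNs are assumptions.

```powershell
# Added example, not part of the MyID documentation. Assumes the Microsoft.Graph.Users
# module is installed and the signed-in account holds the User.Read.All Graph permission.
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes 'User.Read.All'

function Get-EntraObjectIdMap {
    # Hypothetical helper: emits one object per UPN that resolved cleanly.
    param([Parameter(Mandatory)][string[]]$Upns)

    foreach ($upn in $Upns) {
        # A filter query returns an empty set for an unknown user (no exception) and
        # shows whether more than one object claims the UPN. Guest accounts whose
        # UPN contains #EXT# are not handled here.
        $escaped = $upn.Replace("'", "''")
        $found = @(Get-MgUser -Filter "userPrincipalName eq '$escaped'" -Property Id,UserPrincipalName)

        if ($found.Count -ne 1) {
            Write-Warning "$upn -> expected one Entra account, found $($found.Count); not mapped"
            continue
        }

        $user = $found[0]
        $guid = [guid]::Empty
        # Require an exact UPN match (case-insensitive, as -ne is in PowerShell) and a
        # well-formed GUID, so a wrong identity is never written into External Reference ID 1.
        if ($user.UserPrincipalName -ne $upn -or -not [guid]::TryParse($user.Id, [ref]$guid)) {
            Write-Warning "$upn -> Graph returned '$($user.UserPrincipalName)' / '$($user.Id)'; not mapped"
            continue
        }

        [pscustomobject]@{
            UserPrincipalName = $upn
            EntraObjectGuid   = $guid.ToString()
        }
    }
}

# Constructed sample UPNs; replace with the accounts you need to link.
$map = Get-EntraObjectIdMap -Upns @('alice@contoso.example', 'bob@contoso.example')
$map | Format-Table -AutoSize

# Hand the CSV to whichever method in sections 3.2 to 3.4 you use to populate MyID.
$map | Export-Csv -Path '.\entra-objectguid-map.csv' -NoTypeInformation
```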
Once you have configured MyID to link the user's Entra account to their MyID account, you can issue passkeys using a variety of standard MyID issuance processes, including:
- Creating an issuance request in MyID, with MyID authentication as an alternative to Entra authentication during the registration process.
- Using smart card logon as authentication to collect the passkey.
- Through the Self-Service Request Portal with certificate-based authentication (derived credentials). When you use this method, if the certificate used for authentication has been issued by a different system, the UPN of the user account in Entra must be present in the certificate that initiates the request.
You can view a person's Entra ID on the Account tab of the View Person screen in the MyID Operator Client; by default, the Entra ID is stored in the External Reference ID 1 field, but you can also use the External Reference ID 2 and External Reference ID 3 fields.
Note: The registration process currently uses a combination of the Self-Service Request Portal web page and installed MyID client software (MyID Client Services) – however, at this time, collection using the MyID Self-Service App or MyID Desktop is not supported.
You must carry out the following to configure your system to issue passkeys with Microsoft Entra:
- Configure your Microsoft Entra system.
- Configure the Self-Service Request Portal.
  See section 3.6, Configuring the Self-Service Request Portal.
- Configure your MyID system.
  See section 3.7, Configuring MyID to issue passkeys using Microsoft Entra.