In this guide, we will walk through the process of pre-registering a FIDO authenticator with Microsoft Entra ID.
Pre-registration allows administrators to associate authenticators with user accounts before first sign-in, simplifying onboarding and enabling ready-to-use security keys for enterprise deployments.
Pre-registering an authenticator with EntraID
Prerequisites
- EntraID is configured for CredConnect, and CredConnect is provisioned with the EntraID credentials (see [Setting up EntraID for Secupas CredConnect])
- The CredConnect app is downloaded and installed
EntraID pre-registration overview
The EntraID pre-registration page contains all required options and settings for pre-registering authenticators to user accounts.
User Selection:
In this section, you select the EntraID group and then the specific user within that group for whom the authenticator will be pre-registered.
Once a user is selected, they appear in the "Selected User" section.
Administrators can review all authenticators associated with the user account and, if required, permanently remove them so they can no longer be used to sign in. This is useful for ongoing user lifecycle and credential management, for example when a key has been lost or replaced.
Configuration:
In this section, administrators can manage pre-registration workflow settings, including removal of existing user authenticators, PIN reset behavior, and configuration of the Secupas PIN Delivery Service.
a. Delete Previously Registered Security Keys / Cards - If enabled, all FIDO2 authenticators already registered to the user account are removed after the new security key has been enrolled. Because removal happens only once the new enrollment has succeeded, the user is never left without a registered authenticator, but any older keys or cards the user still holds will stop working for EntraID sign-in.
b. RESET AUTHENTICATOR - This setting gives the administrator three authenticator reset modes:
- DO NOT RESET — The authenticator is not reset, so the administrator must enter its current PIN to enroll the new credential. Existing credentials and other services that use the security key or smart card remain unaffected.
- RESET WITH RANDOM PIN — The authenticator is fully reset and initialized with a randomly generated PIN, which is displayed to the administrator. A backup copy of the PIN is stored in the PIN Codes tab.
- RESET WITH SPECIFIED PIN — The authenticator is fully reset and initialized with an administrator-defined PIN, which is displayed to the administrator. A backup copy of the PIN is stored in the PIN Codes tab.
Note that a full reset erases every credential stored on the authenticator, so any other relying parties the key or card was registered with will need to be re-enrolled.
In either reset mode, if the Secupas PIN Delivery Service (PDS) is enabled, the user will receive a secure PDS link to retrieve their PIN code.
The Preferred Language setting allows administrators to define the language used for the PIN retrieval email. After opening the retrieval link, users can also change the language directly within the PDS portal.
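The two reset modes end with a PIN being set on a freshly reset authenticator, and RESET WITH SPECIFIED PIN in particular depends on the administrator choosing a value the authenticator will accept. The following is an added example, not CredConnect code and not a documented CredConnect policy: it generates a random PIN with a CSPRNG and pre-checks a specified PIN against the CTAP2 client PIN rules (at least 4 Unicode code points by default, at most 63 bytes once NFC-normalised and UTF-8 encoded, because the platform zero-pads the PIN to 64 bytes before encrypting it). The six-digit default length and all sample inputs are assumptions made for illustration; an authenticator may advertise a higher minimum PIN length than the default used here.

```python
"""Added example (not CredConnect code): PIN generation and CTAP2 PIN checks."""
import secrets
import string
import unicodedata

# CTAP2 client PIN constraints, taken from the CTAP specification rather than
# from any CredConnect setting. An authenticator may raise the minimum via its
# advertised minPinLength; the byte ceiling follows from 64-byte zero padding.
CTAP2_DEFAULT_MIN_PIN_LENGTH = 4
CTAP2_MAX_PIN_BYTES = 63
CTAP2_PADDED_PIN_LENGTH = 64


def normalize_pin(pin: str) -> bytes:
    """NFC-normalise (as CTAP2.1 asks of the platform) and UTF-8 encode the
    PIN; the 63-byte limit applies to this encoded form, not to characters."""
    return unicodedata.normalize("NFC", pin).encode("utf-8")


def validate_pin(pin: str, min_pin_length: int = CTAP2_DEFAULT_MIN_PIN_LENGTH) -> list:
    """Return the reasons a CTAP2 authenticator would reject the PIN; an empty
    list means it is acceptable. Intended as a pre-check for a value typed
    into RESET WITH SPECIFIED PIN before the authenticator is wiped."""
    problems = []
    normalized = unicodedata.normalize("NFC", pin)
    if len(normalized) < min_pin_length:
        problems.append("too_short")   # minimum is counted in code points
    if len(normalized.encode("utf-8")) > CTAP2_MAX_PIN_BYTES:
        problems.append("too_long")    # maximum is counted in UTF-8 bytes
    return problems


def pad_pin(pin: str) -> bytes:
    """Zero-pad the encoded PIN to 64 bytes the way a CTAP2 platform does
    before encrypting it for setPIN; raises if it would not fit."""
    raw = normalize_pin(pin)
    if len(raw) > CTAP2_MAX_PIN_BYTES:
        raise ValueError("PIN exceeds 63 UTF-8 bytes")
    return raw + b"\x00" * (CTAP2_PADDED_PIN_LENGTH - len(raw))


def generate_random_pin(length: int = 6) -> str:
    """Numeric PIN drawn from the secrets module (CSPRNG), never random.random.
    Six digits is an assumed default; the page does not document the length
    CredConnect uses for RESET WITH RANDOM PIN."""
    if length < CTAP2_DEFAULT_MIN_PIN_LENGTH:
        raise ValueError("length below the CTAP2 minimum PIN length")
    return "".join(secrets.choice(string.digits) for _ in range(length))


if __name__ == "__main__":
    print("random PIN:", generate_random_pin())
    # Constructed inputs: a valid PIN, one that is too short, and 32 two-byte
    # characters, which pass the code-point minimum but total 64 bytes.
    for candidate in ("1234", "123", "ü" * 32):
        print(repr(candidate[:8]), validate_pin(candidate) or "ok")
```

The third constructed input is the edge case worth remembering: a PIN made of non-ASCII characters can satisfy the minimum length while still being rejected for its byte length.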
Authenticator Information:
In this section, administrators can view detailed information about the selected authenticator, including the authenticator model name, AAGUID, FIDO certification level, and vendor logo. This section also provides controls to start or cancel the pre-registration process.
Pre-registering an authenticator with a user account
Step 1: Select the group and the account you wish to pre-register.
Step 2: Insert the security key you wish to pre-register into the device, or place the NFC security key or smart card on the reader.
Note: The application detects only the most recently connected authenticator within the current session, to prevent accidentally writing to the wrong device. If the authenticator does not appear, disconnect it and reconnect it to the device or NFC reader.
Step 3: Check the settings and ensure that they are correct, in particular the reset mode, since a reset of the authenticator cannot be undone.
Step 4: Start Pre-Registration - Click “Add Authenticator to User Account” and follow the on-screen instructions.
Note: During the pre-registration process, the authenticator may require physical interaction, such as unplugging and reconnecting the device (power-cycling) or pressing the touch sensor/button on the authenticator itself.
Step 5: You are done! The authenticator is pre-registered.
If the Secupas PIN Delivery Service (PDS) is enabled, the authenticator PIN will be securely delivered to the user. Administrators can also recover the PIN at any time through the PIN Codes tab.
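After the procedure above, a practitioner usually wants to confirm in EntraID that the new method is actually present on the account, that its AAGUID (shown under Authenticator Information) is permitted by the tenant's FIDO2 policy, and which older methods the "Delete Previously Registered Security Keys / Cards" option would remove. The following is an added example, not CredConnect code and not the way CredConnect performs these steps internally: it works on a constructed copy of the Microsoft Graph `fido2AuthenticationMethod` objects returned by `GET /users/{id}/authentication/fido2Methods` and a constructed `keyRestrictions` fragment of the FIDO2 authentication method policy. The ids, AAGUIDs, model names, timestamps and the `user@example.com` principal are made up; the function names are mine. The example builds the Graph DELETE requests but deliberately does not send them.

```python
"""Added example (not CredConnect code): post-registration checks against the
shape of Microsoft Graph's fido2Methods data. All sample data is constructed."""
import json
from datetime import datetime
from typing import List, Optional

# Constructed sample of GET /users/{id}/authentication/fido2Methods.
SAMPLE_FIDO2_METHODS = json.loads("""
{
  "value": [
    {
      "id": "a1b2c3d4-0000-4000-8000-000000000001",
      "displayName": "Old desk key",
      "createdDateTime": "2023-02-01T09:00:00Z",
      "aaGuid": "11111111-2222-3333-4444-555555555555",
      "model": "Example Key v1",
      "attestationLevel": "attested"
    },
    {
      "id": "a1b2c3d4-0000-4000-8000-000000000002",
      "displayName": "Pre-registered smart card",
      "createdDateTime": "2024-06-10T14:32:10Z",
      "aaGuid": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
      "model": "Example Card v2",
      "attestationLevel": "attested"
    }
  ]
}
""")

# Constructed fragment of the tenant's FIDO2 policy (keyRestrictions on the
# fido2AuthenticationMethodConfiguration resource). With enforcementType
# "allow", only the listed AAGUIDs can be registered; "block" is the inverse.
SAMPLE_KEY_RESTRICTIONS = {
    "isEnforced": True,
    "enforcementType": "allow",
    "aaGuids": ["aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"],
}

GRAPH_BASE = "https://graph.microsoft.com/v1.0"


def parse_time(value: str) -> datetime:
    """Parse a Graph ISO-8601 timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def aaguid_permitted(restrictions: dict, aaguid: str) -> bool:
    """Check the AAGUID from Authenticator Information against the tenant
    policy, so a model the policy blocks is caught before the key is reset."""
    if not restrictions.get("isEnforced"):
        return True
    listed = aaguid.lower() in {a.lower() for a in restrictions.get("aaGuids", [])}
    if restrictions.get("enforcementType") == "allow":
        return listed
    return not listed


def find_new_method(payload: dict, aaguid: str, registered_after: datetime) -> Optional[dict]:
    """Locate the method created by the pre-registration: same AAGUID as the
    enrolled authenticator and created after pre-registration started.
    Returns the newest match, or None if EntraID shows no such method."""
    matches = [
        m for m in payload["value"]
        if m["aaGuid"].lower() == aaguid.lower()
        and parse_time(m["createdDateTime"]) >= registered_after
    ]
    return max(matches, key=lambda m: parse_time(m["createdDateTime"]), default=None)


def methods_to_remove(payload: dict, keep_id: str) -> List[str]:
    """Mirror the 'Delete Previously Registered Security Keys / Cards' option:
    every FIDO2 method on the account except the newly enrolled one."""
    return [m["id"] for m in payload["value"] if m["id"] != keep_id]


def delete_requests(user: str, method_ids: List[str]) -> List[str]:
    """Build, but do not send, the Graph DELETE requests that would remove the
    old methods, so they can be reviewed before being issued with an admin token."""
    return [f"DELETE {GRAPH_BASE}/users/{user}/authentication/fido2Methods/{mid}"
            for mid in method_ids]


if __name__ == "__main__":
    enrolled_aaguid = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # from Authenticator Information
    started = parse_time("2024-06-10T14:00:00Z")               # when pre-registration began
    print("AAGUID allowed by policy:", aaguid_permitted(SAMPLE_KEY_RESTRICTIONS, enrolled_aaguid))
    new = find_new_method(SAMPLE_FIDO2_METHODS, enrolled_aaguid, started)
    if new is None:
        raise SystemExit("pre-registration did not show up in EntraID")
    print("new method:", new["displayName"], new["id"])
    for req in delete_requests("user@example.com", methods_to_remove(SAMPLE_FIDO2_METHODS, new["id"])):
        print(req)
```

Matching on AAGUID plus creation time rather than on display name is deliberate: display names are free text, while the AAGUID identifies the authenticator model and the timestamp ties the method to this enrollment session.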