Some of the users at GBPO use YubiKeys instead of the HYPR app on their phones. For these to work, the YubiKeys are registered as passkeys in Entra ID. These users do not authenticate via HYPR; they authenticate directly against Entra ID.


For this HYPR bypass to occur, the user needs to be a member of this AD group: "PILOT - PTA & SSO".

IMPORTANT: HYPR web auth will stop working for anyone in the group, so only add users with this specific use case, i.e. GBPO users who use YubiKeys.


In order for GBPO users to initially enrol their YubiKey in Entra ID, they need to be able to access https://mysignins.microsoft.com/security-info from their local device. However, there are two issues with this:

  1. They'll need to enter their password
  2. Access to this site is blocked from non-Maddocks devices


Therefore, if a user ever needs to enrol a new YubiKey or re-enrol an existing one, please follow the below process:

  1. Ensure they are a member of the AD Group: "PILOT - PTA & SSO"
  2. Disable "Smart card is required for interactive logon" on their account.
  3. Set a new complex password on their account.
  4. Add the user to the Entra ID Group: "TEMP GROUP: Passkey Setup".
  5. Provide the new password to GBPO IT (Ruan or Kenneth), and advise them they can now assist the user with enrolling the YubiKey (they know what to do).


Once GBPO IT has confirmed the enrolment is complete:

  1. Remove the user from the Entra ID group: "TEMP GROUP: Passkey Setup"
  2. Re-enable "Smart card is required for interactive logon" on their account.
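

The two procedures above as a PowerShell sketch. This is an added example, not an existing Maddocks script: the function names are hypothetical, and it assumes the ActiveDirectory and Microsoft.Graph modules, an existing Connect-MgGraph session allowed to edit group membership, and that each user's AD UPN matches their Entra ID UPN. The close-out function verifies that both temporary exceptions are actually gone, so an account is not left with password sign-in enabled.

```powershell
# Added example: function names are hypothetical; group names come from this page.
$PilotGroup = 'PILOT - PTA & SSO'          # AD group (HYPR bypass)
$TempGroup  = 'TEMP GROUP: Passkey Setup'  # Entra ID group (temporary)

function Get-TempGroupId {
    # Resolve the Entra ID group by display name; refuse to guess between duplicates.
    $g = @(Get-MgGroup -Filter "displayName eq '$TempGroup'")
    if ($g.Count -ne 1) { throw "Expected 1 group named '$TempGroup', found $($g.Count)" }
    $g[0].Id
}

function Start-PasskeyEnrolment {
    param([Parameter(Mandatory)][string]$SamAccountName,
          [Parameter(Mandatory)][securestring]$NewPassword)
    $user  = Get-ADUser $SamAccountName -Properties MemberOf
    $pilot = Get-ADGroup -Filter "Name -eq '$PilotGroup'"
    # Step 1: check direct membership only. Adding a user breaks HYPR web auth
    # for them, so that decision is left to the operator.
    if ($user.MemberOf -notcontains $pilot.DistinguishedName) {
        throw "$SamAccountName is not a member of '$PilotGroup'"
    }
    Set-ADUser $user -SmartcardLogonRequired $false                 # Step 2
    Set-ADAccountPassword $user -Reset -NewPassword $NewPassword    # Step 3
    $mgUser = Get-MgUser -UserId $user.UserPrincipalName
    New-MgGroupMember -GroupId (Get-TempGroupId) -DirectoryObjectId $mgUser.Id  # Step 4
    # Step 5 (passing the password to GBPO IT) stays a manual, out-of-band step.
}

function Complete-PasskeyEnrolment {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user    = Get-ADUser $SamAccountName
    $mgUser  = Get-MgUser -UserId $user.UserPrincipalName
    $groupId = Get-TempGroupId
    Remove-MgGroupMemberByRef -GroupId $groupId -DirectoryObjectId $mgUser.Id   # Step 1
    Set-ADUser $user -SmartcardLogonRequired $true                              # Step 2
    # Verify both temporary exceptions were rolled back.
    $check = Get-ADUser $SamAccountName -Properties SmartcardLogonRequired
    if (-not $check.SmartcardLogonRequired) { throw 'Smart card requirement is still off' }
    if ((Get-MgGroupMember -GroupId $groupId -All).Id -contains $mgUser.Id) {
        throw "User is still a member of '$TempGroup'"
    }
}

# Usage (jsmith is a constructed account name):
# Start-PasskeyEnrolment -SamAccountName jsmith -NewPassword (Read-Host -AsSecureString 'New password')
# Complete-PasskeyEnrolment -SamAccountName jsmith
```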