@Thomas_Live and @samilamppu quietly built one of the most useful open projects for Entra ID defenders. The Entra ID Attack & Defense Playbook It’s free, community-driven, and packed with real detection logic and KQL queries. 🧵👇

So who else has seen this 'Enforce attestation' setting and didn't really understand what it does? Well you can count me as one of the clueless until today. So I had to create this visual so I won't forget it the next time. (Bookmark this!)👇 What is Passkey Attestation? ❓ Passkey attestation is a verification process that ensures: 🎯 The passkey was created by a legitimate, trusted authenticator ✅ 🎯 The authenticator meets security and compliance requirements 📋 🎯 The passkey is hardware-backed and meets organizational security policies 🏢 🔑 For FIDO2 Security Keys: → Microsoft relies on the FIDO Alliance Metadata Service (MDS) to validate security keys → During registration, security keys must provide a "packed" attestation statement as defined by the FIDO standard → The attestation certificate must chain back to roots in the FIDO Alliance MDS → Each security key has an Authenticator Attestation GUID (AAGUID) - a 128-bit identifier indicating the key type and model 📱For Microsoft Authenticator: → 🍎 iOS: Uses the iOS App Attest service to verify the legitimacy of the Authenticator app. → 🤖 Android: Uses two methods: → Play Integrity API to verify app legitimacy. → Android key attestation to verify hardware backing. 🎛️ Configuration Options Administrators can configure attestation enforcement in the Passkey (FIDO2) authentication method policy: 👍 Enforce attestation = Yes : Only allows registration of attested passkeys from verified vendors/apps. 👎 Enforce attestation = No : Allows any passkey but still collects attestation data. Requirements for Vendor Compliance ☑️ ✅ For FIDO2 security keys to pass attestation when enforcement is enabled: ✅ FIDO2 certification at any level 🏅 ✅ Metadata published to FIDO Alliance MDS 📖 ✅ Support for FIDO 2.0 or higher ⬆️ ✅ User verification capability (biometrics or PIN) 👆 ✅ Resident keys (discoverable credentials) 🔎 ✅ HMAC secret or PRF extension support 🔐 🏆 Benefits 💜 Security Assurance: Ensures only legitimate, hardware-backed passkeys are registered 🔰 💜 Vendor Verification: Validates that passkeys come from trusted manufacturers/providers 🤝 💜 Compliance: Helps organizations meet security requirements by blocking potentially compromised authenticators 📋 💜 Hardware Backing: Ensures passkeys are stored in secure hardware elements 🤔 Limitations and Considerations → ☁️ Attestation relies on external services (Apple, Google) which can experience outages → ⏳ There may be up to a 4-week delay for new security keys to be recognized after appearing in FIDO Alliance MDS → 🔄 Heavy service usage can cause registration failures requiring retry attempts To learn more see: → Entra ID attestation vendors - learn.microsoft.com/en-us/en… → Enable passkeys in Authenticator - learn.microsoft.com/en-us/en… If you found this useful please, bookmark, like, and retweet 🙏 Follow me for more tips like this.