Microsoft Entra Passkeys integration
This section describes the Microsoft Entra Passkeys integration. It covers registering the Microsoft Entra application, configuring the Microsoft Entra connector in Veridium Manager, and enabling passkey enrollment through policy.
Register Microsoft Entra Application
The Veridium Manager Entra Connector requires a registered Microsoft Entra application to call Microsoft Graph APIs securely.
Log in to the Microsoft Entra admin center.
Navigate to:
Applications > App registrations > + New registration
Configure the application:
Name:
Veridium Entra Connector
Supported account types: Accounts in this organizational directory only
Redirect URI: (Optional – leave blank for service-to-service communication)
Click Register.
After registration, copy the Application (client) ID and Directory (tenant) ID from the application's Overview page. Both are required when configuring the connector in Veridium Manager.
Add API Permissions for Passkey Management
To allow Veridium to manage passkeys through the Microsoft Graph API, grant the appropriate permissions.
In the app registration, go to API permissions > + Add a permission.
Choose:
Microsoft Graph
Application permissions
Add the following permission:
UserAuthMethod-Passkey.ReadWrite.All
Click Add permissions.
Select Grant admin consent for [Tenant Name] to authorize the permission tenant-wide.
UserAuthMethod-Passkey.ReadWrite.All is an application permission: once admin consent is granted, it lets the Veridium connector create, read, update, and delete passkey authentication methods for every user in the tenant without any signed-in user. Protect the app's credential (client secret or certificate) accordingly, and grant nothing broader than this single permission.

Configure Microsoft Entra connector
This section of the Veridium Manager allows you to configure integration with Microsoft Entra ID using Microsoft Graph API. It enables secure communication between the Veridium platform and Microsoft services for managing authentication-related tasks.

Field | Description |
---|---|
Enabled | Toggle to enable or disable Microsoft Graph integration. |
HTTP Debug Enabled | Optional toggle for verbose HTTP request logging (for troubleshooting). |
Client ID* | Application (client) ID from your Entra app registration. |
Tenant ID* | Directory (tenant) ID from your Entra app registration. |
Client Secret | Secret generated under Certificates & secrets in the Entra app. Used for client authentication unless a certificate is configured. |
Client Certificate | Upload a certificate for certificate-based client authentication. The certificate's public part must also be uploaded under Certificates & secrets in the Entra app registration. Recommended for production. |
FIDO2 Creation Options Challenge Timeout (minutes) | How long a FIDO2 registration challenge issued for passkey enrollment remains valid; the user must finish enrolling within this window. Keep it as short as your enrollment flow allows, in line with your security policy. |
Available Actions
Validate Certificate: Verifies the uploaded client certificate before you save the configuration.
Test Connection: Sends a test request to Microsoft Graph to confirm the settings are working properly.
In production environments, use certificate-based authentication rather than a client secret. A client secret is a shared password that must be copied into both Entra and Veridium Manager and is sent with every token request; with a certificate the private key stays with Veridium Manager and only a short-lived signed assertion is sent, so there is no reusable secret to leak from either side. Both secrets and certificates expire in Entra: record the expiry date and rotate before it passes, because an expired credential breaks passkey enrollment.
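The following is an added example, not code from Veridium or Microsoft. It shows two things the page describes but does not spell out: the certificate-based client assertion that Entra accepts in place of a client secret (and the token request it goes into), and a claims check on the returned Microsoft Graph access token that tells you whether admin consent for UserAuthMethod-Passkey.ReadWrite.All actually took effect, which is the usual cause of a failing Test Connection. The tenant and client IDs, certificate bytes, signer, and tokens are constructed stand-ins so the script runs offline; the production signer uses the `cryptography` package.

```python
"""Added example (not Veridium's or Microsoft's code): Entra certificate
client assertion plus a consent check on the resulting Graph token.
IDs, certificate bytes, signer and tokens below are constructed stand-ins."""
import base64
import hashlib
import json
import time
import uuid

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # well-known appId of Microsoft Graph
PASSKEY_ROLE = "UserAuthMethod-Passkey.ReadWrite.All"
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_part(token: str, index: int) -> dict:
    """Decode header (0) or payload (1) of a compact JWT. No signature check."""
    return json.loads(b64url_decode(token.split(".")[index]))


def x5t_thumbprint(cert_der: bytes) -> str:
    """Entra matches the assertion to the uploaded certificate by this header:
    base64url of the SHA-1 thumbprint of the DER-encoded certificate."""
    return b64url(hashlib.sha1(cert_der).digest())


def build_client_assertion(client_id, tenant_id, cert_der, sign, now=None, lifetime=600):
    """Return (assertion_jwt, form) for a POST to the tenant's v2.0 token endpoint.

    sign(data) must return the RS256 signature of data made with the private key
    matching cert_der. The key never leaves this host; only a short-lived,
    single-use assertion is sent, which is why certificates beat shared secrets."""
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT", "x5t": x5t_thumbprint(cert_der)}
    claims = {
        "aud": f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
        "iss": client_id,
        "sub": client_id,
        "jti": str(uuid.uuid4()),  # unique per assertion; Entra rejects replays
        "nbf": now,
        "exp": now + lifetime,     # keep it short; ten minutes is plenty
    }

    def compact(obj):
        return b64url(json.dumps(obj, separators=(",", ":")).encode())

    signing_input = compact(header) + "." + compact(claims)
    assertion = signing_input + "." + b64url(sign(signing_input.encode()))
    form = {
        "client_id": client_id,
        "scope": "https://graph.microsoft.com/.default",  # app-only: .default = consented app roles
        "grant_type": "client_credentials",
        "client_assertion_type": ASSERTION_TYPE,
        "client_assertion": assertion,
    }
    return assertion, form


def rs256_signer(pem_private_key: bytes):
    """Production signer; needs the cryptography package (not used by the demo)."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(pem_private_key, password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())


def check_graph_token(access_token, tenant_id, client_id, now=None):
    """Explain a failing Test Connection by reading the Graph token's claims.
    Decodes only, no signature verification: fine for diagnosing consent,
    never a basis for a trust decision."""
    now = int(time.time()) if now is None else now
    claims = jwt_part(access_token, 1)
    problems = []
    if claims.get("aud") not in ("https://graph.microsoft.com", GRAPH_APP_ID):
        problems.append(f"aud is {claims.get('aud')!r}, not Microsoft Graph")
    if claims.get("tid") != tenant_id:
        problems.append("tid does not match the configured Tenant ID")
    if claims.get("appid", claims.get("azp")) != client_id:  # v1 tokens carry appid, v2 carry azp
        problems.append("appid/azp does not match the configured Client ID")
    if PASSKEY_ROLE not in claims.get("roles", []):
        problems.append(f"roles lacks {PASSKEY_ROLE}: admin consent missing or not yet propagated")
    if claims.get("exp", 0) <= now:
        problems.append("token has expired")
    return problems


def unsigned_demo_token(claims: dict) -> str:
    """Constructed, unsigned token for the offline demo only."""
    return b64url(b'{"alg":"none"}') + "." + b64url(json.dumps(claims).encode()) + "."


if __name__ == "__main__":
    tenant = "11111111-2222-3333-4444-555555555555"   # constructed Directory (tenant) ID
    client = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"   # constructed Application (client) ID
    assertion, form = build_client_assertion(client, tenant, b"constructed DER bytes", lambda d: b"fake-sig")
    print(jwt_part(assertion, 0), form["scope"])
    base = {"aud": "https://graph.microsoft.com", "tid": tenant, "appid": client, "exp": int(time.time()) + 3600}
    print(check_graph_token(unsigned_demo_token({**base, "roles": [PASSKEY_ROLE]}), tenant, client))  # -> []
    print(check_graph_token(unsigned_demo_token(base), tenant, client))  # -> missing-consent problem
```

In a real run, `form` is POSTed as `application/x-www-form-urlencoded` to `https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token`, and the `access_token` from the JSON response is what `check_graph_token` inspects. An empty `roles` claim after consent was clicked usually means the token was cached before consent or that consent was granted on a different app registration than the one whose Client ID is configured.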
Enable enrollment policy
Once the Microsoft Entra connector is configured and Test Connection succeeds, the Entra Passkey policy can be enabled for users.
Navigate to Veridium Manager / Orchestrator
From the left panel select Policy
Edit the targeted Policy
Set Entra Passkey to:
OPTIONAL: users may enroll an Entra passkey but are not required to
TRUE: enrollment is mandatory; users must enroll an Entra passkey

Enabling Entra Passkey for users who are not managed in Microsoft Entra ID, or while the connector is disabled or misconfigured, causes enrollment errors in the Veridium Mobile Application.
If the policy is set to TRUE (mandatory), such users cannot complete enrollment at all, so confirm the connector with Test Connection and check which users the policy targets before enabling it.