How to Fix: Require FIDO2 Security Keys for Administrators
Step-by-step guide to implement require fido2 security keys for administrators in your Microsoft 365 environment.
Free baseline scan · No credit card · 5 minute setup
30-60 minutes
Estimated Time
4
Steps
critical
Severity
Maximum Security
Baseline Level
Why This Matters
Hardware security keys provide the highest authentication assurance. Unlike software-based MFA, keys cannot be phished, cloned, or remotely compromised. Level 3 mandates this protection for all admin access.
Prerequisites
- 1Global Administrator or appropriate admin role in Microsoft Entra ID
- 2Access to Microsoft Entra admin center (entra.microsoft.com)
- 3Microsoft Entra ID P2 license
- 4Privileged Role Administrator role
Expected Configuration
- All users with privileged roles have registered FIDO2 security keys
- Each admin has at least 2 keys registered (primary + backup)
- PIM activation requires FIDO2 authentication
Remediation Steps
Review Current State
Assess your current privileged access configuration in Entra ID.
- •Navigate to Microsoft Entra admin center
- •Go to Identity > Roles and administrators
- •Review current role assignments
Plan Changes
Determine what changes need to be made to meet the expected configuration.
- •Identify users with excessive privileges
- •Document required role assignments
- •Plan implementation timeline
Implement Configuration
Apply the necessary changes to your Entra ID environment.
- •Configure PIM if applicable
- •Update role assignments
- •Set appropriate access reviews
Verify and Test
Confirm the changes are working as expected.
- •Run a TrueConfig scan to verify compliance
- •Test user access with affected accounts
- •Document the changes made
Related Resources
Automate Your Security Configuration
TrueConfig scans your Microsoft 365 environment on a schedule you control and, with safety gates, can fix configuration drift automatically. Start your free trial today.
Start Free Trial