PowerShell script to add a FIDO2 security key to an Entra account.
<#
.SYNOPSIS
Register FIDO2 on behalf of another user
.DESCRIPTION
This script registers a FIDO2 key on behalf of another user. The script requires the admin to have a FIDO2 key and the user's UPN.
The script will connect to Microsoft Graph and register the FIDO2 key on behalf of the user.
The script will also register the FIDO2 key in Entra ID.
.PARAMETER TenantId
Tenant the admin signs in to. The default appears to be a placeholder; pass the real tenant.
.PARAMETER DisplayName
Display name given to the key during the registration ceremony and stored on the
authentication method in Entra ID. Verify-Registration later looks the method up by this name.
.PARAMETER UPN
User principal name of the account that receives the FIDO2 method. The default appears to be
a placeholder; pass the real UPN.
.NOTES
The sign-in requests the UserAuthenticationMethod.ReadWrite.All scope, which is a tenant-wide
write permission over every user's authentication methods, and the registration is written
through the Graph /beta endpoint. Run it from an administrative session that is expected to
hold that permission (the exact directory role needed is not stated here — confirm for your
tenant), and expect the change to appear in the Entra audit log.
Every failure path in the helper functions calls "exit 1", so the script stops at the first
error with a non-zero exit code.
#>
param (
    [string]$TenantId = "xyz.onmicrosoft.com", # Your tenant ID
    [string]$DisplayName = "YubiKey PowerShell", # Display name of the FIDO2 key
    [string]$UPN = "[email protected]" # UPN of the user you want to register the FIDO2 key for
)
# Make sure a module can be loaded, installing it for the current user when it is absent.
#
# Parameters:
#   ModuleName - Name of the module as published in the configured repository.
#
# Only presence is checked (any version counts); nothing is imported here, the later cmdlet
# calls rely on module autoloading. Install-Module pulls from whatever repository is registered
# (by default PSGallery), and -Force also removes the untrusted-repository confirmation in
# PowerShellGet, so the module and its dependencies are trusted on name alone — pinning a
# version and checking the publisher before first use is worth considering.
function Ensure-Module {
    param (
        [string]$ModuleName
    )

    $alreadyPresent = Get-Module -Name $ModuleName -ListAvailable
    if ($alreadyPresent) {
        return
    }

    # -ErrorAction Stop turns an install failure into a terminating error, which ends the script.
    $installArgs = @{
        Name        = $ModuleName
        Scope       = 'CurrentUser'
        Force       = $true
        ErrorAction = 'Stop'
    }
    Install-Module @installArgs
}
# Sign in to Microsoft Graph with the single scope the rest of the script needs.
#
# Parameters:
#   TenantId - Tenant to sign in to.
#
# UserAuthenticationMethod.ReadWrite.All is a tenant-wide write permission over every user's
# authentication methods; it is the minimum this script needs, but nothing narrower exists for
# registering a method on someone else's account, so keep the session short-lived.
# Failure is reported and the script exits with status 1.
function Connect-ToMicrosoftGraph {
    param (
        [string]$TenantId
    )

    $connectArgs = @{
        Scopes      = 'UserAuthenticationMethod.ReadWrite.All'
        TenantId    = $TenantId
        ErrorAction = 'Stop'
    }
    try {
        Connect-MgGraph @connectArgs
    } catch {
        Write-Error "Failed to connect to Microsoft Graph: $_"
        exit 1
    }
}
# Run the passkey registration ceremony for the target user and return the result.
#
# Parameters:
#   UPN         - User the registration options are requested for.
#   DisplayName - Display name handed to New-Passkey.
#
# Returns: whatever New-Passkey emits; Register-FIDO2KeyInEntraID later parses it as JSON and
#          reads publicKeyCredential.{id,response.clientDataJSON,response.attestationObject}.
#          NOTE(review): both cmdlets come from DSInternals.Passkeys and presumably drive the
#          authenticator attached to the admin's machine (the synopsis says the admin needs the
#          key); confirm the output shape against the module version in use.
# Failure is reported and the script exits with status 1.
function Register-Passkey {
    param (
        [string]$UPN,
        [string]$DisplayName
    )

    try {
        $registrationOptions = Get-PasskeyRegistrationOptions -UserId $UPN -ErrorAction Stop
        $created = New-Passkey -Options $registrationOptions -DisplayName $DisplayName -ErrorAction Stop
    } catch {
        Write-Error "Failed to register the passkey: $_"
        exit 1
    }
    return $created
}
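# Write the attestation produced by Register-Passkey to the target user as a FIDO2
# authentication method, via the Microsoft Graph beta endpoint.
#
# Parameters:
#   UPN         - User principal name of the account the method is added to. It becomes part
#                 of the request path, so it is percent-encoded; a UPN containing reserved
#                 characters would otherwise alter the path instead of being treated as data.
#   DisplayName - Display name stored on the method in Entra ID.
#   FIDO2       - Value returned by New-Passkey. The original accepted only a JSON string (it
#                 was piped through ConvertFrom-Json); an already-parsed object that exposes a
#                 publicKeyCredential property is accepted as well. The layout read here is
#                 publicKeyCredential.{id,response.{clientDataJSON,attestationObject}} —
#                 NOTE(review): taken from this function's own field access, not from a
#                 documented contract of DSInternals.Passkeys; confirm against the module
#                 version in use.
#
# Output:  the Graph response (the created method, as JSON) is emitted to the pipeline, as in
#          the original.
# Failure: a missing credential field, a JSON parse error or an HTTP error is reported and the
#          script exits with status 1. The field check runs before the request so an incomplete
#          credential produces a readable message rather than a Graph 400.
#
# This call adds a sign-in credential to another user's account, so it needs the
# UserAuthenticationMethod.ReadWrite.All scope granted in Connect-ToMicrosoftGraph and is the
# kind of change to expect in the Entra audit log. /beta is outside the v1.0 support guarantees.
function Register-FIDO2KeyInEntraID {
    param (
        [string]$UPN,
        [string]$DisplayName,
        [PSCustomObject]$FIDO2
    )

    try {
        # Keep the UPN a single path segment; reserved characters must not act as delimiters.
        $encodedUpn = [uri]::EscapeDataString($UPN)
        $uri = "https://graph.microsoft.com/beta/users/$encodedUpn/authentication/fido2Methods"

        # Accept the raw JSON string (original behaviour) or an object already parsed from it.
        if ($FIDO2.PSObject.Properties['publicKeyCredential']) {
            $parsed = $FIDO2
        } else {
            $parsed = "$FIDO2" | ConvertFrom-Json
        }
        $credential = $parsed.publicKeyCredential

        # Every one of these is required by the request body; refuse to send an empty one.
        $required = [ordered]@{
            id                = $credential.id
            clientDataJSON    = $credential.response.clientDataJSON
            attestationObject = $credential.response.attestationObject
        }
        foreach ($field in $required.Keys) {
            if ([string]::IsNullOrEmpty($required[$field])) {
                throw "passkey data is missing publicKeyCredential field '$field'"
            }
        }

        $body = @{
            displayName         = $DisplayName
            publicKeyCredential = @{
                id       = $required['id']
                response = @{
                    clientDataJSON    = $required['clientDataJSON']
                    attestationObject = $required['attestationObject']
                }
            }
        }

        # -ErrorAction Stop keeps the HTTP failure inside this try, matching the other helpers.
        $requestArgs = @{
            Method      = 'POST'
            Uri         = $uri
            Body        = $body
            ContentType = 'application/json'
            OutputType  = 'Json'
            ErrorAction = 'Stop'
        }
        Invoke-MgGraphRequest @requestArgs
    } catch {
        Write-Error "Failed to register the FIDO2 key in Entra ID: $_"
        exit 1
    }
}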
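# Read the user's FIDO2 methods back from Graph and confirm one carries the expected display name.
#
# Parameters:
#   UPN         - User whose FIDO2 methods are listed.
#   DisplayName - Display name the new method was registered with.
#
# Output:  a success line on the host when a match is found.
# Failure: a Graph error or an absent match is reported and the script exits with status 1.
#          The original only wrote an error for the "not found" case and still finished with
#          exit code 0, which silently broke the contract every other helper follows; a
#          caller checking the exit code would have taken a failed registration for success.
#
# Matching on display name is a weak check: a method with the same name that existed before
# this run also satisfies it. Comparing against the credential id returned by the registration
# step would be stronger — NOTE(review): whether the method's Id in Graph corresponds to that
# credential id is not established here, confirm before switching to it.
function Verify-Registration {
    param (
        [string]$UPN,
        [string]$DisplayName
    )

    try {
        # -ErrorAction Stop so a Graph failure lands in the catch rather than passing through.
        $methods = Get-MgBetaUserAuthenticationFido2Method -UserId $UPN -ErrorAction Stop
        $matching = @($methods | Where-Object { $_.DisplayName -eq $DisplayName })
    } catch {
        Write-Error "Failed to verify the registration: $_"
        exit 1
    }

    if ($matching.Count -eq 0) {
        Write-Error "Failed to verify the registration of the passkey."
        exit 1
    }
    Write-Host "Passkey registered successfully for user $UPN."
}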
# Main script execution: install prerequisites, sign in, run the registration ceremony, write
# the result to Entra ID, then read it back. Each helper exits the script with status 1 on its
# own failure, so no result checking is needed here.
$moduleNames = @('DSInternals.Passkeys', 'Microsoft.Graph.Beta')
foreach ($moduleName in $moduleNames) {
    Ensure-Module -ModuleName $moduleName
}

Connect-ToMicrosoftGraph -TenantId $TenantId

# Same user and display name for all three steps; the display name is what the final
# verification searches for.
$target = @{
    UPN         = $UPN
    DisplayName = $DisplayName
}
$FIDO2 = Register-Passkey @target
Register-FIDO2KeyInEntraID @target -FIDO2 $FIDO2
Verify-Registration @target