Enforce Attestation Microsoft/Azure

[Appelg]

Ok. I guess I have had it with the SOLO keys. The problems never end. Around 1,5 years after the pledge when you finally made the key work in Windows, I now tried to add them in Microsoft/Azure.

SETUP FAILED
We detected that this particular key type has been blocked by your organization. Contact your administrator for more details

Ok.. A bit of google got me this:
The second setting is called ‘Enforce Attestation’. If you enable this setting, it will require that keys which you are using have a trusted certificate, therefore you will disable security keys which have a self-signed certificate from being used. Enforcing attestation therefore means that during the enrollment process the certificate is checked to confirm if its legitimate and therefore brings in more secure security keys.

Sooo. Well. I guess the SOLO key doesn't have a trusted certificate?

[n1am]

SoloKeys are not verified by Microsoft, at least for now.

Here you can find the correct procedure on how to become a Microsoft compatible FIDO2 key vendor.

[needs-coffee]

Yep - to further clarify for anyone else reading this - it does not affect personal Microsoft accounts, solo2 with latest firmware works with these.
This is an Azure AD organisational setting to restrict permitted FIDO keys to a pre approved list of authenticators. The solo2 does have an attestation certificate as per https://s2pki.net/ but this has not been validated by Microsoft.
The organisation could also restrict this further even if the Solo2 is on the approved microsoft list - Enforce key restrictions is a setting that only allows keys from specific manufacturers to be used on the AD.

@conorpp or @nickray any chance of this getting applied for with Microsoft?