Silent provisioning of a FIDO key to use for headless requests against hidden APIs

So there’s this problem with lots of Microsoft APIs not allowing service principals to call them. I’ve written about this a few times in the past 🙂

These APIs want a user. And a user has to do MFA, right?

Not with this!

When I read Nathan McNulty’s LinkedIn post this morning I got a bit hyped and just HAD to get it working. He has a way to use a stored passkey to log in silently to all admin portals, hidden APIs etc.

The missing part I wanted to solve is actually generating that passkey for a given global admin in the tenant.

It took a bit of messing around to work out how to generate the keys using a virtual authenticator, but it works! Here it is:

https://github.com/jflieben/assortedFunctionsV2/blob/main/New-FidoKey.ps1

So basically:

  1. Register an app with a client id/secret and the UserAuthenticationMethod.ReadWrite.All permission
  2. Run New-FidoKey
  3. Use the file it outputs with Nathan’s passkey login function

I should also give an honorary mention to Fabian Bader for the work he did to get us here!

Disclaimer: don’t store this stuff where anyone can find it!

Disclaimer 2: you’ll have to set your FIDO policy so that it does not enforce attestation or key restrictions.
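As an added example that is not part of the original post or the linked New-FidoKey.ps1 script: a PowerShell audit of the tenant’s FIDO2 authentication method policy that reports the two settings disclaimer 2 depends on (attestation enforcement and key restrictions), so an admin can see whether non-attested, software-generated passkeys can currently be registered. It assumes the Microsoft.Graph PowerShell SDK is installed and the caller has been granted Policy.Read.All.

```powershell
# Added example, not the post author's code. Reads the FIDO2 authentication
# method configuration via Microsoft Graph and flags settings that would let a
# virtual (non-attested) authenticator register a passkey for a user.
# Assumption: Microsoft.Graph SDK present; Policy.Read.All consented.
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

function Get-Fido2PolicyFindings {
    $uri = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2'
    # Invoke-MgGraphRequest returns a hashtable; nested objects are hashtables too.
    $cfg = Invoke-MgGraphRequest -Method GET -Uri $uri

    $findings = [System.Collections.Generic.List[string]]::new()

    if ($cfg.state -ne 'enabled') {
        $findings.Add('FIDO2 method is disabled: no passkeys can be registered at all.')
        return $findings
    }

    # A software/virtual authenticator cannot produce a trusted attestation
    # statement, so enforcing attestation blocks the keys this post generates.
    if (-not $cfg.isAttestationEnforced) {
        $findings.Add('isAttestationEnforced = false: non-attested (software) passkeys can be registered.')
    }

    # Key restrictions limit registration to allowed/blocked authenticator AAGUIDs.
    $kr = $cfg.keyRestrictions
    if (-not $kr.isEnforced) {
        $findings.Add('keyRestrictions.isEnforced = false: any authenticator model is accepted.')
    }
    elseif ($kr.enforcementType -eq 'block' -and $kr.aaGuids.Count -eq 0) {
        $findings.Add('keyRestrictions is an empty block list: effectively no restriction.')
    }

    return $findings
}

$findings = Get-Fido2PolicyFindings
if ($findings.Count -eq 0) {
    'OK: FIDO2 policy enforces attestation and key restrictions.'
}
else {
    $findings | ForEach-Object { "WARNING: $_" }
}
```

Remediation is a PATCH to the same URI with isAttestationEnforced set to true (and a keyRestrictions allow list if you want to pin authenticator models), which needs Policy.ReadWrite.AuthenticationMethod rather than the read-only scope used here.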

Trackback:

[…] topic in the context of device-bound passkeys. Seeing the creative work from Nathan, Fabian, and Jos coming together, you might want to keep an eye on non-attested, device-bound passkeys in Entra […]

JohnH, 2 months ago:

Key attestation is a must – else it’s not actually a passkey.