![\"\"](\"https:\/\/lieben.nu\/liebensraum\/wp-content\/uploads\/2026\/02\/image-1-1024x667.png\")
<\/figure>\n\n\n\nWhen I read Nathan McNulty’s LinkedIn post<\/a> this morning I got a bit hyped and just HAD to get it working. He has a way to use a stored passkey to log in silently to all admin portals\/hidden api’s etc.<\/p>\n\n\n\n The missing part I wanted to solve, is to actually generate that passkey for a given global admin in the tenant.<\/p>\n\n\n\n Took a bit of messing around with how to generate the keys using a virtual authenticator, but it works! Here it is:<\/p>\n\n\n\n https:\/\/github.com\/jflieben\/assortedFunctionsV2\/blob\/main\/New-FidoKey.ps1<\/a><\/p>\n\n\n\n So basically:<\/p>\n\n\n\n I should also give an honorary mention to Fabian Bader<\/a> for the work he did to get us here!<\/p>\n\n\n\n disclaimer: don’t store this stuff where anyone can find it!<\/p>\n\n\n\n disclaimer2: you’ll have to set your fido policy to allow not force attestion or key restrictions<\/p>\n","protected":false},"excerpt":{"rendered":" So there’s this problem with lots of Microsoft API’s not allowing service principals to call them. I’ve written about this a few times in the past \ud83d\ude42 These api’s want a user. And a user has to do MFA, right? Not with this! When I read Nathan McNulty’s LinkedIn post this morning I got a … Continue reading Silent provisioning of Fido key to use for headless requests against hidden API’s<\/span> \n
![\"\"](\"https:\/\/lieben.nu\/liebensraum\/wp-content\/uploads\/2026\/02\/image.png\")
<\/figure>\n\n\n\n