Did you know that Microsoft supports FIDO2 security keys in Microsoft Entra ID (formerly Azure Active Directory)?


Updated note (2026): Windows Virtual Desktop is now Azure Virtual Desktop (AVD), and Azure Active Directory is now Microsoft Entra ID. Screenshots retain the names shown when this article was published.

Since Azure Virtual Desktop (formerly Windows Virtual Desktop) uses Microsoft Entra ID for authentication, FIDO2 security keys can also be used to secure applications and desktops hosted on Azure Virtual Desktop.

In this post, I will demonstrate how to enable FIDO2 support in Microsoft Entra ID for AVD.

First of all, we need to enable FIDO2 support in Microsoft Entra ID. Log in to the Azure portal and then navigate to Microsoft Entra ID > Authentication methods.

Under the Policies blade, select FIDO2. Under 1) Enable, click Yes. Next, under 2) Target, select All users, a specific pilot group or an individual user. In my demo, I will target only one user. Finally, under 3) General, enable Allow self-service setup; this allows users to register their security keys.
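To check that the saved policy matches what was selected in the portal, the sketch below reviews an exported copy of the FIDO2 configuration. It is an added example, not part of the original post: the JSON is a constructed sample in the shape Microsoft Graph returns for this policy, the group ID is a placeholder, and review_fido2_policy is a hypothetical helper name. It also goes beyond the three settings above by reporting on key attestation and key restrictions.

```python
import json

# Constructed sample in the shape Microsoft Graph returns for the FIDO2
# authentication method configuration; the group id is a placeholder.
PILOT_GROUP = "00000000-0000-0000-0000-000000000001"
SAMPLE_POLICY = json.loads("""
{
  "id": "Fido2",
  "state": "enabled",
  "isSelfServiceRegistrationAllowed": true,
  "isAttestationEnforced": false,
  "keyRestrictions": {"isEnforced": false, "enforcementType": "allow", "aaGuids": []},
  "includeTargets": [
    {"targetType": "group", "id": "00000000-0000-0000-0000-000000000001"}
  ]
}
""")


def review_fido2_policy(policy, approved_group_ids):
    """Return (severity, setting, message) findings for an exported FIDO2 policy."""
    findings = []
    # 1) Enable
    if policy.get("state") != "enabled":
        findings.append(("fail", "state", "FIDO2 method is not enabled"))
    # 2) Target: compare the rollout scope with the groups you meant to include
    target_ids = {t.get("id") for t in policy.get("includeTargets") or []}
    if not target_ids:
        findings.append(("fail", "includeTargets", "nobody is targeted"))
    elif "all_users" in target_ids and "all_users" not in approved_group_ids:
        findings.append(("warn", "includeTargets", "policy applies to all users"))
    else:
        for extra in sorted(target_ids - set(approved_group_ids)):
            findings.append(("warn", "includeTargets", f"unapproved target {extra}"))
    # 3) General: self-service setup
    if not policy.get("isSelfServiceRegistrationAllowed"):
        findings.append(("fail", "isSelfServiceRegistrationAllowed",
                         "users cannot register their own keys"))
    # Beyond the post's three settings: attestation and key restrictions
    if not policy.get("isAttestationEnforced"):
        findings.append(("warn", "isAttestationEnforced", "key attestation is not enforced"))
    if not (policy.get("keyRestrictions") or {}).get("isEnforced"):
        findings.append(("info", "keyRestrictions", "any FIDO2 key model is accepted"))
    return findings


if __name__ == "__main__":
    for severity, setting, message in review_fido2_policy(SAMPLE_POLICY, {PILOT_GROUP}):
        print(f"{severity:5} {setting}: {message}")
```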


Now that the Azure part is configured, we can log in to the Office.com portal and register our security key. Once you are logged in, click on your initials in the top right corner and select View Account.


Now click on Security Info on the left-hand side, or in the middle of the screen.


You should now see the currently allowed authentication methods. Click Add a method and choose Security Key from the drop-down menu.


Select the device type you are using. For this demo I used a USB YubiKey, hence I selected USB Device.


OK, now it’s time to plug the key into the USB port and start the registration.


Select a PIN for your key.


Touch your security key to finish registration.


That is the key now registered with my test account and ready to use. Let us try it with Azure Virtual Desktop.


Launch the Microsoft Remote Desktop client and hit Subscribe. On the Microsoft sign-in page, click on Sign-in options. You should now see the options below; click on Sign in with Windows Hello or a security key.


Now, type in the PIN that we set up earlier for our key.


Touch the key.


And we are in!


The same process applies when accessing AVD via the web client.

Summary

FIDO2 security keys provide a phishing-resistant authentication option for Azure Virtual Desktop access through Microsoft Entra ID. Before using this approach in production, validate supported clients, authentication-method policy scope, Conditional Access requirements, recovery processes and service-desk support for lost or replaced keys.

The architecture takeaway is that a virtual desktop platform is only as secure as its access path: strong user authentication should be designed alongside session controls, application authorization and operational monitoring.