...
- Click Assignments to assign the policy to the security group of choice
Enable combined security information registration
The next step is to enable combined security information registration. The feature needs to be enabled from the Azure AD portal.
- Sign in to the Azure AD portal
- Browse to Azure Active Directory – User settings
- Click Manage user feature preview settings
- Select All to switch on the features for all users
- Click Save
Enable FIDO2 security keys as Authentication method
The third step is to enable FIDO2 security keys as an authentication method in Azure Active Directory.
...
- In the Azure AD portal, browse to Azure Active Directory
- Browse to Security – Authentication methods
- Click FIDO2 Security Keys
- Set Enable to Yes
- Leave Target set to All or switch to Select users and select a security group
- Click Save
On the screen above we also have the option to block Self-service setup of the security keys and to set a Key restrictions policy. If you want to block specific security keys or only allow specific security keys, you need the AAGUID of each security key model. Those for the security keys of Yubico can be found here.
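The self-service setting and Key restrictions policy described above correspond to the FIDO2 authentication method configuration in Microsoft Graph. The following added example (not part of the original post) validates a list of AAGUIDs, builds the request body for that configuration, and checks a key against it. The AAGUIDs are constructed placeholders, the helper names are hypothetical, and `key_is_permitted` is a local model of the allow/block semantics, not Azure AD's own code.

```python
import json
import uuid

# Microsoft Graph resource for the tenant's FIDO2 method policy (sent with PATCH).
GRAPH_FIDO2_URL = ("https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy"
                   "/authenticationMethodConfigurations/fido2")

def normalize_aaguid(value):
    """Return the canonical lowercase AAGUID; raise ValueError if it is unusable."""
    aaguid = uuid.UUID(value.strip())      # rejects anything that is not 128 bits of hex
    if aaguid.int == 0:
        raise ValueError("an all-zero AAGUID does not identify a key model")
    return str(aaguid)

def build_fido2_policy(aaguids, enforcement_type, allow_self_service=True):
    """Build the PATCH body for an enforced allow-list or block-list of key models."""
    if enforcement_type not in ("allow", "block"):
        raise ValueError("enforcement_type must be 'allow' or 'block'")
    listed = sorted({normalize_aaguid(a) for a in aaguids})   # dedupe spelling variants
    if not listed:
        raise ValueError("an enforced restriction needs at least one AAGUID")
    return {
        "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
        "state": "enabled",
        "isSelfServiceRegistrationAllowed": allow_self_service,
        # The AAGUID is only verified when the key's attestation is checked.
        "isAttestationEnforced": True,
        "keyRestrictions": {"isEnforced": True,
                            "enforcementType": enforcement_type,
                            "aaGuids": listed},
    }

def key_is_permitted(policy, key_aaguid):
    """Local model (assumption) of how the allow/block list treats one key."""
    restrictions = policy["keyRestrictions"]
    if not restrictions["isEnforced"]:
        return True
    listed = str(uuid.UUID(key_aaguid)) in restrictions["aaGuids"]
    return listed if restrictions["enforcementType"] == "allow" else not listed

if __name__ == "__main__":
    # Constructed placeholder AAGUIDs, not real vendor values.
    approved = ["{11111111-2222-3333-4444-555555555555}",
                "11111111222233334444555555555555",      # same model, other spelling
                "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE"]
    policy = build_fido2_policy(approved, "allow")
    print("PATCH", GRAPH_FIDO2_URL)
    print(json.dumps(policy, indent=2))
    print(key_is_permitted(policy, "99999999-0000-0000-0000-000000000001"))
```

Sending the body requires a Graph token with permission to write the authentication methods policy; reviewing the generated JSON before applying it catches malformed or duplicated AAGUIDs that would otherwise silently weaken an allow-list.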