This repository presents a Python script (`sk-entra-id.py`) that facilitates configuration of a YubiKey as well as its assignment to a user in Microsoft Entra ID.
The script is based on a Yubico Proof-of-Concept found here and performs the following configuration tasks:
Script Feature | Explanation | Comment |
---|---|---|
User gestures | The script will prompt for necessary interactions (remove, insert, touch). | |
Reset YubiKey | The YubiKey is factory reset prior to configuration. | |
Set random PIN | A random non-trivial PIN* is set on the YubiKey. | Configurable |
Enroll passkey | A FIDO2 credential is created on-behalf-of the user. | |
Set minimum PIN length | Any new PIN must comply with length requirement. | FW 5.7 or later |
Force PIN change | The configured PIN must be changed by the end-user. | FW 5.7 or later |
Restrict NFC | NFC access to the YubiKey is limited until first use. | FW 5.7 or later |
Prompt next user | On successful configuration the script will prompt to continue. | |
Save to file | All relevant configuration items are saved to a JSON output file. | |
*PIN length is set to 4. If you are enrolling Enterprise Edition Security Keys or if you wish to enforce longer PINs, you must adjust this value:

```python
# Set variable to control PIN length
pin_length = 4
```
The script provided herein is made available on an "as-is" basis, without any warranties or representations, whether express, implied, or statutory, including but not limited to implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
The user acknowledges that, as of the date of publication (H2 2024), the features upon which this script relies are in a Preview phase as provided by Microsoft. As such, these features are subject to change, modification, or discontinuation at any time without notice and may be unsupported. The user assumes all risks associated with the use of the script and the underlying features. The provider of this script disclaims any liability for damages, losses, or other claims arising from or in connection with the use or reliance on this script.
To install dependencies and configure your Entra ID tenant please follow instructions here.
To run the script, simply execute the command: `python sk-entra-id.py`

The script will write a file called `output.json` to the working directory.
Here is an example:
```json
[
  {
    "Name": "Alice Smith",
    "UPN": "[email protected]",
    "Model": "YubiKey 5 NFC",
    "Serial number": 15898933,
    "PIN": "5144",
    "PIN change required": false,
    "Secure Transport Mode": false
  }
]
```
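As an added example (not code from this repository), here is how the two configurable pieces described above fit together: a `pin_length` setting driving a CSPRNG-backed PIN generator that rejects trivial patterns, and a record builder that produces entries in the shape of `output.json`. The trivial-pattern rule and all function names are my own assumptions; the page does not show how the script itself chooses its PIN.

```python
import json
import secrets

# Set variable to control PIN length (same role as pin_length in sk-entra-id.py)
pin_length = 4


def is_trivial_pin(pin: str) -> bool:
    """Heuristic (assumption, not the script's rule): reject PINs an attacker
    would guess first, i.e. repeated digits or straight ascending/descending
    runs such as 0000, 1234 or 9876."""
    if len(set(pin)) == 1:
        return True
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def generate_pin(length: int = pin_length) -> str:
    """Return a random numeric PIN of the requested length.

    Uses the secrets module (CSPRNG); random.choice would be predictable.
    CTAP2 requires at least 4 code points, so shorter requests are refused.
    """
    if length < 4:
        raise ValueError("FIDO2 PINs must be at least 4 digits")
    while True:
        pin = "".join(secrets.choice("0123456789") for _ in range(length))
        if not is_trivial_pin(pin):
            return pin


def build_record(name, upn, model, serial, pin, pin_change_required, secure_transport):
    """Build one entry using the keys seen in the example output.json."""
    return {
        "Name": name,
        "UPN": upn,
        "Model": model,
        "Serial number": serial,
        "PIN": pin,
        "PIN change required": pin_change_required,
        "Secure Transport Mode": secure_transport,
    }


def to_output_json(records) -> str:
    """Serialise a list of records the way output.json is laid out."""
    return json.dumps(records, indent=2)
```

The PIN file contains secrets for the end user's key, so treat `output.json` with the same care as any credential export.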
In Microsoft Entra ID the registered security key will appear with its associated Serial Number:
You can help by getting involved in the project, or by donating (any amount!).
Donations will support costs such as domain registration and code signing (planned).
- 2024.11.30: v1.4
- 2024.08.17: v1.3