[GH-ISSUE #5189] [Feature Request]: Deploy authentication policies with approved AAGUID lists #2491

Open
opened 2026-03-02 13:52:48 +03:00 by kerem · 10 comments

Originally created by @dszp on GitHub (Jan 12, 2026).
Original GitHub issue: https://github.com/KelvinTegelaar/CIPP/issues/5189

Please confirm:

  • **I have searched existing feature requests** (open and closed) and found no duplicates.
  • **Me or my organization is currently an active sponsor of the product at the $99,- level.**

Problem Statement

Microsoft now supports syncable Passkeys (FIDO2) and allows you to create an allowlist of AAGUIDs that define which password managers (or hardware keys) can authenticate, usually to include Microsoft Authenticator. Adding all desired AAGUIDs to the list is time-consuming to do manually since there are a large number of AAGUIDs if you want to allow a lot of Yubikey models, for example (since each set of capabilities requires a new AAGUID).

Various resources are available for finding AAGUID definitions from manufacturers and password manager vendors, such as:

  • https://github.com/passkeydeveloper/passkey-authenticator-aaguids
  • https://passkeydeveloper.github.io/passkey-authenticator-aaguids/explorer/
  • https://aaguid.nicolasuter.ch/

And others that are web-searchable. Additionally, being able to choose whether to allow attestation or not (it's required to NOT require attestation to allow syncable passkeys currently) would be useful, in addition to controlling authentication types required or disallowed by policy.

Benefits for MSPs

Being able to deploy a list of AAGUIDs that include Authenticator, Yubikey models, and for example 1Password as a password manager would be a huge benefit to being able to deploy standards quickly, along with defining attestation being required or not, and would help with allowing users using MSP approved/provided/supported password managers to save Passkeys for login and provide more options than just Authenticator for phishing-resistant MFA (just available finally in Nov. 2025 from Microsoft) would be a big win in driving better MFA adoption.

Value or Importance

Syncable passkey support has been desired for a long time and is finally here as of Nov. 2025, but it's important to centrally deploy/manage in order to make it usable, since syncable passkeys are not enabled by default on Microsoft tenants, and properly securing (requiring a known password manager, for example) syncable passkeys is an important but currently complex task that requires reading and following complex documentation and copying/pasting many AAGUIDs per tenant/policy, so it's a valuable add to add central management that exists nowhere else yet that I know of.

PowerShell Commands (Optional)

No response
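As an added example (not code from this issue or from the CIPP project), here is the Microsoft Graph call a PowerShell implementation of this request would boil down to: it validates and de-duplicates an AAGUID allowlist, pushes it as an enforced allow-type `keyRestrictions` block on the FIDO2 authentication method policy with `isAttestationEnforced` set to false (the setting that must stay off for syncable passkeys), and then reads the policy back to confirm what actually landed. The endpoint, property names and permission scope are those of the Graph `fido2AuthenticationMethodConfiguration` resource; the two function names and every AAGUID value are this example's own, and the AAGUIDs are placeholders to be replaced from the catalogues linked above.

```powershell
# Added example, not code from this issue or from the CIPP project.
# Pushes an AAGUID allowlist to the Entra ID FIDO2 authentication method policy
# through Microsoft Graph and verifies the result. Assumes the
# Microsoft.Graph.Authentication module and a signed-in account that has been
# granted Policy.ReadWrite.AuthenticationMethod.
#
# Every AAGUID below is a PLACEHOLDER. Replace them with real values from the
# AAGUID catalogues linked in the issue before running this against a tenant.

$AllowedAuthenticators = [ordered]@{
    'Microsoft Authenticator (placeholder)' = '00000000-0000-0000-0000-000000000001'
    'YubiKey 5 NFC (placeholder)'           = '00000000-0000-0000-0000-000000000002'
    'YubiKey 5C (placeholder)'              = '00000000-0000-0000-0000-000000000002'  # duplicate on purpose
    '1Password (placeholder)'               = '00000000-0000-0000-0000-000000000003'
}

function ConvertTo-AaguidList {
    # Validates that every value parses as a GUID, canonicalises and de-duplicates
    # them, and refuses to return an empty list (an enforced allowlist with no
    # entries leaves no authenticator registrable).
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Catalog)

    $list = foreach ($entry in $Catalog.GetEnumerator()) {
        $parsed = [guid]::Empty
        if (-not [guid]::TryParse($entry.Value, [ref]$parsed)) {
            throw "Entry '$($entry.Key)' has a malformed AAGUID: $($entry.Value)"
        }
        $parsed.ToString()      # canonical lowercase 8-4-4-4-12 form
    }
    $list = @($list | Sort-Object -Unique)
    if ($list.Count -eq 0) { throw 'Refusing to push an empty AAGUID allowlist.' }
    return $list
}

function Set-Fido2AaguidAllowlist {
    param(
        [Parameter(Mandatory)][string[]]$AaGuids,
        [bool]$EnforceAttestation = $false    # must stay $false for syncable passkeys
    )
    $uri = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2'
    $body = @{
        '@odata.type'                    = '#microsoft.graph.fido2AuthenticationMethodConfiguration'
        state                            = 'enabled'
        isAttestationEnforced            = $EnforceAttestation
        isSelfServiceRegistrationEnabled = $true
        keyRestrictions                  = @{
            isEnforced      = $true
            enforcementType = 'allow'     # 'block' would turn the same list into a denylist
            aaGuids         = $AaGuids
        }
    }
    Invoke-MgGraphRequest -Method PATCH -Uri $uri -ContentType 'application/json' `
        -Body ($body | ConvertTo-Json -Depth 5) | Out-Null

    # Read the policy back rather than trusting the PATCH: confirm the allowlist,
    # its enforcement mode and the attestation setting actually landed.
    $policy  = Invoke-MgGraphRequest -Method GET -Uri $uri
    $applied = @($policy.keyRestrictions.aaGuids | ForEach-Object { $_.ToLower() })
    $missing = @($AaGuids | Where-Object { $_ -notin $applied })
    if ($missing.Count -gt 0) { throw "AAGUIDs not present after write: $($missing -join ', ')" }
    if ($policy.keyRestrictions.enforcementType -ne 'allow' -or -not $policy.keyRestrictions.isEnforced) {
        throw 'keyRestrictions is not an enforced allowlist.'
    }
    if ($policy.isAttestationEnforced -ne $EnforceAttestation) {
        throw "isAttestationEnforced is $($policy.isAttestationEnforced), expected $EnforceAttestation"
    }
    return $policy
}

Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod' -NoWelcome
$aaguids = ConvertTo-AaguidList -Catalog $AllowedAuthenticators
$result  = Set-Fido2AaguidAllowlist -AaGuids $aaguids -EnforceAttestation $false
"Allowlist now holds $($result.keyRestrictions.aaGuids.Count) AAGUIDs; attestation enforced: $($result.isAttestationEnforced)"
```

The read-back at the end is the part worth keeping in any per-tenant rollout: a PATCH that silently drops an entry or leaves `isAttestationEnforced` on produces a tenant where the approved password manager cannot register a passkey, and that only shows up as user-facing registration failures.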


@github-actions[bot] commented on GitHub (Jan 22, 2026):

This issue is stale because it has been open 10 days with no activity. We will close this issue soon. If you want this feature implemented you can contribute it. See: https://docs.cipp.app/dev-documentation/contributing-to-the-code . Please notify the team if you are working on this yourself.


@TargetCrafter commented on GitHub (Jan 26, 2026):

I would love to see this feature implemented too!


@Nathanymous commented on GitHub (Jan 26, 2026):

This would be awesome and very helpful if implemented!


@github-actions[bot] commented on GitHub (Feb 5, 2026):

This issue is stale because it has been open 10 days with no activity. We will close this issue soon. If you want this feature implemented you can contribute it. See: https://docs.cipp.app/dev-documentation/contributing-to-the-code . Please notify the team if you are working on this yourself.


@swissbuechi commented on GitHub (Feb 5, 2026):

Please also add an option to configure the other options available like `Enforce attestation` while you're at it.
This needs to be disabled if you want to allow synced Passkeys via Bitwarden etc.

Thank you guys <3


@github-actions[bot] commented on GitHub (Feb 15, 2026):

This issue is stale because it has been open 10 days with no activity. We will close this issue soon. If you want this feature implemented you can contribute it. See: https://docs.cipp.app/dev-documentation/contributing-to-the-code . Please notify the team if you are working on this yourself.


@swissbuechi commented on GitHub (Feb 15, 2026):

Not stale


@KelvinTegelaar commented on GitHub (Feb 15, 2026):

> Not stale

Please do not bump feature requests, if it times out, you can resubmit after 30 days.


@mruiterhype commented on GitHub (Feb 19, 2026):

Would love to see this implemented, especially with Microsoft starting to auto‑enable passkey profiles in March: https://lazyadmin.nl/office-365/auto-enabled-passkey-profiles-in-march-2026/


@github-actions[bot] commented on GitHub (Mar 1, 2026):

This issue is stale because it has been open 10 days with no activity. We will close this issue soon. If you want this feature implemented you can contribute it. See: https://docs.cipp.app/dev-documentation/contributing-to-the-code . Please notify the team if you are working on this yourself.
