by femto 1156 days ago
I had a similar problem when I was required to use Outlook email. It turns out that outlook does support FIDO2 hardware keys (or app) in place of MS authenticator, but it is disabled by default. The Admin has to explicitly enable it.

One then has to get through a number of roadblocks including:

* The option to log in with a FIDO key does not show up in Firefox, only Chrome (and Edge?). Bugs?

* MS only recognises keys from "Partner organisations". If you go for an open source key, such as Solo, it probably won't be an MS partner and you will have to get the Admin to add AAGUID numbers for your type of key.

* A "Temporary Access Pass" needs to be issued by the Admin for first sign-in, to boot the chain of trust.

All in all it's a pain for the Admin compared to saying "Download MS Authenticator", hence it may be difficult to get an Admin to admit that the FIDO option is there.

2 comments

Firefox on Mac and Linux doesn't yet support the PIN-required version of FIDO2. MS365 requires this mode.
This is incredibly infuriating from Mozilla and very sad to see. Again their browser shows they just cannot stay in the enterprise environment. Such a shame.
https://bugzilla.mozilla.org/show_bug.cgi?id=1530370

This is the issue tracking it, and it looks to be nearing completion.

Some of the things you mention here are organizational implementation, potentially making things more difficult to support. For example, attestation is not enabled by default. An admin enabled that, and didn’t automatically allow-list common AAGUIDs.

TAPs can be programmatically generated in batches for a roll out.
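As an added illustration of the batch TAP issuance the reply above refers to (this script is not from the thread or from Microsoft; it is an editor's example), the following uses the Microsoft Graph PowerShell SDK. It assumes the `Microsoft.Graph.Identity.SignIns` module is installed, that the signed-in admin has been granted the `UserAuthenticationMethod.ReadWrite.All` permission, and that `users.csv` is a constructed input file with a single `UserPrincipalName` column. The cmdlet name and body fields are the documented ones, but the one-hour, single-use settings are the editor's choice, not a Microsoft default.

```powershell
# Added example (not code from the thread): issue one Temporary Access Pass per user
# for a FIDO2 key rollout, so each user can complete first sign-in and enroll a key
# without the MS Authenticator app. Assumes the Microsoft.Graph.Identity.SignIns
# module and the UserAuthenticationMethod.ReadWrite.All permission.
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"

# Constructed input: a CSV with one column, UserPrincipalName.
$users = Import-Csv -Path ".\users.csv"

$results = foreach ($u in $users) {
    # Keep the pass short-lived and single-use: a TAP is a full sign-in credential,
    # so a leaked pass should be worth as little as possible for as short as possible.
    $body = @{
        isUsableOnce      = $true
        lifetimeInMinutes = 60
        startDateTime     = (Get-Date).ToUniversalTime().ToString("o")
    }

    try {
        $tap = New-MgUserAuthenticationTemporaryAccessPassMethod `
            -UserId $u.UserPrincipalName -BodyParameter $body

        [pscustomobject]@{
            User                = $u.UserPrincipalName
            TemporaryAccessPass = $tap.TemporaryAccessPass
            StartDateTime       = $tap.StartDateTime
            LifetimeInMinutes   = $tap.LifetimeInMinutes
            IsUsableOnce        = $tap.IsUsableOnce
        }
    }
    catch {
        # A failure for one user (no licence, TAP method not enabled for them, typo in UPN)
        # should not abort the batch; record it and carry on.
        [pscustomobject]@{
            User                = $u.UserPrincipalName
            TemporaryAccessPass = $null
            StartDateTime       = $null
            LifetimeInMinutes   = $null
            IsUsableOnce        = $null
            Error               = $_.Exception.Message
        }
    }
}

# The output file contains live credentials: deliver each pass to its user out of band
# (not by plain e-mail to the same mailbox) and delete the file once the rollout is done.
$results | Export-Csv -Path ".\taps.csv" -NoTypeInformation
```

Note that the Temporary Access Pass authentication method must already be enabled in the tenant's authentication method policy, and the target users must be in its scope, before these calls succeed; the script only issues passes, it does not change policy.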