GrapheneOS / os-issue-tracker

Issue tracker for GrapheneOS Android Open Source Project hardening work. Standalone projects like Auditor, AttestationServer and hardened_malloc have their own dedicated trackers.
https://grapheneos.org/

Getting MS O365 apps to work with hardware key #1066

Closed robinschwab closed 2 years ago

robinschwab commented 2 years ago

We have set the permissions in the Office 365 tenant so users must provide a hardware key (Trustkey, Yubikey, Neowave) to log in.

I read and understood that GrapheneOS is FIDO2 compliant but most apps implement it through Google Play Services. I have the sandboxed Google installed.

When I try to log in to MS apps such as Teams or Powerpoint I get a message «checking your identity» after entering the password but no request to provide a token. When I provide it nevertheless, this message reloads but there is no login.

Did anybody get this to work? Is it supposed to work?

flawedworld commented 2 years ago

Google Play Services must be installed and it must have the Files permission.

robinschwab commented 2 years ago

That is not enough for me. It does not work.

flawedworld commented 2 years ago

Vanadium will 100% not work atm, that's a known bug. But interesting to see that it's not working on O365. Could you please provide logs or alternatively you can wait until our next release which has a workaround for some bugs present in Google Play Services regarding Android 12 and newer. That will probably come out ~Monday.

robinschwab commented 2 years ago

I sent you the logs by email. I used the NFC interface since the USB was already taken by the Debug Bridge.

robinschwab commented 2 years ago

The problem persists with yesterday's update.

flawedworld commented 2 years ago

Please ensure that in your Azure Active Directory that Google SafetyNet is not being enforced for Android endpoints.

flawedworld commented 2 years ago

You should also try giving the phone permission to Google Play Services if you continue to have issues following that.

robinschwab commented 2 years ago

Can you explain the first point? In Azure the only safetynet is an app from Predictive Solutions Corporation to avoid workplace injuries. I do not have this enabled. Also my new phone is not a managed device in AD nor was my old phone running a stock manufacturer branded Android.

I think I just need a piece of code that pops up a field to enter the token's PIN when the token is plugged in/tapped.

BTW: When I give Google Play Services Files permission, the only choice is to give it "media" files permission. I doubt that access to my pictures will help accessing the hardware tokens.

thestinger commented 2 years ago

Play Services requires that permission for the FIDO service even though it shouldn't actually be required. If you choose not to grant what's needed, it won't work.

robinschwab commented 2 years ago

I got that. What I tried to say is that if Play Services needed permissions on files other than media it wouldn't have worked because I had no choice to give that permission.

But it looks like I was wrong on the assumption it worked on stock Android. When I try now I have the same behaviour on two other phones running normal Android.

It's frustrating to see how small the support for FIDO2 is so many years after its invention and with so many threats around.

flawedworld commented 2 years ago

> Can you explain the first point? In Azure the only safetynet is an app from Predictive Solutions Corporation to avoid workplace injuries. I do not have this enabled. Also my new phone is not a managed device in AD nor was my old phone running a stock manufacturer branded Android.

https://docs.microsoft.com/en-us/mem/intune/protect/compliance-policy-create-android#:~:text=SafetyNet%20device%20attestation

When using GrapheneOS endpoints, regardless of if the device is being used in a BYOD or managed device deployment, Google SafetyNet must be either off or only on "check basic Integrity".

robinschwab commented 2 years ago

Thanks for the hint. I don't have Intune services thus I can't create those policies. And I am not willing to pay ~10$/month per user additionally just to be able to log in to Microsoft with a hardware token.

I think there must be another way because logging in from any Android is no problem as long as you only use a password.

robinschwab commented 2 years ago

It seems the Microsoft apps do not support FIDO2 U2F so this is not an issue of GrapheneOS but of Microsoft. I should have tested more thoroughly on a "normal" phone first.

FID02 commented 6 months ago

You can now sign into M365 websites (outlook.office.com, microsoft365.com, etc.) in Vanadium using a hardware key. Your organization must allow this. Microsoft enforces the storing of resident keys on the FIDO2 hardware key. Passkeys, in other words. It now fully works in Vanadium with Sandboxed Google Play.

The apps require Microsoft Authenticator, and a certificate must be stored on the hardware key in addition to the resident key. The certificate is not required for web. Not all hardware keys support this. Therefore I have been unable to test the apps so far.
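As an added illustration of the resident-key requirement described in the comment above (this is not code from the thread, from GrapheneOS or from Microsoft): a relying party that needs a discoverable (resident) credential has to request it explicitly in the WebAuthn registration options and should then verify, via the credProps extension, that the authenticator actually stored one, because a hardware key without resident-key support may otherwise end up with a credential that later cannot be used for sign-in. The relying-party ID, name and sample user are constructed placeholders.

```javascript
// Added example: WebAuthn registration options that require a discoverable
// (resident) credential, plus a check of what the authenticator reported back.
// rp.id / rp.name are constructed placeholders, not a real relying party.

function buildResidentKeyCreationOptions(userId, userName, challenge) {
  return {
    rp: { id: "example.test", name: "Example RP" },
    user: { id: userId, name: userName, displayName: userName },
    challenge, // server-generated random bytes, one per ceremony
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -257 }, // RS256
    ],
    authenticatorSelection: {
      authenticatorAttachment: "cross-platform", // roaming hardware key
      residentKey: "required",        // WebAuthn Level 2 field
      requireResidentKey: true,       // Level 1 alias for older clients
      userVerification: "required",   // PIN or biometric on the key
    },
    // Ask the client to report whether the credential is discoverable.
    // With residentKey "preferred" instead of "required", credProps.rk
    // is the only signal the relying party gets.
    extensions: { credProps: true },
    timeout: 60000,
  };
}

// Inspect the PublicKeyCredential returned by navigator.credentials.create().
// Only getClientExtensionResults() is consulted, so a minimal object works.
function classifyRegistration(credential) {
  const ext = credential.getClientExtensionResults();
  const props = ext && ext.credProps;
  if (!props || typeof props.rk !== "boolean") {
    // Client did not report: the RP cannot tell whether the key stored it.
    return "unknown";
  }
  return props.rk ? "discoverable" : "non-discoverable";
}
```

A relying party that requires passkeys would reject a "non-discoverable" or "unknown" result at registration time rather than discover the problem at the next sign-in.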