Closed MathematicaKen closed 1 year ago
@MathematicaKen Thanks for your feedback! We will investigate and update as appropriate.
Hi @MathematicaKen, could you please look into the comments below?
Key Restriction Policy
Enforce key restrictions should be set to Yes only if your organization wants to only allow or disallow certain FIDO security keys, which are identified by their AAGuids. You can work with your security key provider to determine the AAGuids of their devices. If the key is already registered, the AAGUID can also be found by viewing the authentication method details of the key per user.
The Key restriction policy portion makes sense. The setting for "Restrict specific keys", which says "Allow" or "Block", is difficult to interpret. Others and I have found this amended explanation more beneficial: "Restrict specific keys: Select Block to create a key restriction policy that will blocklist the specified AAGUIDs and select Allow to create a key restriction policy that will allowlist the specified AAGUIDs"
@Justinha Can you please check and add your comments on this doc update request as applicable.
Sorry for the delay, and thanks for raising this. I created an internal work item for SMEs to review and update the topic as needed. #please-close
Restrict specific keys toggle not sufficiently explained: The wording for this setting does not make clear that this restriction creates an allowlist or a blocklist based on the AAGUID entered. Our initial reading of the docs made us think that setting Block would prohibit everything except the AAGUID in the list.