Using FIDO2 security keys with PowerShell

If you are using a FIDO2 Security Key, such as a YubiKey, you may have run into the issue that you cannot use it to authenticate with your Azure AD account using PowerShell:

As you can see, the needed "Sign in with a security key" option is missing here.

This is because PowerShell still uses the older Active Directory Authentication Library (ADAL) when prompting for Azure AD credentials. That login prompt is actually rendered using Internet Explorer, and IE will likely never have support for WebAuthN, the protocol that FIDO2 logon requires.

Your options are:

- Wait until PowerShell moves from ADAL to MSAL, and sign in prompts are rendered by a modern browser that supports WebAuthN.
- Wait until each PowerShell Module you need starts supporting its own implementation of modern authentication to Azure AD.
- Use Cloud Shell, where you can run PowerShell directly in your browser. This option works with FIDO2, but a web-based shell has its limitations.
- Use the Device Authorization Grant Flow to log in.

The Device Authorization Grant Flow is usually used when you need to sign in on "input-constrained devices", such as IoT devices and printers. In this case, we can view PowerShell as a "device". The sign in flow is initiated on the device, but the user needs to visit a web page (on any device with a browser that hopefully supports WebAuthN) to complete the sign in. Once the user has signed in, the device (or PowerShell window) can get the needed access tokens and refresh tokens.

Initiate the Device Authorization Grant Flow
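The flow described above, written out against the Microsoft identity platform v2.0 device code and token endpoints, as an added example that is not code from the original post. The tenant ID and client ID are placeholders you must replace with your own tenant and a public-client app registration that allows the device code flow; the Graph scope and the final /me call are assumptions chosen for illustration.

```powershell
# Added example: device authorization grant (RFC 8628) against Azure AD v2.0 endpoints.
# Assumptions (not from the original post): replace the two placeholders below with your
# own tenant ID and a public-client app registration that permits the device code flow.
$TenantId = '<your-tenant-id>'
$ClientId = '<your-public-client-app-id>'
$Scope    = 'https://graph.microsoft.com/.default offline_access'   # offline_access yields a refresh token

$Authority = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0"

# Step 1: the "device" (this PowerShell window) asks Azure AD for a device code and a user code.
$device = Invoke-RestMethod -Method Post -Uri "$Authority/devicecode" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{ client_id = $ClientId; scope = $Scope }

# Step 2: the user completes sign-in (FIDO2 key included) in a real browser on any device.
# The message contains the verification URL and the user code to enter there.
Write-Host $device.message

# Step 3: poll the token endpoint until the user finishes or the device code expires.
$deadline = (Get-Date).AddSeconds($device.expires_in)
$interval = [int]$device.interval
$token    = $null
while (-not $token -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds $interval
    try {
        $token = Invoke-RestMethod -Method Post -Uri "$Authority/token" `
            -ContentType 'application/x-www-form-urlencoded' `
            -Body @{
                grant_type  = 'urn:ietf:params:oauth:grant-type:device_code'
                client_id   = $ClientId
                device_code = $device.device_code
            }
    }
    catch {
        # Azure AD answers HTTP 400 while the user has not finished; the JSON body says why.
        $err = ($_.ErrorDetails.Message | ConvertFrom-Json).error
        switch ($err) {
            'authorization_pending' { }                  # user has not signed in yet, keep waiting
            'slow_down'             { $interval += 5 }   # RFC 8628 requires backing off
            default { throw "Device code flow failed: $err" }  # expired_token, authorization_declined, ...
        }
    }
}
if (-not $token) { throw 'Sign-in was not completed before the device code expired.' }

# Step 4: use the access token. Keep tokens in memory only; do not write them to disk.
$headers = @{ Authorization = "Bearer $($token.access_token)" }
Invoke-RestMethod -Uri 'https://graph.microsoft.com/v1.0/me' -Headers $headers
```

The `$token` object also carries `refresh_token` (because `offline_access` was requested) and `expires_in`, so a longer session can renew the access token without sending the user back to the browser.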