OFFPAD Pre-enrollment
The OFFPAD Pre-enrollment Application enables organizations to ship OFFPADs to end users preloaded with credentials for Entra ID, giving them passwordless, phishing-resistant logins from day one.
Requirements
To use the OFFPAD Pre-enrollment Application you need to have the following:
- A Windows laptop with admin privileges and an NFC reader attached.
- The OFFPAD Pre-enrollment Application installed.
- An OFFPAD+ that has been reset or has never been used.
- Permission to create an app registration in Entra ID and grant it the required API permissions; the application uses that registration to obtain its tokens.
- Permission to create an Entra ID group that holds the user(s) you want to pre-enroll.
How it works
The OFFPAD Pre-enrollment Application does the following:
- Reads all the users in the configured Entra ID group and enrolls them using the Microsoft Entra ID FIDO2 provisioning APIs
- For each user, asks you to tap a new (or reset) OFFPAD+ on the attached NFC reader
- For each OFFPAD+, sets a random PIN on the OFFPAD+ and assigns the OFFPAD+ to that user in Entra ID
- Writes the userID, userName and PIN of every enrolled user to a file called preenroll.csv.
Installing
Download and install the OFFPAD Pre-enrollment Application from the Microsoft Store.
Setup
The config file, preenroll.json, and the output file, preenroll.csv, for the OFFPAD Pre-enrollment Application can be found in the C:\Users\Public\Desktop folder. Note that preenroll.json holds the client secret and preenroll.csv holds each enrolled user's PIN in clear text, and the Public desktop is readable by every account on the laptop, so restrict access to both files and delete the CSV once the PINs have been handed to the users.
The config file is created and opened in Notepad the first time you start the application.
The config file contains the following parameters (the values shown are placeholders that must be replaced):
{
"clientId": "11111111-1111-1111-1111-111111111111",
"clientSecret": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
"deleteExistingUserFIDOCredentials": "true",
"group": "FIDO Provisioning",
"logLevel": "info",
"pinLength": "4",
"removeUsersFromEnrollmentGroup": "false",
"showHelp": "false",
"tenantName": "dummyTenant"
}
Parameter: tenantName
The "tenantName" is the same as your Primary Domain.
Open the Microsoft Entra admin center and go to the Overview to find your Primary Domain.
Parameter: clientId and clientSecret
The client ID and the client secret are used by the OFFPAD Pre-enrollment Application to talk to Entra ID. To get these values you first have to create a new application in the Microsoft Entra admin center. Go to Applications->App registrations and select "New registration".
Give the new application a name. The application should be single tenant.
The Client ID is the Application (client) ID shown on the Overview page of the new registration.
To get the Client Secret, go to the Certificates & secrets section of the newly created application and click "New client secret".
Copy the secret value right away; it is displayed only once, immediately after the secret is created.
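Before any OFFPAD+ is tapped, it is worth confirming that the tenantName, clientId and clientSecret actually yield a token and that the group name resolves to exactly one group. The script below is an added example and is not part of the OFFPAD Pre-enrollment Application. It assumes that the application authenticates with the standard OAuth 2.0 client-credentials flow against Microsoft Graph (the page says only that the registration provides "permissions and tokens") and that the registration has been granted a Graph application permission that can read group membership (for example GroupMember.Read.All). The request builders and response parsers are separate from the network calls so the logic can be checked offline against constructed responses.

```python
"""Pre-flight check: can the preenroll.json values obtain a Graph token and
resolve the enrollment group? Added example, not OFFPAD code."""
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

AUTHORITY = "https://login.microsoftonline.com"
GRAPH = "https://graph.microsoft.com/v1.0"


def token_request(cfg):
    """Build the OAuth 2.0 client-credentials request (URL, form body).
    Entra ID accepts the tenant's primary domain in place of the tenant ID."""
    url = f"{AUTHORITY}/{cfg['tenantName']}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": cfg["clientId"],
        "client_secret": cfg["clientSecret"],
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    return url, body


def parse_json(raw):
    """Both the token endpoint and Graph report failures with an 'error' member;
    surface it instead of continuing with a half-valid document."""
    data = json.loads(raw)
    if "error" in data:
        raise RuntimeError(json.dumps(data))
    return data


def parse_token(raw):
    return parse_json(raw)["access_token"]


def group_lookup_url(group_name):
    # OData string literal: an apostrophe in the name is doubled, then the whole
    # filter is percent-encoded so the request line contains no spaces.
    literal = group_name.replace("'", "''")
    flt = urllib.parse.quote(f"displayName eq '{literal}'")
    return f"{GRAPH}/groups?$filter={flt}&$select=id,displayName"


def parse_group_id(raw, group_name):
    """Display names are not unique in Entra ID: insist on exactly one match."""
    hits = parse_json(raw).get("value", [])
    if len(hits) != 1:
        raise RuntimeError(f"expected one group named {group_name!r}, found {len(hits)}")
    return hits[0]["id"]


def parse_members(raw):
    """One page of /members: keep user objects only (a group can also contain
    nested groups, devices and service principals, which cannot be enrolled;
    nested membership is not expanded) and return the next page link, if any."""
    page = parse_json(raw)
    users = [(m["id"], m["userPrincipalName"]) for m in page.get("value", [])
             if m.get("@odata.type") == "#microsoft.graph.user"]
    return users, page.get("@odata.nextLink")


def http(url, token=None, body=None):
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    req = urllib.request.Request(url, data=body, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.read().decode()  # error details are in the JSON body


def main(config_path):
    with open(config_path, encoding="utf-8") as f:
        cfg = json.load(f)
    url, body = token_request(cfg)
    token = parse_token(http(url, body=body))
    gid = parse_group_id(http(group_lookup_url(cfg["group"]), token), cfg["group"])
    next_url = f"{GRAPH}/groups/{gid}/members?$select=id,userPrincipalName"
    while next_url:
        users, next_url = parse_members(http(next_url, token))
        for uid, upn in users:
            print(uid, upn)


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else r"C:\Users\Public\Desktop\preenroll.json")
```

If the token call fails, the printed error body contains the AADSTS code, which tells you whether the secret, the client ID or the tenant name is wrong; if the group lookup finds zero or several groups, fix the "group" parameter before starting the application. Only members whose Graph type is user are listed, which is the population the application can actually enroll.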
Parameter: deleteExistingUserFIDOCredentials
If this parameter is true, all of the user's existing FIDO credentials are deleted before the new credential is added. Leave it false if users may already have other security keys registered that they should keep.
Parameter: group
The name of the Entra ID Group that holds the users to be enrolled.
Parameter: logLevel
The log level of the application. The default level, info, is recommended; change it only for troubleshooting purposes.
Parameter: pinLength
The number of digits in the PIN that is set on the OFFPAD+ during pre-enrollment.
Parameter: removeUsersFromEnrollmentGroup
If this parameter is true, the users are removed from the Entra ID group after enrollment.
Parameter: showHelp
If this parameter is true, the application prints help texts during startup.
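A config that was never edited, or was edited by hand into invalid JSON, is the most common reason the first run fails. The checker below is an added example, not part of the application. It assumes that the parameter set and the string-valued booleans and pinLength shown in the sample above are what the application expects (the page shows the format but does not say how strictly it is parsed; real JSON booleans are tolerated as well), and it uses the sample's own placeholder values to detect a config that still has them. The minimum PIN length of 4 is the CTAP2 minimum client PIN length.

```python
"""Sanity-check preenroll.json before starting the OFFPAD Pre-enrollment
Application. Added example, not OFFPAD code."""
import json
import re
import sys

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
REQUIRED = ("clientId", "clientSecret", "deleteExistingUserFIDOCredentials", "group",
            "logLevel", "pinLength", "removeUsersFromEnrollmentGroup", "showHelp", "tenantName")
FLAGS = ("deleteExistingUserFIDOCredentials", "removeUsersFromEnrollmentGroup", "showHelp")
# Placeholder values from the sample config; the app must not be run with these.
SAMPLE_VALUES = {"11111111-1111-1111-1111-111111111111",
                 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", "dummyTenant"}
MIN_PIN = 4  # CTAP2 minimum client PIN length

# Constructed inputs: the sample config as it appears on this page (note the
# trailing comma, which is not valid JSON) and a corrected, filled-in config.
SAMPLE_CONFIG = """{
"clientId": "11111111-1111-1111-1111-111111111111",
"clientSecret": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
"deleteExistingUserFIDOCredentials": "true",
"group": "FIDO Provisioning",
"logLevel": "info",
"pinLength": "4",
"removeUsersFromEnrollmentGroup": "false",
"showHelp": "false",
"tenantName": "dummyTenant",
}"""
GOOD_CONFIG = ('{"clientId": "3f2504e0-4f89-11d3-9a0c-0305e82c3301", "clientSecret": "redacted", '
               '"deleteExistingUserFIDOCredentials": "true", "group": "FIDO Provisioning", '
               '"logLevel": "info", "pinLength": "6", "removeUsersFromEnrollmentGroup": "false", '
               '"showHelp": "false", "tenantName": "contoso.onmicrosoft.com"}')


def is_flag(v):
    # Assumption: the app reads the string form shown in the sample; JSON booleans pass too.
    return isinstance(v, bool) or v in ("true", "false")


def validate(text):
    """Return a list of problems with a preenroll.json document; empty means OK."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as e:
        hint = " (trailing comma after the last parameter?)" if "property name" in e.msg else ""
        return [f"not valid JSON at line {e.lineno}, column {e.colno}: {e.msg}{hint}"]
    if not isinstance(cfg, dict):
        return ["top-level value must be an object"]
    problems = [f"missing parameter {k}" for k in REQUIRED if k not in cfg]
    problems += [f"unknown parameter {k} (typo?)" for k in cfg if k not in REQUIRED]
    for k in REQUIRED:
        if isinstance(cfg.get(k), str) and cfg[k] in SAMPLE_VALUES:
            problems.append(f"{k} still has the sample value")
    cid = cfg.get("clientId", "")
    if isinstance(cid, str) and cid and not GUID_RE.match(cid):
        problems.append("clientId must be the Application (client) ID GUID")
    if cfg.get("clientSecret") == "":
        problems.append("clientSecret is empty")
    tenant = cfg.get("tenantName", "")
    if isinstance(tenant, str) and tenant and "." not in tenant:
        problems.append("tenantName must be the primary domain (e.g. contoso.onmicrosoft.com)")
    if cfg.get("group") == "":
        problems.append("group is empty")
    for k in FLAGS:
        if k in cfg and not is_flag(cfg[k]):
            problems.append(f'{k} must be "true" or "false", got {cfg[k]!r}')
    pin = str(cfg.get("pinLength", ""))
    if "pinLength" in cfg and (not pin.isdigit() or int(pin) < MIN_PIN):
        problems.append(f"pinLength must be an integer of at least {MIN_PIN}, got {cfg['pinLength']!r}")
    return problems


def main(path):
    with open(path, encoding="utf-8") as f:
        problems = validate(f.read())
    for p in problems:
        print("preenroll.json:", p)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else r"C:\Users\Public\Desktop\preenroll.json"))
```

Run it against C:\Users\Public\Desktop\preenroll.json after editing the file in Notepad; a non-zero exit code means the application should not be started yet. Against the sample as printed on this page it reports the trailing comma; with the comma removed it reports the three placeholder values and that dummyTenant is not a domain name.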