OFFPAD Pre-enrollment
The OFFPAD Pre-enrollment application enables organizations to ship OFFPADs to end users preloaded with Entra ID credentials, enabling passwordless, phishing-resistant logins from day one.
Requirements
To use the OFFPAD Pre-enrollment application you need the following:
- A Windows laptop with admin privileges and an NFC reader attached
- The OFFPAD Pre-enrollment application installed
- An OFFPAD+ that has been reset or has never been used
- Access to create an app registration in Entra ID to provide the correct permissions and tokens
- Access to create an Entra ID group that holds the user(s) that you want to pre-enroll
How it works
The OFFPAD Pre-enrollment application does the following:
- Reads all the users from the Entra ID group using the Microsoft Entra ID FIDO2 provisioning APIs
- For each user, it asks you to tap a new (or reset) OFFPAD+ on the attached NFC reader
- For each OFFPAD+, a random PIN is set, and the OFFPAD+ is assigned to the user in Entra ID
- The OFFPAD Pre-enrollment application writes the userID, userName and PIN of the enrolled users to a file called preenroll.csv
Installing
Download and install the OFFPAD Pre-enrollment application from the Microsoft Store.
Setup
The config file, preenroll.json, and the output file, preenroll.csv, for the OFFPAD Pre-enrollment application can be found in the C:\Users\Public\Desktop folder.
The config file is created and opened in Notepad the first time you start the application and contains the following parameters:
{
"clientId": "11111111-1111-1111-1111-111111111111",
"clientSecret": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
"deleteExistingUserFIDOCredentials": "true",
"group": "FIDO Provisioning",
"logLevel": "info",
"pinLength": "4",
"removeUsersFromEnrollmentGroup": "false",
"showHelp": "false",
"tenantName": "dummyTenant"
}
Parameter: tenantName
The "tenantName" is the same as your Primary Domain.
Open the Microsoft Entra admin center and go to the Overview to find your Primary Domain.

Parameter: clientId and clientSecret
The client ID and the client secret are used by the OFFPAD Pre-enrollment application to talk to Entra ID. To get these values, you first have to create a new application in the Microsoft Entra admin center. Go to Applications->App registrations and select "New registration".

Give the new application a name. The application should be single tenant.

The Client ID is the same as the Application ID.

To get the client secret, go to the Certificates & Secrets section in the newly created application and click "New Client Secret".

Copy the new secret value from the newly created client secret.

Go to the API Permissions section to give the newly created application Microsoft Graph permissions.

Parameter: deleteExistingUserFIDOCredentials
If this parameter is true, all existing FIDO credentials will be deleted before the new credential is added.
Parameter: group
The name of the Entra ID Group that holds the users to be enrolled.
Parameter: logLevel
The log level of the application. The default level is "info"; it can be changed for troubleshooting purposes.
Parameter: pinLength
The number of digits used when setting the PIN during enrollment.
Parameter: removeUsersFromEnrollmentGroup
If this parameter is set to true, the users will be removed from the Entra ID Group after enrollment.
Parameter: showHelp
If this parameter is set to true, the application prints help texts during startup.
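
preenroll.json holds the client secret and preenroll.csv holds each enrolled user's PIN, and both sit in the shared C:\Users\Public\Desktop folder, so it is worth checking which accounts can read them on the enrollment laptop. The script below is an added example, not part of the OFFPAD Pre-enrollment application; the function name Get-UnexpectedReader and the allow-list (SYSTEM, local Administrators, the account running the script) are assumptions to adapt.

```powershell
# Added example (not vendor code): list principals outside an allow-list
# that hold an Allow entry with read access on the pre-enrollment files.
$Folder = 'C:\Users\Public\Desktop'            # location stated on this page
$Files  = 'preenroll.json', 'preenroll.csv'    # file names stated on this page

# Assumption: only SYSTEM, local Administrators and the enrolling operator
# (the account running this script) should be able to read these files.
$AllowedSids = @(
    'S-1-5-18',        # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',    # BUILTIN\Administrators
    [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
)

function Get-UnexpectedReader {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $AllowedSid
    )
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    $acl = Get-Acl -LiteralPath $Path
    # Explicit and inherited ACEs, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $grantsRead = $rule.AccessControlType -eq 'Allow' -and
                      (([int]$rule.FileSystemRights -band $readData) -ne 0)
        if (-not $grantsRead -or $rule.IdentityReference.Value -in $AllowedSid) { continue }
        # Resolve the SID to a name for the report; keep the SID if that fails.
        try   { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $rule.IdentityReference.Value }
        [pscustomobject]@{
            File      = Split-Path -Leaf $Path
            Principal = $name
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

$findings = foreach ($file in $Files) {
    $path = Join-Path $Folder $file
    if (Test-Path -LiteralPath $path) {
        Get-UnexpectedReader -Path $path -AllowedSid $AllowedSids
    }
}
if ($findings) { $findings | Format-Table -AutoSize }
else           { 'No unexpected read access found.' }
```

Each row is an account or group with an Allow entry that includes read access to the client secret or the PIN list. Deny entries and effective-access calculation are not evaluated.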