
OFFPAD Pre-enrollment

The OFFPAD Pre-enrollment Application enables organizations to ship OFFPADs to end users preloaded with Entra ID credentials, so that users get passwordless, phishing-resistant sign-in from day one.

Requirements

To use the OFFPAD Pre-enrollment Application you need the following:

  • A Windows laptop with admin privileges and an NFC reader attached.
  • The OFFPAD Pre-enrollment Application installed.
  • An OFFPAD+ that has been reset or has never been used.
  • Permission to create an app registration in Entra ID and grant it the permissions the application needs.
  • Permission to create an Entra ID group that holds the user(s) you want to pre-enroll.

How it works

The OFFPAD Pre-enrollment Application does the following:

  1. Reads all the users in the configured Entra ID group, using the Microsoft Entra ID FIDO2 provisioning APIs.
  2. For each user, asks you to tap a new (or reset) OFFPAD+ on the attached NFC reader.
  3. Sets a random PIN on that OFFPAD+ and registers the OFFPAD+ as a FIDO2 credential for the user in Entra ID.
  4. Writes the userID, userName and PIN of each enrolled user to a file called preenroll.csv.

Installing

Download and install the OFFPAD Pre-enrollment Application from the Microsoft Store.

Setup

The config file, preenroll.json, and the output file, preenroll.csv, of the OFFPAD Pre-enrollment Application are located in the C:\Users\Public\Desktop folder.
The config file is created and opened in Notepad the first time you start the application.
Note that C:\Users\Public\Desktop is readable by every account on the machine: preenroll.json holds the client secret and preenroll.csv holds every enrolled user's PIN in clear text. Hand the PINs to users over a separate channel, and delete preenroll.csv (and the client secret) when pre-enrollment is finished.

The config file contains the following parameters. All values, including the booleans and pinLength, are written as JSON strings, and there must be no comma after the last parameter:

{
  "clientId": "11111111-1111-1111-1111-111111111111",
  "clientSecret": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
  "deleteExistingUserFIDOCredentials": "true",
  "group": "FIDO Provisioning",
  "logLevel": "info",
  "pinLength": "4",
  "removeUsersFromEnrollmentGroup": "false",
  "showHelp": "false",
  "tenantName": "dummyTenant"
}

Parameter: tenantName

The tenantName is your tenant's Primary Domain (for example contoso.onmicrosoft.com).

Open the Microsoft Entra admin center and go to the Overview to find your Primary Domain.

[Screenshot: Tenant Name]

Parameter: clientId and clientSecret

The client ID and the client secret are used by the OFFPAD Pre-enrollment Application to authenticate to Entra ID. To get these values you first have to create a new application in the Microsoft Entra admin center. Go to Applications->App registrations and select "New registration". Grant the registration the Microsoft Graph application permissions the tool needs and give admin consent (this page does not list them; in Microsoft Graph, provisioning FIDO2 authentication methods requires the UserAuthenticationMethod.ReadWrite.All application permission, and reading group members requires a group-read permission). Treat the client secret like a password: with these permissions it can register sign-in credentials for any user in the tenant, so give it a short expiry and delete the app registration once pre-enrollment is finished.

[Screenshot: New Application]

Give the new application a name and leave the supported account type at single tenant ("Accounts in this organizational directory only").

[Screenshot: Name Application]

The client ID is the Application (client) ID shown on the application's Overview page.

[Screenshot: Application Done]

To get the client secret, go to the Certificates & secrets section of the newly created application and click "New client secret".

[Screenshot: Create a new secret]

Copy the value of the newly created client secret right away; it is only shown once, immediately after creation.

[Screenshot: Copy secret value]

Parameter: deleteExistingUserFIDOCredentials

If this parameter is "true", all of the user's existing FIDO2 credentials (including any security keys the user registered themselves) are deleted before the new credential is added. Set it to "false" if users may already have keys they should keep.

Parameter: group

The display name of the Entra ID group that holds the users to be enrolled.

Parameter: logLevel

The log level of the application. The default, info, is recommended; change it for troubleshooting.

Parameter: pinLength

The number of digits in the random PIN that is set on the OFFPAD+ during pre-enrollment.

Parameter: removeUsersFromEnrollmentGroup

If this parameter is "true", users are removed from the Entra ID group after enrollment, so a later run of the application only picks up users who have not yet been enrolled.

Parameter: showHelp

If this parameter is "true", the application prints help text at startup.
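The following script is an added example, not part of the OFFPAD product or this page. It checks a preenroll.json against the parameter rules described above (valid JSON without a trailing comma, placeholder values replaced, booleans spelled "true"/"false", pinLength at least 4, tenantName a domain) and then parses the preenroll.csv that the application writes, confirming that every PIN has pinLength digits. It assumes the CSV has a header row with the columns userID, userName and PIN and that PINs are digits only; the sample config and CSV rows are constructed for the example.

```python
"""Check preenroll.json and preenroll.csv for the OFFPAD Pre-enrollment Application.

Added example; it is not part of the OFFPAD product. The parameter rules follow
the parameter descriptions on the documentation page. Assumptions: preenroll.csv
has a header row with the columns userID, userName and PIN, and PINs are digits
only. All sample inputs below are constructed, not real tenant data.
"""
import csv
import io
import json
import re

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
PLACEHOLDER_CLIENT_ID = "11111111-1111-1111-1111-111111111111"
REQUIRED_PARAMS = (
    "clientId", "clientSecret", "deleteExistingUserFIDOCredentials", "group",
    "logLevel", "pinLength", "removeUsersFromEnrollmentGroup", "showHelp", "tenantName",
)
BOOL_PARAMS = ("deleteExistingUserFIDOCredentials", "removeUsersFromEnrollmentGroup", "showHelp")


def validate_config(text: str) -> list[str]:
    """Return the problems found in the text of preenroll.json; an empty list means it is usable."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as err:
        # The most common way to break this file is a comma after the last parameter.
        return [f"JSON: invalid at line {err.lineno}: {err.msg} "
                "(a trailing comma after the last parameter is a common cause)"]
    if not isinstance(cfg, dict):
        return ["JSON: top level must be an object"]
    problems = [f"{key}: missing" for key in REQUIRED_PARAMS if key not in cfg]
    client_id = str(cfg.get("clientId", ""))
    if client_id == PLACEHOLDER_CLIENT_ID or not GUID_RE.match(client_id):
        problems.append("clientId: must be the Application (client) ID of your app registration")
    secret = str(cfg.get("clientSecret", ""))
    if not secret or set(secret) == {"A"}:
        problems.append("clientSecret: empty or still the placeholder value")
    for key in BOOL_PARAMS:
        if str(cfg.get(key, "")).lower() not in ("true", "false"):
            problems.append(f'{key}: must be "true" or "false"')
    pin_length = str(cfg.get("pinLength", ""))
    if not pin_length.isdigit() or int(pin_length) < 4:
        problems.append("pinLength: must be an integer of at least 4 (the CTAP2 minimum PIN length)")
    tenant = str(cfg.get("tenantName", ""))
    if tenant == "dummyTenant" or "." not in tenant:
        problems.append("tenantName: must be the tenant's primary domain, e.g. contoso.onmicrosoft.com")
    if not str(cfg.get("group", "")).strip():
        problems.append("group: must name the Entra ID group holding the users to enroll")
    return problems


def parse_preenroll_csv(text: str, pin_length: int) -> tuple[list[dict], list[str]]:
    """Parse preenroll.csv into one dict per enrolled user and flag PINs that do not match pinLength."""
    rows = list(csv.DictReader(io.StringIO(text)))
    problems = []
    for line_no, row in enumerate(rows, start=2):  # line 1 of the file is the header
        pin = row.get("PIN") or ""  # assumed column name (see module docstring)
        if not (pin.isdigit() and len(pin) == pin_length):
            problems.append(f"line {line_no}: PIN for {row.get('userName')} is not {pin_length} digits")
    return rows, problems


# Constructed sample inputs. PLACEHOLDER_CONFIG mirrors the documented template;
# BROKEN_CONFIG adds the trailing comma that makes it invalid JSON.
PLACEHOLDER_CONFIG = """{
  "clientId": "11111111-1111-1111-1111-111111111111",
  "clientSecret": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
  "deleteExistingUserFIDOCredentials": "true",
  "group": "FIDO Provisioning",
  "logLevel": "info",
  "pinLength": "4",
  "removeUsersFromEnrollmentGroup": "false",
  "showHelp": "false",
  "tenantName": "dummyTenant"
}"""
BROKEN_CONFIG = PLACEHOLDER_CONFIG.replace('"dummyTenant"\n}', '"dummyTenant",\n}')
GOOD_CONFIG = json.dumps({**json.loads(PLACEHOLDER_CONFIG),
                          "clientId": "3f2504e0-4f89-11d3-9a0c-0305e82c3301",
                          "clientSecret": "example-secret-value-not-real",
                          "tenantName": "contoso.onmicrosoft.com"}, indent=2)
SAMPLE_CSV = """userID,userName,PIN
8d4e1f02-6a3b-4c5d-9e7f-0a1b2c3d4e5f,alice@contoso.onmicrosoft.com,4821
1a2b3c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d,bob@contoso.onmicrosoft.com,93017
"""

if __name__ == "__main__":
    for name, text in (("broken", BROKEN_CONFIG), ("placeholder", PLACEHOLDER_CONFIG), ("good", GOOD_CONFIG)):
        print(f"{name}: {validate_config(text) or 'OK'}")
    rows, problems = parse_preenroll_csv(SAMPLE_CSV, 4)
    print(f"{len(rows)} users enrolled; {problems or 'all PINs OK'}")
```

Run it before starting the application to catch a mangled preenroll.json, and after a run to confirm the CSV is complete before distributing PINs; once the PINs are delivered, delete preenroll.csv rather than keeping it on the shared Public desktop.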