OFFPAD Pre-enrollment
The OFFPAD Pre-enrollment application enables organizations to ship OFFPADs to end users preloaded with credentials for Entra ID, giving them passwordless, phishing-resistant logins from day one.
Requirements
To use the OFFPAD Pre-enrollment application you need to have the following:
- A Windows laptop with admin privileges and an NFC reader attached
- The OFFPAD Pre-enrollment application installed
- An OFFPAD+ that has been reset or has never been used
- Access to create an app registration in Entra ID, which provides the permissions and tokens the application needs
- Access to create an Entra ID group that holds the user(s) you want to pre-enroll
How it works
The OFFPAD Pre-enrollment application does the following:
- Reads all users from the Entra ID group using the Microsoft Entra ID FIDO2 provisioning APIs
- For each user it asks you to tap a new (or reset) OFFPAD+ on the attached NFC reader
- For each OFFPAD+ a random PIN is set, and the OFFPAD+ is assigned to the user in Entra ID
- The OFFPAD Pre-enrollment application writes the userID, userName and PIN of each enrolled user to a file called preenroll.csv
Installing
Download and install the OFFPAD Pre-enrollment application from the Microsoft Store.
Setup
The config file, preenroll.json, and the output file, preenroll.csv, for the OFFPAD Pre-enrollment application can be found in the C:\Users\Public\Desktop folder.
The config file is created and opened in Notepad the first time you start the application and contains the following parameters:
{
"clientId": "11111111-1111-1111-1111-111111111111",
"clientSecret": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
"deleteExistingUserFIDOCredentials": "true",
"group": "FIDO Provisioning",
"logLevel": "info",
"pinLength": "4",
"removeUsersFromEnrollmentGroup": "false",
"showHelp": "false",
"tenantName": "dummyTenant"
}
Parameter: tenantName
The "tenantName" is the same as your Primary Domain.
Open the Microsoft Entra admin center and go to the Overview to find your Primary Domain.
Parameter: clientId and clientSecret
The client ID and the client secret are used by the OFFPAD Pre-enrollment application to talk to Entra ID. To get these values you first have to create a new application in the Microsoft Entra admin center. Go to Applications->App registrations and select "New registration".
Give the new application a name. The application should be single tenant.
The Client ID is the same as Application ID.
To get the client secret, go to the Certificates & Secrets section of the newly created application and click "New Client Secret".
Copy the new secret value from the newly created client secret.
Parameter: deleteExistingUserFIDOCredentials
If this parameter is true all existing FIDO credentials will be deleted before the new credential is added.
Parameter: group
The name of the Entra ID Group that holds the users to be enrolled.
Parameter: logLevel
The log level of the application. The default level is "info"; it can be changed for troubleshooting purposes.
Parameter: pinLength
The number of digits used when setting the PIN during enrollment.
Parameter: removeUsersFromEnrollmentGroup
If this parameter is set to true the users will be removed from the Entra ID Group after enrollment.
Parameter: showHelp
If this parameter is set to true the application prints help texts during startup.
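The following is an added example, not code from the OFFPAD Pre-enrollment application, that models the config and output files described in Setup and the PIN step described in How it works: it parses a preenroll.json (constructed sample with placeholder values), rejects malformed settings before any OFFPAD+ is tapped, draws each PIN from the OS CSPRNG, and renders the preenroll.csv rows. The NFC tap and the Entra ID calls are not modelled, and the minimum pinLength of 4 is an assumption taken from the CTAP2 minimum PIN length.

```python
import csv
import io
import json
import secrets

# Constructed sample of the preenroll.json described above (placeholder tenant, ID and secret).
SAMPLE_CONFIG = """{
  "clientId": "11111111-1111-1111-1111-111111111111",
  "clientSecret": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
  "deleteExistingUserFIDOCredentials": "true",
  "group": "FIDO Provisioning",
  "logLevel": "info",
  "pinLength": "4",
  "removeUsersFromEnrollmentGroup": "false",
  "showHelp": "false",
  "tenantName": "dummyTenant"
}"""

BOOL_KEYS = ("deleteExistingUserFIDOCredentials", "removeUsersFromEnrollmentGroup", "showHelp")

def load_config(text):
    """Parse preenroll.json and coerce its string-typed values, rejecting bad settings before enrollment starts."""
    cfg = json.loads(text)  # a trailing comma after the last parameter fails here, not mid-enrollment
    for key in BOOL_KEYS:
        if cfg.get(key) not in ("true", "false"):
            raise ValueError(f'{key} must be "true" or "false"')
        cfg[key] = cfg[key] == "true"
    # Minimum of 4 is the CTAP2 minimum PIN length; whether OFFPAD+ enforces it is an assumption.
    if not cfg.get("pinLength", "").isdigit() or int(cfg["pinLength"]) < 4:
        raise ValueError("pinLength must be a whole number of at least 4")
    cfg["pinLength"] = int(cfg["pinLength"])
    return cfg

def generate_pin(length):
    """Numeric PIN from the OS CSPRNG (secrets, not the seedable random module); kept as a string so leading zeros survive."""
    return "".join(secrets.choice("0123456789") for _ in range(length))

def preenroll(cfg, users):
    """Give each user a fresh PIN; the NFC tap and the Entra ID assignment are not modelled here."""
    return [(u["id"], u["userPrincipalName"], generate_pin(cfg["pinLength"])) for u in users]

def render_preenroll_csv(rows):
    """Produce the userID, userName, PIN file the application writes as preenroll.csv."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["userID", "userName", "PIN"])
    writer.writerows(rows)
    return buf.getvalue()
```

Both files sit in the Public Desktop folder, which every account on the laptop can read, and between them they hold the client secret and every enrolled user's PIN, so move or delete them once the OFFPADs have shipped.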