EntraPass - Passkey Migration Assistant

Before You Start

EntraPass is an open-source (MIT) tool for assessing passkey readiness in your Microsoft Entra ID tenant.

What this tool does

Reads user profiles, devices, auth methods, and CA policies from your tenant via Microsoft Graph
Analyzes everything in your browser — no data leaves your machine
Requires an App Registration in your tenant for authentication

Security & Privacy

All data stays in your browser's memory — nothing is stored on servers
The scanner uses a SPA (PKCE) app registration with no client secrets
You can delete the app registration after scanning using the cleanup script
No external API calls beyond Microsoft Graph (unless you opt into the AI Assistant)

Prerequisites

A Microsoft Entra ID tenant (the one you want to scan)
Permissions to create App Registrations (Application Developer role or higher)
Admin consent for Graph delegated permissions (or consent interactively)

I understand and acknowledge the above terms. I am authorized to scan this tenant.

Create the Scanner App Registration

EntraPass needs an App Registration in your tenant to run the scan. Choose one option:

Option 1: Create in Azure Portal (Recommended)

Click below to open the Azure Portal App Registration creation blade:

Create App Registration

In Azure Portal, configure:
1. Name: entrapass-scanner
2. Accounts: "Only this organizational directory"
3. Redirect URI: SPA → your-portal-url
4. Click Register
5. Go to API Permissions > Add permissions
6. Add Microsoft Graph delegated permissions (7 scopes)
7. Grant admin consent

Option 2: Deploy via Azure Cloud Shell

Fastest option — one script creates everything:

Open Azure Cloud Shell (PowerShell)
Run this one-liner:

irm https://raw.githubusercontent.com/arusso-aboutcloud/EntraPass/main/infra/deploy-entrapass.ps1 | iex

Press Enter to accept the default portal URL. The script creates the app reg, adds all 7 permissions, grants admin consent, and prints your Client ID and Tenant ID.

Option 3: Manual (PowerShell Module)

For advanced users who want full control:

Connect-MgGraph -Scopes Application.ReadWrite.All
$app = New-MgApplication -DisplayName "entrapass-scanner" -SignInAudience AzureADMyOrg -Spa @{RedirectUris=@("https://entrapass.pages.dev")}

See the installation guide for the full script with all 7 permissions.

After deployment, come back here and click below.

Configure Your App Registration

Enter the values from your deployed App Registration.

Client ID (Application ID) Tenant ID (your directory ID) Portal URL (redirect URI)

Configuring...

Saving configuration...

🔑 EntraPass

Before You Start

What this tool does

Security & Privacy

Prerequisites

Create the Scanner App Registration

Option 1: Create in Azure Portal (Recommended)

Option 2: Deploy via Azure Cloud Shell

Option 3: Manual (PowerShell Module)

Configure Your App Registration

Configuring...

🔑 EntraPass

Passkey Migration Summary

User Passkey Readiness

Entra Tip: App Compatibility Check

Conditional Access Policy Analysis

AI Assistant