EntraPass - Passkey Migration Assistant

?? Before You Start

EntraPass is an open-source (MIT) tool for assessing passkey readiness in your Microsoft Entra ID tenant.

? What this tool does:

Reads user profiles, devices, auth methods, and CA policies from your tenant via Microsoft Graph
Analyzes everything in your browser � no data leaves your machine
Deploys a temporary App Registration to your tenant for authentication

? Security & Privacy

All data stays in your browser's memory — nothing is stored on servers
The scanner creates a SPA (PKCE) app registration with no client secrets
You can delete the app registration after scanning using the cleanup script
No external API calls beyond Microsoft Graph

? Prerequisites

A Microsoft Entra ID tenant (the one you want to scan)
Permissions to create App Registrations (Application Developer role or higher)
Admin consent for Graph delegated permissions (or consent interactively)

I understand and acknowledge the above terms. I am authorized to scan this tenant.

?? Deploy Scanner to Your Tenant

EntraPass needs an App Registration in your tenant to run the scan. Two options:

?? Option 1: Create in Azure Portal (Recommended)

Click below to open the Azure Portal App Registration creation blade:

?? Create App Registration

In Azure Portal, configure:
1. Name: entrapass-scanner
2. Accounts: "Only this organizational directory"
3. Redirect URI: SPA -> your-portal-url
4. Click Register
5. Go to API Permissions > Add permissions
6. Add Microsoft Graph delegated permissions (7 scopes)
7. Grant admin consent

?? Option 2: Deploy via Azure Cloud Shell

Fastest option — one script creates everything:

Open Azure Cloud Shell (PowerShell)
Run this one-liner:

irm https://raw.githubusercontent.com/arusso-aboutcloud/EntraPass/main/infra/deploy-entrapass.ps1 | iex

The script creates the app reg, adds all 7 permissions, and outputs your Client ID.

?? Option 3: Manual (PowerShell Module)

For advanced users who want full control:

Connect-MgGraph -Scopes Application.ReadWrite.All
$app = New-MgApplication -DisplayName "entrapass-scanner" -SignInAudience AzureADMyOrg -Spa @{RedirectUris=@("https://entrapass.pages.dev")}

See the installation guide for the full script with all 7 permissions.

?? After deployment, come back here and click below.

?? Configure Your App Registration

Enter the values from your deployed App Registration.

Client ID (from Bicep output) Tenant ID (your directory ID) Portal URL (redirect URI)

?? Configuring...

Saving configuration...

?? EntraPass

?? Before You Start

? What this tool does:

? Security & Privacy

? Prerequisites

?? Deploy Scanner to Your Tenant

?? Option 1: Create in Azure Portal (Recommended)

?? Option 2: Deploy via Azure Cloud Shell

?? Option 3: Manual (PowerShell Module)

?? Configure Your App Registration

?? Configuring...

?? EntraPass

Passkey Migration Summary

User Passkey Readiness

?? Entra Tip: App Compatibility Check

Conditional Access Policy Analysis

?? AI Assistant