Hi Ezra,
This is almost certainly one of two setups. The fastest way forward is to identify which one you have, then follow the matching path to add new staff.
First, confirm the stack. On a PC where a card works, run certutil -scinfo. If you see user certificates on the card -> it’s classic smart-card sign-in. If there are no certificates and users originally registered keys at aka.ms/mysecurityinfo -> it’s Microsoft Entra FIDO2 (passwordless).
If it’s FIDO2 passwordless:
Open Entra admin center > Protection > Authentication methods > FIDO2 Security Key and make sure it’s enabled and scoped to a group. Create the new user -> add them to that group -> issue a Temporary Access Pass (User > Authentication methods > Add method > TAP) -> user goes to https://aka.ms/mysecurityinfo, chooses Security key, taps the NFC key, sets a PIN, and finishes registration.
Windows sign-in will show Security key once devices are Azure AD joined or Hybrid joined and the policy “Use security keys for sign-in” is enabled (Intune Account protection or the equivalent GPO). You can manage or revoke keys per user under Entra > Users > Authentication methods. Keep one break-glass admin that does not rely on a security key.
If it’s smart-card (certificate-based):
You’ll need access to the Certificate Authority or card-management tool the previous admin used. Create the user with the correct UPN -> enroll a Smart Card Logon certificate for that user -> write it to the NFC card and set a PIN -> test logon on a domain-joined PC. If cloud sign-in with cards is required, enable Entra Certificate-based Authentication and upload the issuing CA chain. If you cannot locate the CA or issuance process, the pragmatic fix is to migrate new hires to FIDO2 keys now while existing users continue on their cards.
Hybrid clues like a Kerberos server and AAD Connect simply mean you’re in on-prem AD + Entra; that doesn’t block either approach above. If some PCs don’t show the Security key option, verify the join status with dsregcmd /status and push the Windows Hello for Business “Use security keys for sign-in” policy again.
Pick the path that matches your environment. I hope you find this helpful!
Regards,
Finn
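As an added illustration of the FIDO2 path above (this is example code, not part of Finn's reply and not a Microsoft-provided script): one PowerShell helper that adds the new hire to the policy group, issues a single-use Temporary Access Pass, lists the keys registered to the user, and includes the client-side join check. It assumes the Microsoft Graph PowerShell SDK is installed, the operator holds a role allowed to manage authentication methods, and that `$NewHireUpn` and `$Fido2GroupId` are placeholders you replace with your own values.

```powershell
# Added example, not from the original reply. Assumes the Microsoft.Graph SDK
# modules are installed and the caller is permitted to manage auth methods.
# $NewHireUpn and $Fido2GroupId are placeholders for your tenant's values.
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Groups, Microsoft.Graph.Identity.SignIns

param(
    [Parameter(Mandatory)] [string] $NewHireUpn,    # placeholder, e.g. new.hire@yourtenant.example
    [Parameter(Mandatory)] [string] $Fido2GroupId   # placeholder: object ID of the group the FIDO2 policy targets
)

# Least-privilege scopes for exactly what this script does.
Connect-MgGraph -Scopes 'User.Read.All', 'GroupMember.ReadWrite.All', 'UserAuthenticationMethod.ReadWrite.All'

# 1. Resolve the user (created beforehand with the correct UPN) and put them in
#    the group that the "FIDO2 Security Key" authentication-method policy is scoped to.
$user = Get-MgUser -UserId $NewHireUpn
New-MgGroupMember -GroupId $Fido2GroupId -DirectoryObjectId $user.Id

# 2. Issue a Temporary Access Pass: short-lived and single use, because it is only a
#    bootstrap credential that lets the user register the key at aka.ms/mysecurityinfo.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id `
           -LifetimeInMinutes 60 -IsUsableOnce:$true
Write-Host "TAP for $NewHireUpn (valid $($tap.LifetimeInMinutes) min, single use): $($tap.TemporaryAccessPass)"
Write-Host 'Deliver it to the user out of band, not by e-mail to the new mailbox.'

# 3. Inventory the security keys registered to the user. Re-run this after
#    onboarding to confirm registration; when a key is lost, revoke it with
#    Remove-MgUserAuthenticationFido2Method -UserId <id> -Fido2AuthenticationMethodId <keyId>.
Get-MgUserAuthenticationFido2Method -UserId $user.Id |
    Select-Object Id, DisplayName, Model, AaGuid, CreatedDateTime

# 4. Client-side check, to run on a PC that does not offer "Security key" at sign-in:
#    the option only appears on Azure AD joined or Hybrid joined devices.
function Get-DeviceJoinState {
    $status = dsregcmd /status
    $field = {
        param($name)
        $m = $status | Select-String -Pattern "$name\s*:\s*(\w+)" | Select-Object -First 1
        if ($m) { $m.Matches[0].Groups[1].Value } else { 'UNKNOWN' }
    }
    [pscustomobject]@{
        AzureAdJoined = & $field 'AzureAdJoined'
        DomainJoined  = & $field 'DomainJoined'
    }
}
# Example: $j = Get-DeviceJoinState; if ($j.AzureAdJoined -ne 'YES') { 'Join the device first' }
```

Run steps 1 to 3 from the admin workstation; run `Get-DeviceJoinState` on the affected client. If `AzureAdJoined` is `NO`, the sign-in policy will not help until the device is joined, which matches the dsregcmd check suggested above.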