Nitrokey FIDO2 AAGUID for


I want to use my FIDO2 key as logon option in Azure AD.
According to these release note:

the actual firmware should support “AAGUID”, which I need for unlocking the Nitrokey FIDO2 keys in Azure AD, because only certain key types should be allowed (Restrict specific keys).

I could not find any docs like for the YubiKeys in your forum, Q&A, …

Thanks and BR SteCee

Right, we need to publish such information more obvious. Our AAGUID is 04 10 C3 9E FB A6 FC F4 4C 3E 82 8B FC 4A 61 15 A0 FF

1 Like

Hi Jan,

thank you for your support.

The AAGUID to be entered in Azure and for YubiKey communicated is like described here:

The error message is:
The input must be in a valid Guid format. Example: 12345678-0000-0000-0000-123456780000

The Nitrokey is 4-CHAR longer than these other AAGUIDs (here: A0 FF).
It should be a 128-bit identifier.



Sorry for the confusion. The pasted AAGUID is encoded in the DER format, where the first two bytes mean type and length of the data respectively. The actual AAGUID is:

  • C3 9E FB A6 FC F4 4C 3E 82 8B FC 4A 61 15 A0 FF, or
  • c39efba6-fcf4-4c3e-828b-fc4a6115a0ff

And this is what is returned to the host on the query.
Source code.

Edit: metadata files are at: