This article covers deployment frequently asked questions (FAQs) for hybrid Azure AD joined devices and passwordless sign-in to on-prem resources. With this passwordless feature, you can enable Azure AD authentication on Windows 10 devices for hybrid Azure AD joined devices using FIDO2 security keys. Users can sign into Windows on their devices with modern credentials like FIDO2 keys and access traditional Active Directory Domain Services (AD DS) based resources with a seamless single sign-on (SSO) experience to their on-prem resources.
The following scenarios for users in a hybrid environment are supported:
- Sign in to hybrid Azure AD joined devices using FIDO2 security keys and get SSO access to on-prem resources.
- Sign in to Azure AD joined devices using FIDO2 security keys and get SSO access to on-prem resources.
To get started with FIDO2 security keys and hybrid access to on-premises resources, see the following articles:
- Passwordless FIDO2 security keys
- Passwordless Windows 10
- Passwordless on-premises
Security keys
- My organization requires multi-factor authentication to access resources. What can I do to support this requirement?
- Where can I find compliant FIDO2 security keys?
- What if I lose my security key?
- How is the data protected on the FIDO2 security key?
- How does the registering of FIDO2 security keys work?
- Is there a way for admins to provision the keys for the users directly?
My organization requires multi-factor authentication to access resources. What can I do to support this requirement?
FIDO2 security keys come in a variety of form factors. Contact the device manufacturer of interest to discuss how their devices can be enabled with a PIN or biometric as a second factor. For a list of supported providers, see FIDO2 security keys providers.
Where can I find compliant FIDO2 security keys?
For a list of supported providers, see FIDO2 security keys providers.
What if I lose my security key?
You can remove keys in the Azure portal by navigating to the Security info page and removing the FIDO2 security key.
How is the data protected on the FIDO2 security key?
FIDO2 security keys have secure enclaves that protect the private keys stored on them. Like Windows Hello, a FIDO2 security key also has anti-hammering properties built in, so the private key can't be extracted.
How does the registering of FIDO2 security keys work?
For more information on how to register and use FIDO2 security keys, see Enable passwordless security key sign-in.
Is there a way for admins to provision the keys for the users directly?
No, not at this time.
Why am I getting "NotAllowedError" in the browser when registering FIDO2 keys?
The FIDO2 security key registration page returns "NotAllowedError" when the browser can't access the key's private key. This typically happens when the user is in a private (Incognito) window or in a remote desktop session, where access to the FIDO2 private key isn't possible.
Prerequisites
- Does this feature work if there's no internet connectivity?
- What are the specific endpoints that are required to be open to Azure AD?
- How do I identify the domain join type (Azure AD joined or hybrid Azure AD joined) for my Windows 10 device?
- What's the recommendation on the number of DCs that should be patched?
- Can I deploy the FIDO2 credential provider on an on-premises only device?
- FIDO2 security key sign-in isn't working for my Domain Admin or other high privilege accounts. Why?
Does this feature work if there's no internet connectivity?
Internet connectivity is a prerequisite for enabling this feature. The first time a user signs in using FIDO2 security keys, they must have internet connectivity. For subsequent sign-in events, cached sign-in should work and let the user authenticate without internet connectivity.
For a consistent experience, make sure that devices have internet access and line of sight to DCs.
What are the specific endpoints that are required to be open to Azure AD?
The following endpoints are needed for registration and authentication:
- *.microsoftonline.com
- *.microsoftonline-p.com
- *.msauth.net
- *.msauthimages.net
- *.msecnd.net
- *.msftauth.net
- *.msftauthimages.net
- *.phonefactor.net
- enterpriseregistration.windows.net
- management.azure.com
- policykeyservice.dc.ad.msft.net
- secure.aadcdn.microsoftonline-p.com
For a full list of endpoints needed to use Microsoft online products, see Office 365 URLs and IP address ranges.
How do I identify the domain join type (Azure AD joined or hybrid Azure AD joined) for my Windows 10 device?
To check if the Windows 10 client device has the right domain join type, use the following command:
    dsregcmd /status
The following sample output shows that the device is Azure AD joined, as AzureAdJoined is set to YES:
    +----------------------------------------------------------------------+
    | Device State                                                         |
    +----------------------------------------------------------------------+
                 AzureAdJoined : YES
              EnterpriseJoined : NO
                  DomainJoined : NO
The following sample output shows that the device is hybrid Azure AD joined, as DomainJoined is also set to YES. The on-premises domain is shown in DomainName:
    +----------------------------------------------------------------------+
    | Device State                                                         |
    +----------------------------------------------------------------------+
                 AzureAdJoined : YES
              EnterpriseJoined : NO
                  DomainJoined : YES
                    DomainName : CONTOSO
On a Windows Server 2016 or 2019 domain controller, check that the following patches are applied. If needed, run Windows Update to install them:
- Windows Server 2016 - KB4534307
- Windows Server 2019 - KB4534321
From a client device, run the following command to verify connectivity to an appropriate domain controller with the patches installed:
    nltest /dsgetdc:<domain> /keylist /kdc
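The three checks above (join type, key-list capable DC, DC update) wrapped into one script, as an added example that is not from the original article. It assumes it runs on the Windows 10 client with rights to query the DC remotely; the KB-to-OS mapping is the one the article gives, and the function and variable names are this example's own.

```powershell
# Added example, not from the original article: classify the client's join type from
# "dsregcmd /status", then confirm a DC advertising the Kerberos key-list capability is
# reachable and, where possible, that the KB named in the article is installed on it.

function Get-DeviceJoinType {
    # dsregcmd prints one "Name : Value" field per line. The hashtable lookup is
    # case-insensitive, so AzureAdJoined and AzureADJoined both match.
    $fields = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z0-9_]+)\s*:\s*(.*?)\s*$') {
            $fields[$matches[1]] = $matches[2]
        }
    }
    $aad    = $fields['AzureAdJoined'] -eq 'YES'
    $domain = $fields['DomainJoined']  -eq 'YES'
    $type = if ($aad -and $domain) { 'HybridAzureADJoined' }
            elseif ($aad)          { 'AzureADJoined' }
            elseif ($domain)       { 'DomainJoinedOnly' }   # FIDO2 provider won't appear here
            else                   { 'NotJoined' }
    [pscustomobject]@{ JoinType = $type; DomainName = $fields['DomainName'] }
}

function Find-KeyListDc {
    # The same nltest check the article gives, wrapped so the DC name can be reused.
    param([Parameter(Mandatory)][string]$Domain)
    $out = nltest /dsgetdc:$Domain /keylist /kdc
    if ($LASTEXITCODE -ne 0) { return $null }
    # nltest reports the chosen DC as "DC: \\dc01.contoso.com"
    $dcLine = $out | Where-Object { $_ -match '^\s*DC:\s*\\\\(\S+)' } | Select-Object -First 1
    if ($dcLine -match '\\\\(\S+)') { return $matches[1] } else { return $null }
}

function Test-DcKeyListUpdate {
    # Maps the DC's OS to the KB from the article. Caveat: a later cumulative update
    # supersedes these KBs and Get-HotFix then lists only the newer one, so $false here
    # is not proof the DC is unpatched; the nltest /keylist result is the authoritative test.
    param([Parameter(Mandatory)][string]$DcName)
    $requiredKb = @{ '2016' = 'KB4534307'; '2019' = 'KB4534321' }
    $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $DcName
    $release = $requiredKb.Keys | Where-Object { $os.Caption -match $_ } | Select-Object -First 1
    if (-not $release) { return $null }   # not Windows Server 2016/2019, nothing to check
    $hotfix = Get-HotFix -Id $requiredKb[$release] -ComputerName $DcName -ErrorAction SilentlyContinue
    return [bool]$hotfix
}

# Usage: run on the client; the remote DC queries need admin rights on the DC.
$device = Get-DeviceJoinType
$device
if ($device.JoinType -eq 'HybridAzureADJoined' -and $device.DomainName) {
    $dc = Find-KeyListDc -Domain $device.DomainName
    if ($dc) {
        "Key-list capable DC: $dc"
        "Article KB present on DC (see caveat): $(Test-DcKeyListUpdate -DcName $dc)"
    } else {
        'No DC advertising the key-list capability was found; check the DC updates.'
    }
}
```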
What's the recommendation on the number of DCs that should be patched?
We recommend patching a majority of your Windows Server 2016 or 2019 domain controllers with the patches listed above, so they can handle your organization's authentication request load.
Can I deploy the FIDO2 credential provider on an on-premises only device?
No, this feature isn't supported for on-premises only devices. The FIDO2 credential provider doesn't appear on them.
FIDO2 security key sign-in isn't working for my Domain Admin or other high privilege accounts. Why?
The default security policy doesn't grant Azure AD permission to sign high privilege accounts on to on-premises resources.
To unblock the accounts, use Active Directory Users and Computers to modify the msDS-NeverRevealGroup property of the Azure AD Kerberos Computer object (CN=AzureADKerberos,OU=Domain Controllers,<domain-DN>).
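The same attribute inspected and changed from PowerShell instead of Active Directory Users and Computers, as an added example that is not from the original article. It assumes the ActiveDirectory module is available; the function names and the sample account name are this example's own.

```powershell
# Added example, not from the original article: list the groups whose secrets the Azure AD
# Kerberos object is never allowed to reveal (msDS-NeverRevealGroup), test whether a given
# account falls under that list, and remove one group from it.
Import-Module ActiveDirectory

function Get-AzureAdKerberosObjectDn {
    # Object name and container are fixed by the article; only the domain DN varies.
    "CN=AzureADKerberos,OU=Domain Controllers,$((Get-ADDomain).DistinguishedName)"
}

function Get-AzureAdKerberosNeverReveal {
    # Returns the DNs (groups, or individual principals) on the never-reveal list.
    $obj = Get-ADComputer -Identity (Get-AzureAdKerberosObjectDn) -Properties 'msDS-NeverRevealGroup'
    @($obj.'msDS-NeverRevealGroup')
}

function Test-AccountBlockedFromAzureAdKerberos {
    # $true when the account itself, or any group it belongs to (nested membership resolved
    # with the LDAP_MATCHING_RULE_IN_CHAIN filter), appears on the never-reveal list.
    # Caveat: DNs containing ( ) * or \ would need LDAP escaping before use in the filter.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user  = Get-ADUser -Identity $SamAccountName
    $never = Get-AzureAdKerberosNeverReveal
    $chain = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
             Select-Object -ExpandProperty DistinguishedName
    $candidates = @($user.DistinguishedName)
    if ($chain) { $candidates += $chain }
    $hits = @($candidates | Where-Object { $never -contains $_ })
    [pscustomobject]@{ Account = $SamAccountName; Blocked = ($hits.Count -gt 0); MatchedEntries = $hits }
}

function Remove-AzureAdKerberosNeverReveal {
    # Removes one group from the list. Afterwards Azure AD can issue TGTs for that group's
    # members, so prefer a narrowly scoped group over removing broad built-in groups.
    param([Parameter(Mandatory)][string]$GroupName)
    $group = Get-ADGroup -Identity $GroupName
    Set-ADComputer -Identity (Get-AzureAdKerberosObjectDn) `
        -Remove @{ 'msDS-NeverRevealGroup' = $group.DistinguishedName }
}

# Usage: inspect first, then decide what to change.
Get-AzureAdKerberosNeverReveal
Test-AccountBlockedFromAzureAdKerberos -SamAccountName 'da-alice'   # constructed sample account
# Remove-AzureAdKerberosNeverReveal -GroupName 'Tier0-FIDO2-Pilot'   # constructed group; run only after review
```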
Under the hood
- How is Azure AD Kerberos linked to my on-premises Active Directory Domain Services environment?
- Where can I view these Kerberos server objects that are created in AD and published in Azure AD?
- Why can't we have the public key registered to on-premises AD DS so there is no dependency on the internet?
- How are the keys rotated on the Kerberos server object?
- Why do we need Azure AD Connect? Does it write any info back to AD DS from Azure AD?
- What does the HTTP request/response look like when requesting PRT+ partial TGT?
How is Azure AD Kerberos linked to my on-premises Active Directory Domain Services environment?
There are two parts: the on-premises AD DS environment and the Azure AD tenant.
Active Directory Domain Services (AD DS)
The Azure AD Kerberos server is represented in an on-premises AD DS environment as a domain controller (DC) object. This DC object is made up of multiple objects:
CN=AzureADKerberos,OU=Domain Controllers,<domain-DN>
A Computer object that represents a Read-Only Domain Controller (RODC) in AD DS. There's no computer associated with this object. Instead, it's a logical representation of a DC.
CN=krbtgt_AzureAD,CN=Users,<domain-DN>
A User object that represents a RODC Kerberos Ticket Granting Ticket (TGT) encryption key.
CN=900274c4-b7d2-43c8-90ee-00a9f650e335,CN=AzureAD,CN=System,<domain-DN>
A ServiceConnectionPoint object that stores metadata about the Azure AD Kerberos Server objects. The administrative tools use this object to identify and locate the Azure AD Kerberos Server objects.
Azure Active Directory
The Azure AD Kerberos Server is represented in Azure AD as a KerberosDomain object. Each on-premises AD DS environment is represented as a single KerberosDomain object in the Azure AD tenant.
For example, you may have an AD DS forest with two domains such as contoso.com and fabrikam.com. If you allow Azure AD to issue Kerberos Ticket Granting Tickets (TGTs) for the entire forest, there are two KerberosDomain objects in Azure AD - one object for contoso.com and one for fabrikam.com.
If you have multiple AD DS forests, you have one KerberosDomain object for each domain in each forest.
Where can I view these Kerberos server objects that are created in AD DS and published in Azure AD?
To view all objects, use the Azure AD Kerberos Server PowerShell cmdlets included with the latest version of Azure AD Connect.
For more information, including instructions on how to view the objects, see create a Kerberos Server object.
Why can't we have the public key registered to on-premises AD DS so there is no dependency on the internet?
We received feedback about the complexity of the Windows Hello for Business deployment model, so we wanted to simplify this deployment model without requiring certificates and PKI (FIDO2 doesn't use certificates).
How are the keys rotated on the Kerberos server object?
Like any other DC's, the Azure AD Kerberos Server's krbtgt encryption keys should be rotated on a regular basis. We recommend following the same schedule you use to rotate all other AD DS krbtgt keys.
Note
Although there are other tools to rotate the krbtgt keys, you must use the PowerShell cmdlets to rotate the krbtgt keys of your Azure AD Kerberos Server. This method makes sure that the keys are updated in both the on-premises AD DS environment and in Azure AD.
Why do we need Azure AD Connect? Does it write any info back to AD DS from Azure AD?
Azure AD Connect doesn't write information back from Azure AD to AD DS. The utility includes the PowerShell module used to create the Kerberos Server object in AD DS and publish it in Azure AD.
What does the HTTP request/response look like when requesting PRT+ partial TGT?
The HTTP request is a standard Primary Refresh Token (PRT) request. This PRT request includes a claim indicating a Kerberos Ticket Granting Ticket (TGT) is needed.
| Claim | Value | Description |
|---|---|---|
| tgt | true | Indicates that the client needs a TGT. |
Azure AD combines the encrypted client key and message buffer into the PRT response as additional properties. The payload is encrypted using the Azure AD Device session key.
| Field | Type | Description |
|---|---|---|
| tgt_client_key | string | Base64-encoded client key (secret). This key is the client secret used to protect the TGT. In this passwordless scenario, the client secret is generated by the server as part of each TGT request and then returned to the client in the response. |
| tgt_key_type | int | The on-premises AD DS key type used for both the client key and the Kerberos session key included in the KERB_MESSAGE_BUFFER. |
| tgt_message_buffer | string | Base64-encoded KERB_MESSAGE_BUFFER. |
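A consistency check over the three TGT fields of a decrypted PRT response, as an added example that is not from the original article. It works on the plaintext JSON (decryption with the device session key is not shown), the sample response is constructed, and it assumes tgt_key_type carries the standard Kerberos encryption type numbers (18 = AES256-CTS-HMAC-SHA1-96, 17 = AES128-CTS-HMAC-SHA1-96, 23 = RC4-HMAC).

```powershell
# Added example, not from the original article: validate the TGT fields of a decrypted PRT
# response. Etype numbers are the standard Kerberos ones and are assumed to be what
# tgt_key_type carries; KERB_MESSAGE_BUFFER is treated as opaque.
$KerberosEtype = @{
    18 = @{ Name = 'AES256-CTS-HMAC-SHA1-96'; KeyBytes = 32 }
    17 = @{ Name = 'AES128-CTS-HMAC-SHA1-96'; KeyBytes = 16 }
    23 = @{ Name = 'RC4-HMAC';                KeyBytes = 16 }
}

function Read-PrtTgtFields {
    param([Parameter(Mandatory)][string]$DecryptedJson)
    $prt = $DecryptedJson | ConvertFrom-Json
    foreach ($f in 'tgt_client_key', 'tgt_key_type', 'tgt_message_buffer') {
        if (-not $prt.PSObject.Properties[$f]) { throw "Missing field: $f" }
    }
    # Cast to [int]: ConvertFrom-Json may yield Int64, which would miss the Int32 keys above.
    $etype = $KerberosEtype[[int]$prt.tgt_key_type]
    if (-not $etype) { throw "Unknown tgt_key_type $($prt.tgt_key_type)" }
    $key    = [Convert]::FromBase64String($prt.tgt_client_key)
    $buffer = [Convert]::FromBase64String($prt.tgt_message_buffer)
    # The client key must be a full key for the declared etype, or the TGT can't be unwrapped.
    if ($key.Length -ne $etype.KeyBytes) {
        throw "Client key is $($key.Length) bytes, expected $($etype.KeyBytes) for $($etype.Name)"
    }
    [pscustomobject]@{
        KeyType            = $etype.Name
        ClientKeyBytes     = $key.Length
        MessageBufferBytes = $buffer.Length
    }
}

# Constructed sample response: a 32-byte AES256 client key and a 48-byte opaque buffer.
$sample = @{
    tgt_client_key     = [Convert]::ToBase64String([byte[]](1..32))
    tgt_key_type       = 18
    tgt_message_buffer = [Convert]::ToBase64String([byte[]](1..48))
} | ConvertTo-Json
Read-PrtTgtFields -DecryptedJson $sample
```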
Next steps
To get started with FIDO2 security keys and hybrid access to on-premises resources, see the following articles:
- Passwordless FIDO2 security keys
- Passwordless Windows 10
- Passwordless on-premises