Azure AD – Passwordless with FIDO2 now in preview for hybrid deployments

As you may already be aware, passwordless sign-in with FIDO2 keys has been in preview for quite some time for Azure AD joined devices and browser sign-ins (see https://t.co/6HfQaQrsuR).

Well, good news: you can now also use FIDO2 keys to authenticate on Azure AD hybrid joined devices, i.e. Windows 10 devices joined to an Active Directory domain and registered in Azure Active Directory.

You can check whether a device is Azure AD joined or hybrid joined in the Azure AD portal (https://aad.portal.azure.com/) or the Azure portal (https://portal.azure.com), under the Azure Active Directory\Devices\All devices blade.


Then (if not done already) you need to ensure the prerequisites below are in place:

Then you enable the hybrid settings:

  • From your Azure AD Connect server, create the Kerberos server object using the PowerShell commands below; this creates a disabled user account called krbtgt_AzureAD located in the default Users OU

Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADKerberos\AzureAdKerberos.psd1"

$domain = "<your AD domain>"
$cloudCred = Get-Credential    # Azure AD Global Administrator credentials
$domainCred = Get-Credential   # on-premises Domain Administrator credentials
Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred


  • You can check that the process completed successfully using the PowerShell command

Get-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred

  • If for some reason you need to remove this object, just use the command

Remove-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred

NOTE: if you also use Seamless SSO, you are already aware that you need to rotate the krbtgt encryption keys regularly; the same applies here. Just use the command

Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred -RotateServerKey
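As an added example (not from the original post), here is a small health check that ties the steps above together: it confirms a client is actually hybrid joined via dsregcmd, confirms the krbtgt_AzureAD account exists and is disabled, and flags when the Kerberos server key is overdue for rotation. It assumes the RSAT ActiveDirectory module is installed on the Azure AD Connect server; the KeyVersion, CloudKeyVersion and KeyUpdatedOn property names on the Get-AzureADKerberosServer output, and the 30-day rotation threshold, are assumptions and not taken from this post.

```powershell
# Added example: health check for the Azure AD Kerberos (FIDO2 hybrid) setup.
function Get-DsregValue {
    # Pull one "Name : Value" field out of the text that dsregcmd /status prints.
    param([string[]]$StatusText, [string]$Name)
    foreach ($line in $StatusText) {
        if ($line -match "^\s*$Name\s*:\s*(\S+)") { return $Matches[1] }
    }
    return 'UNKNOWN'
}

function Test-HybridJoin {
    # Run on the Windows 10 client: hybrid join means BOTH flags read YES.
    $status = dsregcmd /status
    $azure  = Get-DsregValue -StatusText $status -Name 'AzureAdJoined'
    $domain = Get-DsregValue -StatusText $status -Name 'DomainJoined'
    [pscustomobject]@{
        AzureAdJoined  = $azure
        DomainJoined   = $domain
        IsHybridJoined = ($azure -eq 'YES' -and $domain -eq 'YES')
    }
}

function Test-AzureADKerberosObject {
    # Run on the Azure AD Connect server, like the post's Set-/Get-AzureADKerberosServer commands.
    param([string]$Domain, [pscredential]$CloudCred, [pscredential]$DomainCred,
          [int]$MaxKeyAgeDays = 30)   # assumed rotation threshold, adjust to your policy

    Import-Module ActiveDirectory
    $acct = Get-ADUser -Filter "SamAccountName -eq 'krbtgt_AzureAD'" -Properties Enabled, PasswordLastSet
    if (-not $acct) { throw 'krbtgt_AzureAD not found: Set-AzureADKerberosServer has not been run for this domain' }
    if ($acct.Enabled) { Write-Warning 'krbtgt_AzureAD is ENABLED; Set-AzureADKerberosServer creates it disabled' }

    Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADKerberos\AzureAdKerberos.psd1'
    $srv = Get-AzureADKerberosServer -Domain $Domain -CloudCredential $CloudCred -DomainCredential $DomainCred
    $keyAge = (Get-Date) - [datetime]$srv.KeyUpdatedOn   # property name assumed, see lead-in
    [pscustomobject]@{
        Account         = $acct.DistinguishedName
        Disabled        = -not $acct.Enabled
        KeyVersion      = $srv.KeyVersion
        CloudKeyVersion = $srv.CloudKeyVersion
        KeysInSync      = ($srv.KeyVersion -eq $srv.CloudKeyVersion)  # on-prem and cloud copies must match
        KeyAgeDays      = [int]$keyAge.TotalDays
        RotationOverdue = ($keyAge.TotalDays -gt $MaxKeyAgeDays)      # if $true, run Set-AzureADKerberosServer -RotateServerKey
    }
}

# Usage (on the AD Connect server):
# Test-AzureADKerberosObject -Domain '<your AD domain>' -CloudCred (Get-Credential) -DomainCred (Get-Credential)
```

A device reporting IsHybridJoined = $false, or a server result with KeysInSync = $false, explains most failed FIDO2 sign-ins before you start looking at the key itself.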

KNOWN LIMITATION/ISSUE

If your password has expired, FIDO2 authentication will fail. You need to update your password to make it work again.

That’s it folks, you have enabled FIDO2 authentication for your Active Directory domain joined Windows 10 devices.
