Azure AD – Passwordless with FIDO2 now in preview for hybrid deployments

As you may already be aware, support for passwordless sign-in with FIDO2 keys has been in preview for quite some time for Azure AD joined devices and browser sign-ins (see https://t.co/6HfQaQrsuR).

Well, good news: you can now also use FIDO2 keys to authenticate on Azure AD Hybrid joined devices, that is, Windows 10 devices joined to an Active Directory domain and registered in Azure Active Directory.

You can check whether a device is Azure AD joined or Hybrid joined in the Azure AD portal (https://aad.portal.azure.com/) or the Azure portal (https://portal.azure.com) by opening the Azure Active Directory\Devices\All devices blade.
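If you would rather check the join state on the device itself than in the portal, the following script (an added example, not from the original post) parses the output of dsregcmd /status, which ships with Windows 10. It assumes the tool's "Name : Value" line format and the AzureAdJoined / DomainJoined / TenantName field names as dsregcmd prints them; a device reporting YES for both AzureAdJoined and DomainJoined is Hybrid Azure AD joined.

```powershell
# Added example (not part of the original post): determine a Windows 10 device's
# join state locally by parsing dsregcmd /status.
# Assumption: dsregcmd prints one "Name : Value" pair per line (as it does on Windows 10).
function Get-DeviceJoinState {
    $status = dsregcmd /status
    $fields = @{}
    foreach ($line in $status) {
        # Field names are single tokens; values may themselves contain colons (URLs).
        if ($line -match '^\s*(\S+)\s*:\s*(\S.*)$') {
            $fields[$matches[1]] = $matches[2].Trim()
        }
    }

    $azureAdJoined = $fields['AzureAdJoined'] -eq 'YES'
    $domainJoined  = $fields['DomainJoined']  -eq 'YES'

    $state = if ($azureAdJoined -and $domainJoined) { 'Hybrid Azure AD joined' }
             elseif ($azureAdJoined)                { 'Azure AD joined' }
             elseif ($domainJoined)                 { 'Domain joined only (not registered in Azure AD)' }
             else                                   { 'Not joined' }

    [pscustomobject]@{
        AzureAdJoined = $azureAdJoined
        DomainJoined  = $domainJoined
        TenantName    = $fields['TenantName']
        JoinState     = $state
    }
}

Get-DeviceJoinState
```

Run it in a normal user session on the device; FIDO2 sign-in on a hybrid device only applies when JoinState reports "Hybrid Azure AD joined".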


Then you need to ensure the below (if not already done):

Then you enable the hybrid settings:

  • From your Azure AD Connect server, create the Azure AD Kerberos object using the PowerShell commands below; this creates a disabled user account called krbtgt_AzureAD in the default Users OU.

# Load the AzureAdKerberos module shipped with Azure AD Connect
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADKerberos\AzureAdKerberos.psd1"

$domain = "<your AD domain>"
# Global administrator credentials for the Azure AD tenant
$cloudCred = Get-Credential
# Domain administrator credentials for the on-premises Active Directory domain
$domainCred = Get-Credential
# Create the Azure AD Kerberos server object (krbtgt_AzureAD) in the domain and publish it to Azure AD
Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred


  • You can check that the process completed successfully using the PowerShell command

Get-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred

  • If for some reason you need to remove this object, use the command

Remove-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred

NOTE: if you also use Seamless SSO, you already know you need to rotate the krbtgt encryption keys; the same applies here. Just use the command

Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred -RotateServerKey
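The steps above create, verify and rotate the object by hand. The following health check (an added example, not from the original post or from Microsoft) wraps the verification in one function you can run from the Azure AD Connect server after Set-AzureADKerberosServer and again on a schedule. It assumes the module path and the $domain, $cloudCred and $domainCred variables from the post, that the ActiveDirectory RSAT module is installed, and that Get-AzureADKerberosServer returns the KeyVersion, CloudKeyVersion and KeyUpdatedOn properties shown in Microsoft's documented sample output (treat those names as an assumption if your module version prints different ones). The 30-day rotation window is a local choice, not a Microsoft-mandated value.

```powershell
# Added example (not part of the original post): verify the Azure AD Kerberos server
# object and report conditions that warrant attention.
# Assumptions: AzureAdKerberos module path as in the post; Get-AzureADKerberosServer
# exposes KeyVersion, CloudKeyVersion and KeyUpdatedOn; RSAT ActiveDirectory module present.
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADKerberos\AzureAdKerberos.psd1"
Import-Module ActiveDirectory

function Test-AzureADKerberosServerHealth {
    param(
        [Parameter(Mandatory)] [string]       $Domain,
        [Parameter(Mandatory)] [pscredential] $CloudCredential,
        [Parameter(Mandatory)] [pscredential] $DomainCredential,
        [int] $MaxKeyAgeDays = 30   # local rotation window, not a Microsoft value
    )
    $findings = @()

    $server = Get-AzureADKerberosServer -Domain $Domain -CloudCredential $CloudCredential -DomainCredential $DomainCredential
    if (-not $server) {
        return [pscustomobject]@{
            Healthy  = $false
            Findings = @('No Azure AD Kerberos server object returned; run Set-AzureADKerberosServer first.')
            Server   = $null
        }
    }

    # The on-premises copy and the copy published to Azure AD should carry the same key version.
    if ($server.KeyVersion -ne $server.CloudKeyVersion) {
        $findings += "Key version mismatch: on-prem $($server.KeyVersion) vs cloud $($server.CloudKeyVersion)."
    }

    # Flag a server key older than the chosen rotation window.
    $keyAge = (Get-Date) - [datetime]$server.KeyUpdatedOn
    if ($keyAge.TotalDays -gt $MaxKeyAgeDays) {
        $findings += "Server key is $([int]$keyAge.TotalDays) days old; rotate it with Set-AzureADKerberosServer ... -RotateServerKey."
    }

    # The backing AD account must exist and stay disabled; it is never meant for interactive logon.
    $account = Get-ADUser -Filter "SamAccountName -eq 'krbtgt_AzureAD'" -Credential $DomainCredential -Properties Enabled
    if (-not $account) {
        $findings += 'krbtgt_AzureAD account not found in Active Directory.'
    } elseif ($account.Enabled) {
        $findings += 'krbtgt_AzureAD is enabled; it is expected to remain disabled.'
    }

    [pscustomobject]@{
        Healthy  = ($findings.Count -eq 0)
        Findings = $findings
        Server   = $server
    }
}

# Usage, reusing the variables defined earlier in the post
Test-AzureADKerberosServerHealth -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred
```

A non-empty Findings list is the signal to act: a version mismatch or a missing object means the publish step did not complete, an enabled krbtgt_AzureAD account is a configuration change worth investigating, and an old key is simply due for the rotation command shown above.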

KNOWN LIMITATION/ISSUE

If your password has expired, FIDO2 authentication fails. You need to update your password to make it work again.

That's it folks, you have enabled FIDO2 authentication for your Active Directory domain joined Windows 10 devices.

Benoit Hamet

Benoit is working on Microsoft collaborative technologies. He has been awarded as MVP for more than 12 years, currently MVP on Office 365 after being awarded on SharePoint (2011-2012) and Windows client & server (2002-2007). Speaker at various Microsoft events (TechDays, TechNet seminars) and Quest Software. He works on on-premises (Active Directory, RADIUS/NPS, Exchange, Skype for Business, SharePoint, SQL, Terminal Server, Windows client and Windows Server) and online (Azure, Intune, Office 365, Exchange Online, SharePoint Online, Skype for Business Online, Teams) technologies.