Passwordless Authentication with FIDO2 Security Key for Remote Desktop Connection

Passwordless Authentication with FIDO2 Security Key for Remote Desktop Connection

Hello Everyone, in this blog, we will explore how to use a FIDO2 security key to access a device using Remote Desktop Connection (RDP)—a Zero Trust approach where passwordless authentication is enforced.

Recently, a customer asked me whether they could secure their device and enforce passwordless authentication for RDP access. While some FIDO2 security keys can also be used as smart cards with Certificate-Based Authentication (CBA), I will cover that topic in my next blog.

In this post, let's focus on how we can use Windows 10/11, the RDPAAD (Remote Desktop Protocol Azure AD Protocol), and WebAuthn to connect to Entra ID-joined or Hybrid-joined devices using a FIDO2 security key.

If a user has never used or registered a FIDO2 security key, they should register it by visiting My Sign-Ins, clicking on Security Info, and selecting Add sign-in method.

 

 

Once the FIDO2 security key is registered, complete the sign-in process and ensure the user can successfully authenticate to web applications using the security key.

 

Configuring RDP for Entra ID-Joined Devices:

For Entra ID-joined devices, follow these steps to enable RDP access using a FIDO2 security key:

1. Ensure the user is a member of the local Remote Desktop Users group on the remote device.

o   Open PowerShell as Administrator and load the Microsoft Graph PowerShell module to connect to Entra ID (if needed).

o   Run the following command to add the user to the Remote Desktop Users group:

o   net localgroup "Remote Desktop Users" /add "AzureAD\user200@farooquetech.in"

 

 

We can validate the configuration by opening Computer Management and checking the Local Users and Groups settings:

1. Open Computer Management (compmgmt.msc).
2. Navigate to Local Users and Groups → Groups.
3. Locate and open the Remote Desktop Users group.
4. Check if the Entra ID user we added appears in the list.

This confirms that the user has been successfully added and can sign-in to remote machine using RDP.

 

 

At this point, we can open Remote Desktop Connection (mstsc.exe) and attempt to connect to the remote device.

1. Open Remote Desktop Connection (mstsc.exe).
2. Click on the Advanced tab.
3. Under User Authentication, ensure we select "Use a web account to sign in to the remote computer."

This ensures that the RDP session leverages passwordless authentication with FIDO2 and WebAuthn for secure access.

 

 

1. Enter the NetBIOS name of the remote computer in Remote Desktop Connection (mstsc.exe) and click Connect.
2. On the sign-in page, enter the Entra ID account for which FIDO2 Security Key authentication is enabled.
3. When prompted to choose a passwordless authentication method, select Security Key.
4. Insert your FIDO2 security key, follow the prompts, and complete the authentication process.

This ensures a secure, passwordless RDP connection to the remote device.

 

 

 

Put the PIN and also touch your finger on Security Key to complete authentication.

 

 

 

 

A consent is prompt to allow RDP Connection, select Yes.

 

 

Post Authentication, we will see the desktop successfully loads.

 

 

 

Remote Desktop Connection Access to Hybrid Entra ID-Joined Devices:

Now, let's discuss how to establish RDP access for Hybrid Entra ID-joined devices.

The process for Hybrid-joined devices differs slightly because these devices are joined to both Active Directory (AD) and Entra ID. This means authentication must be validated in both directories.

To achieve this, we need to register an Active Directory Read-Only Domain Controller (RODC) object in Entra ID. This RODC object helps issue a partial Kerberos Ticket Granting Ticket (TGT) to the user after authentication with Entra ID.

Note: This RODC object is not linked to any on-premises AD domain controller—it is simply an empty object in Entra ID used to enable Kerberos authentication.

Enabling Entra ID Kerberos Authentication:

To enable Entra ID Kerberos authentication, follow these steps:

1. Open PowerShell as Administrator.
2. Install the AzureADKerberos module (if not already installed):
3. Execute below powershell commands
4. Import-module “Import-module "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADKerberos\AzureAdKerberos.psd1"
5. $domain = $env:USERDNSDOMAIN
6. $userPrincipalName = admin@mngenvmcapXXX.onmicrosoft.com
7. $domainCred = Get-Credential (Enter the Active Directory credentials)

 

 

 

 

4. Once the command executes successfully, we can verify that the AzureADKerberos account has been created in Active Directory.

 

 

5. Open Active Directory Users and Computer and under Domain Controller, check AzureADKerberos RODC object is created.

 

 

This completes the AzureADKerberos configuration, enabling the use of FIDO2 Security Keys for authentication. Now, to establish an RDP connection, follow the same steps outlined earlier for Entra ID-joined devices.

 

Enforcing Phishing-Resistant Passwordless Authentication for RDP:

To ensure that Remote Desktop Protocol (RDP) always uses phishing-resistant passwordless authentication, we can enforce this through Conditional Access Policies in Entra ID.

1. Sign in to the Entra ID portal.
2. Go to Security → Conditional Access and create a new policy.
3. Under Assignments, select the users or groups that require secure RDP access.

 

 

4. In the Cloud apps or actions section, select “Microsoft Remote Desktop” with Application ID “a4a365df-50f1-4397-bc59-1a1564b8bb9c”.
5. Under Grant Controls, choose Require authentication strength.

 

 

6. Select Phishing-resistant authentication, which includes FIDO2 Security Keys
7. Save and enable the policy.

 

Note: For Hybrid Entra Joined machine, please ensure we do not use domain admin or any other AD high privileged account to logon else partial TGT will not be issued by Entra ID.

I hope you found this blog helpful! In my next blog, I will cover how FIDO2 Security Keys can also be used for on-premises Active Directory domain-joined servers. Stay tuned!