scout249 Thank you for your interest.
Those are some really good questions and I will try to answer them as much as I can. Please find the responses inline below.
Do user accounts still require a password?
[a] - As of now there is no way to remove or delete passwords for user accounts, but there is no requirement to use a password for FIDO2 sign-ins.
Can we deploy the setting without Intune, using GPO only?
[a] - Yes, you can enable the setting through GPO alone as well. Details are here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key-windows#enable-with-group-policy
What is the minimum subscription that we need? Is free Azure AD supported?
[a] - There is no specific subscription required for FIDO2 support, but we do require MFA before you can add security keys as a passwordless method or before users can provision their keys.
Which sign-in methods on Azure AD are supported and not supported: ADFS, Password Hash Synchronization or Pass-through Authentication?
[a] - It does not work with any of those as of now.
Is there any impact when users change their password?
[a] - No, this is a separate authentication method.
What is the difference between password login and FIDO login? Does the user still obtain a Kerberos ticket?
[a] - Yes, they do. Details are in the responses below.
How do we determine whether a domain controller supports FIDO login? Is there any PowerShell to query the number of servers that support FIDO login?
[a] - To check whether you can see a server that is running the feature, check the output of: nltest /dsgetdc:redmond /keylist /kdc
Can you explain the login flow using FIDO, where the client authenticates with Azure AD and passes the token to the Win2016 server?
[a] - The details of the authentication flow are available here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises
What event log should we look for on Windows Server to determine that a computer or user logged in via FIDO?
[a] - I will get back to you with this detail.
Can a client log in with FIDO while it is temporarily offline, using the cache?
[a] - Yes, although it requires an internet connection and line of sight to the DC for the first login (bootstrapping).
A FIDO U2F device relies on a public/private key pair; do they expire and need to be renewed?
[a] - I am not sure about this and will have to check.
Hope this helps.
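The reply above points at two checks an administrator would want to script rather than run by hand: whether the "Turn on security key sign-in" policy is actually applied on a client, and whether a domain controller that supports the feature is reachable (the nltest /dsgetdc ... /keylist /kdc command quoted in the answer). The PowerShell below is an added example, not code from the original reply or from Microsoft's documentation. The nltest switches are the ones quoted in the reply; the registry path and value name (HKLM\SOFTWARE\Microsoft\Policies\PassportForWork\SecurityKey, UseSecurityKeyForSignin = 1) are an assumption about where the GPO/Intune policy lands and should be confirmed against your own policy output, as is the "DC: \\name" line format that the script parses from nltest.

```powershell
# Added example (not from the original reply): report whether this client is
# configured for FIDO2 security key sign-in and whether a key-list capable DC
# is reachable. Registry location and nltest output format are assumptions.

param(
    # Assumption: the DNS domain of the logged-on user is the domain to query.
    [string]$Domain = $env:USERDNSDOMAIN
)

function Test-SecurityKeySigninPolicy {
    # Assumed registry location written by the "Turn on security key sign-in"
    # GPO / Intune setting; a DWORD value of 1 means enabled.
    $path = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork\SecurityKey'
    $name = 'UseSecurityKeyForSignin'
    $value = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    return [bool]($value -eq 1)
}

function Get-KeyListCapableDc {
    param([string]$Domain)
    # /keylist asks the locator for a DC that can service Kerberos key list
    # requests (what FIDO2 sign-in to on-premises resources relies on);
    # /kdc restricts the search to DCs running the KDC service.
    $output = & nltest.exe "/dsgetdc:$Domain" /keylist /kdc 2>&1
    if ($LASTEXITCODE -ne 0) {
        return $null
    }
    # Assumption: on success nltest prints a line such as "DC: \\DC01.contoso.com".
    $dcLine = $output | Where-Object { $_ -match '^\s*DC:\s*\\\\\S+' } | Select-Object -First 1
    if ($dcLine -and $dcLine -match '\\\\(\S+)') {
        return $Matches[1]
    }
    return $null
}

$policyOn = Test-SecurityKeySigninPolicy
$dc = Get-KeyListCapableDc -Domain $Domain

Write-Output ("Security key sign-in policy enabled on this client: {0}" -f $policyOn)
if ($dc) {
    Write-Output "Key-list capable domain controller returned for $Domain : $dc"
} else {
    Write-Output "No domain controller supporting key list requests was returned for $Domain."
    Write-Output "FIDO2 sign-in to on-premises resources needs such a DC reachable from this client (see the reply above)."
}
```

Run it as an administrator on a domain-joined client; a machine that has the policy but no reachable supporting DC will still fail the first (bootstrapping) sign-in described in the reply, so both checks need to pass before rolling keys out.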