Microsoft Government CMMC AMA
Event ended
Tuesday, Apr 12, 2022, 10:30 AM PDT
Event details
We want to hear from our customers and answer their questions around how we can help them achieve CMMC compliance with your Microsoft Azure and Microsoft 365 subscriptions. We will be hosting an "Ask...
Sarah_Gilbert
Updated Apr 12, 2022
RichardWakeman
Microsoft
Apr 12, 2022
Howdy Seamus, for Windows login, we do recommend WHfB paired with FIDO2 for unphishable MFA. We have a great roadmap to extend to derived credentials and a managed Authenticator app. Once you establish the hybrid identity / cloud identity with Azure AD, you can support SSO into legacy authn methods like LDAP, Kerberos, NTLM, etc. via proxies. Our first party solution includes the Azure App Proxy. Our partners also offer solutions such as F5, Cisco, etc. As for enforcing the WHfB using a specific authn method, you may control that with GPOs and with MEM (Intune) with local policies. Many of our customers choose to lay down a STIG for Windows & Office to help with hardening the endpoint as well, so it may be used as a compliant device in Azure AD Conditional Access Policies. Lots to unfold here, but should steer you in the right direction.
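The answer above combines two controls: phishing-resistant credentials (WHfB or FIDO2) for the user and a compliant, STIG-hardened device for the endpoint, both enforced through Azure AD Conditional Access. The following is an added example, not code from the AMA or from Microsoft, showing how those two requirements can be expressed as one Conditional Access policy with the Microsoft Graph PowerShell SDK. It assumes the SDK is installed, the signed-in account holds the Policy.ReadWrite.ConditionalAccess permission, the tenant has the authentication strength grant control (which became available after this AMA), and that the break-glass group ID is a placeholder you replace. The policy is created in report-only mode so sign-in logs can be reviewed before it is enforced.

```powershell
# Added example (not from the AMA thread): create a report-only Conditional Access
# policy that requires phishing-resistant MFA (WHfB / FIDO2) AND a compliant device.
# Assumptions: Microsoft.Graph PowerShell SDK installed; signed-in account holds
# Policy.ReadWrite.ConditionalAccess; the exclusion group ID is a placeholder.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of your break-glass / emergency-access group.
$breakGlassGroupId = "<BREAK-GLASS-GROUP-OBJECT-ID>"

# Built-in "Phishing-resistant MFA" authentication strength
# (covers Windows Hello for Business, FIDO2 security keys, certificate-based auth).
$phishingResistantStrengthId = "00000000-0000-0000-0000-000000000004"

$policy = @{
    displayName = "CMMC - Phishing-resistant MFA + compliant device (report-only)"
    # Report-only: evaluate impact in sign-in logs before switching to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # AND: the user must satisfy the authentication strength AND the device
        # must be marked compliant by Intune (e.g. after the STIG baseline applies).
        operator               = "AND"
        builtInControls        = @("compliantDevice")
        authenticationStrength = @{ id = $phishingResistantStrengthId }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"

# Read the policy back and confirm both grant controls were stored as intended.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
Write-Output "Built-in controls:        $($check.GrantControls.BuiltInControls -join ', ')"
Write-Output "Authentication strength:  $($check.GrantControls.AuthenticationStrength.Id)"
```

Requiring an authentication strength rather than plain "mfa" is what addresses the concern raised in the question: a password plus a phishable second factor would not satisfy the policy, whereas a WHfB or FIDO2 sign-in does. Leave the policy in report-only mode until the "Report-only" column in the sign-in logs shows no unexpected failures for real users.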
Smccartin
Copper Contributor
Apr 12, 2022
Thank you for pointing me to the STIGs. I've been meaning to take a look in that direction. Currently we are just using the Windows 365 sec baseline in Intune. SSO is also on our radar as something we want to implement, which is why we are focusing on ensuring the strong token generated by the Windows login/WHfB is actually generated from a 2FA authentication and not relying on the device's TPM as an authentication factor (we feel that MFA should authenticate the user, not the device).
--
We have experimented with the GPO/Intune method. Unfortunately, this does not solve any of the problems I noted. It currently only includes PIN, fingerprints, facial recognition and trusted signals as options in the GPO. Is Microsoft planning on adding the other methods to these options, such as FIDO keys? Ideally it would be useful to split the policy into two groups: one group of providers that count as a single factor and a second group for providers like FIDO/certificate, which are inherently 2FA.