Forum Discussion
Cloud Trust and AD prerequisites
We have hybrid environment and I am planning to use password less authentication. All our domain controllers are on OS 2019, however, the forest/domain functional level is 2012R2. I am not clear on the requirement as it relates to the OS or to the forest/domain schema and hope you can clarify.
4 Replies
Passwordless requires at least Windows Server 2016:
Active Directory Domain Services functional levels | Microsoft Learn
- LainRobertson (Silver Contributor)
It relates to the operating system, and from the following article, the phrase "can run any supported version of Windows Server", hence why Server 2016 and 2019 are mentioned (though 2016 will exit soon enough).
It has nothing to do with the domain or forest functional levels.
Cheers,
Lain
- ZackOfAllTrade (Copper Contributor)
LainRobertson, thanks for your reply. The URL you referenced is related to Entra Password Protection, which is already installed and working in our environment. My question was related to the Cloud Trust for Passwordless method as you see in this URL: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/#windows-server-requirements. Thanks again for your time.
- LainRobertson (Silver Contributor)
That table is referring solely to the operating system version, however, despite the new name (I've never heard of "Cloud Trust" before now), it reads identically to the Azure AD Kerberos trust authentication we set up back in late 2022. We use it for Azure SQL MI to get last-mile Windows-based resources onto Azure resources that only support Windows authentication, but the same mechanic is also used by Intune (and probably other things I'm unfamiliar with).
Cloud Kerberos guide:
Azure AD Kerberos incoming trust (from the Azure SQL MI documentation):
- How to set up Windows Authentication for Azure SQL Managed Instance using Microsoft Entra ID and Kerberos - Azure SQL Managed Instance | Microsoft Learn
- How to set up Windows Authentication for Microsoft Entra ID with the incoming trust-based flow - Azure SQL Managed Instance | Microsoft Learn
The reason I've linked the latter is that it mentions having a minimum domain functional level of 2012, where the former article does not.
Given you're already on a higher domain functional level, there won't be any issues. The reason you see consistent references to Server 2016 and later is for the same reason I mentioned above, which is that they're still under mainstream or extended support.
Cheers,
Lain
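The thread turns on two separate facts: the operating system running on each domain controller (what the cloud Kerberos trust requirement is about) and the forest/domain functional levels (what it is not about). The script below is an added example, not code posted by anyone in this thread or by Microsoft; it reports both so you can confirm where your environment stands before enabling the trust. It assumes the ActiveDirectory RSAT module is installed and that the session has read access to the domain. The check for the `AzureADKerberos` computer object in the Domain Controllers OU is the object the Azure AD Kerberos trust setup creates; treat the object name as an assumption and verify it against your own deployment.

```powershell
# Added example (not from the thread): report DC operating systems and functional levels,
# then flag any DC below the Windows Server 2016 minimum discussed above.
# Assumes the ActiveDirectory module (RSAT) is available and the caller can read AD.
Import-Module ActiveDirectory

# Windows Server 2016 is build 10.0.14393; Server 2019 is 10.0.17763. Constructed constant.
$MinimumDcBuild = [version]'10.0.14393'

function Get-DcOsInventory {
    # OperatingSystemVersion is stored as e.g. "10.0 (17763)"; normalise it to "10.0.17763"
    Get-ADDomainController -Filter * | ForEach-Object {
        $normalised = $_.OperatingSystemVersion -replace '\s*\((\d+)\)$', '.$1'
        $build = [version]$normalised
        [PSCustomObject]@{
            HostName        = $_.HostName
            OperatingSystem = $_.OperatingSystem
            Build           = $build
            MeetsMinimum    = ($build -ge $MinimumDcBuild)
        }
    } | Sort-Object HostName
}

function Get-FunctionalLevelSummary {
    # Functional levels are reported separately so the two concerns are not conflated
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [PSCustomObject]@{
        Forest                = $forest.Name
        ForestFunctionalLevel = $forest.ForestMode
        Domain                = $domain.DNSRoot
        DomainFunctionalLevel = $domain.DomainMode
    }
}

function Test-AzureAdKerberosObject {
    # Assumption: the cloud Kerberos trust setup creates a computer object named
    # AzureADKerberos in the Domain Controllers OU. Returns $true if it is present.
    $obj = Get-ADComputer -Filter "Name -eq 'AzureADKerberos'" -ErrorAction SilentlyContinue
    return ($null -ne $obj)
}

# --- Run the checks and print a short report ---
$inventory = Get-DcOsInventory
$inventory | Format-Table -AutoSize

$levels = Get-FunctionalLevelSummary
$levels | Format-List

$belowMinimum = $inventory | Where-Object { -not $_.MeetsMinimum }
if ($belowMinimum) {
    Write-Warning ("DCs below Windows Server 2016: " + ($belowMinimum.HostName -join ', '))
} else {
    Write-Host "All domain controllers meet the Windows Server 2016 minimum."
}

if (Test-AzureAdKerberosObject) {
    Write-Host "AzureADKerberos object found: cloud Kerberos trust appears to be configured."
} else {
    Write-Host "AzureADKerberos object not found: cloud Kerberos trust has not been set up in this domain."
}
```

Run it from a workstation with RSAT as a user who can read the Domain Controllers OU. A forest or domain functional level of 2012R2 will show up in the second block and, as the thread concludes, is not by itself a blocker; only the first block (OS build per DC) determines whether the Windows Server requirement is met.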