Passwordless sign on to hybrid AAD joined computer not working

Super Contributor

I've been trying to set up passwordless authentication to log into hybrid AADJ computers using a security key.  I've followed the documentation on how to set it up, but can't seem to get it working.  

I have a security key set up successfully as an authentication type in AzureAD, and can sign into Azure AD joined devices without issue.  I just can't seem to get it to work for logging in to Hybrid AADJ computers.  When I try to log on with a security key, I get an error:
Your credentials couldn't be verified (code: 0xc000006d,0x0)


Looking up that error code, it means "The cause is either a bad username or authentication information" 


I've also looked in the event logs under webauthn logs, and I see the failed Ctap GetAssertion steps, with the error "0x52E The username or password is incorrect." which seems roughly equivilant to the error above.  I don't know where to go from here though, I haven't found any particularly in depth troubleshooting on the process.  Any suggestions would be welcome. 



4 Replies
best response confirmed by Steve Whitcher (Super Contributor)
Circling back to share the solution - the account I was testing with was indirectly a member of a protected AD group. Members of protected groups are, by default, not allowed to use security key sign-on. After removing that membership, the security key sign-on works as expected.
I was going down a hole trying to figure this out too! There was nothing in the event logs either. Thank you, I can confirm this is what was causing my issue with this error under my account. I was being lazy and not using a test account/general user and made more work for myself in the end :-).
You saved my day!