Expanding Azure Active Directory support for FIDO2 preview to hybrid environments
Published Nov 05 2019 05:30 AM
Microsoft

Update 05.06.2020: For an update on the scenarios discussed in this post, see Alex Simons' February 2020 post, Public preview of Azure AD support for FIDO2 security keys in hybrid environments.


We’re expanding the public preview of FIDO2 security key support in Azure Active Directory (Azure AD) to hybrid environments, enabling even more customers to take an important step in their journey towards passwordless environments.

Industry research has shown that the majority of cyberattacks and breaches leverage compromised usernames and passwords. Microsoft has been on a journey to eliminate the use of passwords by introducing strong, secure, and easy-to-use alternative credentials like FIDO2 security keys. These credentials provide stronger authentication than passwords as they leverage asymmetric public key cryptography, are not reusable, and are resistant to phishing attacks.

Just a few months back, we announced the public preview for enterprise customers that have cloud-only environments, enabling sign-in to Windows 10 devices using FIDO2 security keys and getting single sign-on (SSO) to cloud resources. A lot of customers eagerly tried it out and gave a great deal of feedback, but one piece of feedback stood out: the need for FIDO2 support in hybrid environments.

Today, we’re thrilled to share that, early next year, enterprises with hybrid environments can enable passwordless authentication using FIDO2 security keys for Azure Active Directory-Joined (Azure AD Joined) and Hybrid Azure AD-Joined Windows 10 devices and get an SSO experience for their cloud and on-premises resources!


The expansion of Azure AD support for FIDO2 to hybrid environments has been a huge collaboration effort across various teams within Microsoft and we’re proud to be delivering milestones like this that leap forward in our quest to make the passwordless world a reality. The preview of this new capability will be available in early 2020 and we will update this blog with instructions on how to get started, so watch this space.

This is part of a company-wide effort to eliminate passwords. For example, with the FIDO2 certification of Windows Hello, Microsoft is putting the 900 million people who use Windows 10 one step closer to a world without passwords. And, as announced at Microsoft Ignite, new updates in Azure Active Directory include innovations that directly empower customers in their evolution towards more secure, passwordless environments.

For resources on the benefits of passwordless, as well as solutions and strategies to help you in your own journey, visit aka.ms/gopasswordless.

15 Comments
Iron Contributor

Excellent news, really looking forward to trying this out as soon as possible! :)

Iron Contributor

This is wonderful news :) Cannot wait until this becomes available in our tenant. On to a passwordless world!

Brass Contributor

Will this require Hybrid Windows Hello for Business?

Copper Contributor
Will this be in Windows 10 20H1? How can I try this?
Copper Contributor

Are there any plans to support FIDO U2F? Asking because Google and others do it and from a key perspective (Let's take into consideration the Yubikey FIPS series which work completely offline), for Microsoft, it needs an authenticator app but not for other platforms like Google/Facebook which seems to be a bummer. The available options then become to install these separate applications (very difficult in secure facilities) or upgrade all the keys to ones which support FIDO2.

Brass Contributor

@Aabha Thipsay can you please let us know what's the timeline for this to be in preview. We are eagerly waiting to test this. Our devices are Hybrid AADj

Copper Contributor

I was also hoping to get an update on this timeline. Lots of interest in working with FIDO2 but most of the folks in my area have hybrid joined devices.

Thanks @Aabha Thipsay for this post. I keep checking this blog post hoping for an update. Any chance you could give us a bit of an idea for the roadmap?

 

Copper Contributor

Have we got a firmer date on when this is likely to land, as we're very interested in the hybrid device joined support? Are there any private pilot programs we can join for this?

Have customer very interested in testing this out. Timeline update for private preview yet?

Iron Contributor

It’s a shame to see no interaction from MS staff on this. I’ve however seen comment on Twitter that it’s basically feature complete now, and waiting on Windows 20H1, so I guess that must mean an April release is planned.

Microsoft

FIDO2 support for Hybrid Environments is now available in Public Preview. For more details, visit https://techcommunity.microsoft.com/t5/azure-active-directory-identity/public-preview-of-azure-ad-su...

Microsoft

@Steve Prentice Apologies for the delay in response on this thread. We are in public preview for this feature now https://techcommunity.microsoft.com/t5/azure-active-directory-identity/public-preview-of-azure-ad-su... 

Copper Contributor

When does Microsoft expect passwordless sign-in with security key to go GA? 

In my tests it worked really well. But we need the NFC/USB keys to work with iOS, Android and macOS. Right now it's not possible to require the user to use a security key, that would be awesome! 

Have customer testing with Windows devices today and would like to know if the roadmap has a timeline for mobile and Linux devices?

 

Brass Contributor

I second @Matt DeDobbelaere's question. My organisation is deploying FIDO2 hardware keys, but we need mobile (Android and iOS) support. Would be very appreciative of any timeline on this.

Last update: May 06 2020 03:38 PM