Passwordless Authentication with FIDO2 Security Key for Remote Desktop Connection
Passwordless Authentication with FIDO2 Security Key for Remote Desktop Connection Hello Everyone, in this blog, we will explore how to use a FIDO2 security key to access a device using Remote Desktop Connection (RDP)—a Zero Trust approach where passwordless authentication is enforced. Recently, a customer asked me whether they could secure their device and enforce passwordless authentication for RDP access. While some FIDO2 security keys can also be used as smart cards with Certificate-Based Authentication (CBA), I will cover that topic in my next blog. In this post, let's focus on how we can use Windows 10/11, the RDPAAD (Remote Desktop Protocol Azure AD Protocol), and WebAuthn to connect to Entra ID-joined or Hybrid-joined devices using a FIDO2 security key. If a user has never used or registered a FIDO2 security key, they should register it by visiting My Sign-Ins, clicking on Security Info, and selecting Add sign-in method. Once the FIDO2 security key is registered, complete the sign-in process and ensure the user can successfully authenticate to web applications using the security key. Configuring RDP for Entra ID-Joined Devices: For Entra ID-joined devices, follow these steps to enable RDP access using a FIDO2 security key: Ensure the user is a member of the local Remote Desktop Users group on the remote device. o Open PowerShell as Administrator and load the Microsoft Graph PowerShell module to connect to Entra ID (if needed). o Run the following command to add the user to the Remote Desktop Users group: o net localgroup "Remote Desktop Users" /add "AzureAD\user200@farooquetech.in" We can validate the configuration by opening Computer Management and checking the Local Users and Groups settings: Open Computer Management (compmgmt.msc). Navigate to Local Users and Groups → Groups. Locate and open the Remote Desktop Users group. Check if the Entra ID user we added appears in the list. This confirms that the user has been successfully added and can sign-in to remote machine using RDP. At this point, we can open Remote Desktop Connection (mstsc.exe) and attempt to connect to the remote device. Open Remote Desktop Connection (mstsc.exe). Click on the Advanced tab. Under User Authentication, ensure we select "Use a web account to sign in to the remote computer." This ensures that the RDP session leverages passwordless authentication with FIDO2 and WebAuthn for secure access. Enter the NetBIOS name of the remote computer in Remote Desktop Connection (mstsc.exe) and click Connect. On the sign-in page, enter the Entra ID account for which FIDO2 Security Key authentication is enabled. When prompted to choose a passwordless authentication method, select Security Key. Insert your FIDO2 security key, follow the prompts, and complete the authentication process. This ensures a secure, passwordless RDP connection to the remote device. Put the PIN and also touch your finger on Security Key to complete authentication. A consent is prompt to allow RDP Connection, select Yes. Post Authentication, we will see the desktop successfully loads. Remote Desktop Connection Access to Hybrid Entra ID-Joined Devices: Now, let's discuss how to establish RDP access for Hybrid Entra ID-joined devices. The process for Hybrid-joined devices differs slightly because these devices are joined to both Active Directory (AD) and Entra ID. This means authentication must be validated in both directories. To achieve this, we need to register an Active Directory Read-Only Domain Controller (RODC) object in Entra ID. This RODC object helps issue a partial Kerberos Ticket Granting Ticket (TGT) to the user after authentication with Entra ID. Note: This RODC object is not linked to any on-premises AD domain controller—it is simply an empty object in Entra ID used to enable Kerberos authentication. Enabling Entra ID Kerberos Authentication: To enable Entra ID Kerberos authentication, follow these steps: Open PowerShell as Administrator. Install the AzureADKerberos module (if not already installed): Execute below powershell commands Import-module “Import-module "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADKerberos\AzureAdKerberos.psd1" $domain = $env:USERDNSDOMAIN $userPrincipalName = admin@mngenvmcapXXX.onmicrosoft.com $domainCred = Get-Credential (Enter the Active Directory credentials) Once the command executes successfully, we can verify that the AzureADKerberos account has been created in Active Directory. Open Active Directory Users and Computer and under Domain Controller, check AzureADKerberos RODC object is created. This completes the AzureADKerberos configuration, enabling the use of FIDO2 Security Keys for authentication. Now, to establish an RDP connection, follow the same steps outlined earlier for Entra ID-joined devices. Enforcing Phishing-Resistant Passwordless Authentication for RDP: To ensure that Remote Desktop Protocol (RDP) always uses phishing-resistant passwordless authentication, we can enforce this through Conditional Access Policies in Entra ID. Sign in to the Entra ID portal. Go to Security → Conditional Access and create a new policy. Under Assignments, select the users or groups that require secure RDP access. In the Cloud apps or actions section, select “Microsoft Remote Desktop” with Application ID “a4a365df-50f1-4397-bc59-1a1564b8bb9c”. Under Grant Controls, choose Require authentication strength. Select Phishing-resistant authentication, which includes FIDO2 Security Keys Save and enable the policy. Note: For Hybrid Entra Joined machine, please ensure we do not use domain admin or any other AD high privileged account to logon else partial TGT will not be issued by Entra ID. I hope you found this blog helpful! In my next blog, I will cover how FIDO2 Security Keys can also be used for on-premises Active Directory domain-joined servers. Stay tuned!New innovations in Microsoft Entra to strengthen AI security and identity protection
AI is changing security, and Microsoft is helping you stay ahead. Discover how we’re helping you manage identity risks, optimize policies, and secure AI applications with Microsoft Entra and Security Copilot—so you can move forward with confidence.Seamless and Secure Access to Digital Healthcare Records with Microsoft Entra Suite
Healthcare professionals who dedicate their skills to saving lives must also manage operational and safety challenges inherent to their roles. If you’re in charge of cybersecurity for a healthcare organization, you’re intimately familiar with the need to comply with government healthcare regulations that, for example, require securing access to systems that house patient health information (PHI), are used for overseeing controlled substances, or are necessary to enable the secure consumption of AI. Every year, hundreds of U.S. healthcare institutions fall victim to ransomware attacks, resulting in network closures and critical systems going offline, not to mention delayed medical operations and appointments.[i] Sensitive healthcare systems are very attractive targets for cyberattacks and internal misuse. Many cybercriminals gain initial access by compromising identities. Thus, the first line of defense against bad actors, whether internal or external, is to protect identities and to closely govern access permissions based on Zero Trust principles: Verify explicitly. Confirm that the individual signing into a system used to electronically prescribe controlled substances is actually the care provider they say they are. Use least privilege access. Limit a care giver’s access to systems they need to use for their job Assume breach. Discover unauthorized access and block it before an adversary can deploy ransomware. This blog is the first in a series of how Microsoft Entra Suite and the power of cloud-based security tools can protect access to sensitive healthcare assets while improving the user experience for care teams and staff. On-premises healthcare applications and cloud-based security Some of the most widely adopted healthcare applications, such as electronic health records (EHRs), began decades ago as on-premises solutions that used LDAP (Lightweight Directory Access Protocol) and Active Directory to authenticate users. As enterprises shifted from on-premises networks protected by firewalls at the network perimeter to hybrid environments that enabled “anytime, anywhere access,” these solutions became vulnerable to attackers who gained unauthorized access to hospital networks via the Internet. Cloud-based security tools introduced advantages such as centralized visibility and control, continuous monitoring, automated threat detection and response, and advanced threat intelligence based on trillions of security signals. Many existing healthcare applications, however, didn’t support the new protocols necessary to take advantage of all these benefits. Over the past several years, Microsoft has worked closely with software vendors to integrate their applications with our comprehensive identity security platform, Entra ID—which is built on modern open security standards. As a result, many healthcare applications, including the most widely deployed EHR systems, can now benefit from the advanced security capabilities available through Microsoft Entra Suite, including single sign-on (SSO), multifactor authentication (MFA), Conditional Access, Identity Protection, and Network Protection. Securing access to healthcare applications with Microsoft Entra Suite Healthcare organizations can standardize on Microsoft Entra to enable single sign-on (SSO) to their most commonly used Healthcare applications and resources, including the most widely used EHR vendors, whether they’re on-premises or in clouds from Microsoft, Amazon, Google, or Oracle. Care teams, who may use dozens of different applications during their workday, benefit from seamless and secure access to all their resources with Microsoft’s built-in advanced identity and network security controls. Not only does Microsoft Entra offer a holistic view of all users and their access permissions, but it also employs a centralized access policy engine, called Conditional Access, that combines trillions of signals from multiple sources, including identities and devices, to detect anomalous user behavior, assess risk, and make real-time access and data protection decisions that adhere to regulatory mandates and Zero Trust principles. In simple terms, this enables controls that verify who a user is and what device they are using – including when using kiosks, remote, or many-to-one workstations - to decide if it is safe to enable access. This ability to support modern authentication successfully maps the clinicians to their cloud identity and in turn, unlocks powerful user-based models for data protection with Microsoft Purview. With Microsoft Entra, healthcare organizations can enforce MFA at the application level for more granular control. They can strengthen security by requiring phishing-resistant authentication for staff, contractors, and partners, and by evaluating device health before authorizing access to resources. They can even require additional verification steps for IT admins performing sensitive actions. Moreover, Microsoft Entra ID Protection processes a vast array of signals to identify suspicious behaviors that may indicate an identity compromise. It can raise risk levels to trigger risk-based Conditional Access policies that protect users and resources from unauthorized access. For more details about risk detections in Entra ID Protection, visit our documentation. Seamless and secure access for healthcare professionals Integrating applications with Microsoft Entra ID makes it possible for healthcare professionals to work more securely with fewer disruptions when they access medical records and treat patients, even when they’re working offsite, such as at a patient’s home or as part of a mobile medical unit. Microsoft Entra supports the strict protocols for electronic prescribing of controlled substances (EPCS). The EPCS mandate requires that healthcare providers authenticate their identities before they can prescribe controlled substances electronically. This means that each provider must have a unique user identity that can be verified through secure methods such as Multi-Factor Authentication (MFA). This helps prevent unauthorized access and ensures that only authorized individuals can issue prescriptions. The Health Insurance Portability and Accountability Act (HIPAA) also has specific obligations for access and identity to ensure the security and privacy of protected health information (PHI). Microsoft Entra Suite has a variety of controls to help meet these obligations that we will explore in additional blogs. Phishing-resistant authentication methods, which rely on biometrics and hardware tokens, significantly reduce the risk of unauthorized access to sensitive systems and data. These methods, which include passkeys, are practically impossible for cybercriminals to compromise, unlike passwords or SMS-based MFA. By eliminating passwords altogether, healthcare providers can better protect patient data, reduce the risk of violating HIPAA regulations, and prevent cyber and ransomware attacks that could disrupt healthcare operations. You can experience the benefits of Microsoft Entra ID, MFA, Conditional Access, and Entra ID Protection as part of the Microsoft Entra Suite, the industry’s most comprehensive Zero Trust access solution for the workforce. The Microsoft Entra Suite provides everything needed to verify users, prevent overprivileged permissions, improve detections, and enforce granular access controls for all users and resources. Get started with the Microsoft Entra Suite with a free 90-day trial. For additional details, please reach out to your Microsoft Representative. Read more on this topic Electronic Prescriptions for Controlled Substances (EPCS) - Azure Compliance | Microsoft Learn Conditional Access adaptive session lifetime policies - Microsoft Entra ID | Microsoft Learn Overview of Microsoft Entra authentication strength - Microsoft Entra ID | Microsoft Learn Microsoft Entra ID Epic Connector – Edgile Use data connectors to import and archive third-party data in Microsoft 365 | Microsoft Learn Learn more about Microsoft Entra Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds. Microsoft Entra News and Insights | Microsoft Security Blog Microsoft Entra blog | Tech Community Microsoft Entra documentation | Microsoft Learn Microsoft Entra discussions | Microsoft Community [i] Microsoft Corporation. Microsoft Digital Defense Report 2024: The foundations and new frontiers of cybersecurity. p.3. Microsoft, October 2024.Upgrade performance, availability and security with new features in Azure Database for PostgreSQL
At Microsoft Build 2025 the Postgres on Azure team is announcing an exciting set of improvements and features for Azure Database for PostgreSQL. One area we are always focused on is the enterprise. This week we are delighted to announce improvements across the enterprise pillars of Performance, Availability and Security. In addition, we're improving Integration of Postgres workloads with services like ADF and Fabric. Here's a quick tour of the enterprise enhancements to Azure Database for PostgreSQL being announced this week. Performance and scale SSD v2 with HA support - Public Preview The public preview of zone-redundant high availability (HA) support for the Premium SSD v2 storage tier with Azure Database for PostgreSQL flexible server is now available. You can now enable High Availability with zone redundancy using Azure Premium SSD v2 when deploying flexible server, helping you achieve a Recovery Point Objective (RPO) of zero for mission-critical workloads. Premium SSD v2 offers sub-millisecond latency and outstanding performance at a low cost, making it ideal for IO-intensive, enterprise-grade workloads. With this update, you can significantly boost the price-performance of your PostgreSQL deployments on Azure and improve availability with reduced downtime during HA failover. The key benefits of SSD v2 include: Flexible disk sizing from 1 GiB to 64 TiB, with 1-GiB increment support Independent performance configuration: scale up to 80,000 IOPS and 1,200 MBps throughput without needing to provision larger disks To learn more about how to upgrade and best practices, visit: Premium SSDv2 PostgreSQL 17 Major Version Upgrade – Public Preview PostgreSQL version 17 brings a host of performance improvements, including a more efficient VACUUM process, faster sequential scans via streaming IO, and optimized query execution. Now, with the public preview of in-place major version upgrades to PostgreSQL 17 there is an easier path to v17 for your existing flexible server workloads. With this release, you can upgrade from earlier versions (14, 15, or 16) to PostgreSQL 17 without the need to migrate data or change server endpoints, simplifying the upgrade process and minimizing downtime. Azure’s in-place upgrade capability offers a native, low-disruption upgrade path directly from the Azure Portal or CLI. For upgrade steps and best practices, check out our detailed blog post. Availability Long-Term Backup (LTR) for Azure Database for PostgreSQL flexible server - Generally Available Long-term backups are essential for organizations with regulatory, compliance, and audit-driven requirements, especially in industries like finance and healthcare. Certifications such as HIPAA often mandate data retention periods up to 10 years, far exceeding the default 35-day retention limit provided by point-in-time restore (PITR) capabilities. Long-term backup for Azure Database for PostgreSQL flexible server, powered by Azure Backup is now generally available. With this release, you can now benefit from: Policy-driven, one-click enablement of long-term backups Resilient data retention across Azure Storage tiers Consumption-based pricing with no egress charges Support for restoring backups well beyond community-supported PostgreSQL versions This LTR capability uses a logical backup approach based on pg_dump and pg_restore, offering a flexible, open-source format that enhances portability and ensures your data can be restored across a variety of environments including Azure VMs, on-premises, or even other cloud providers. Learn more about long term retention: Backup and restore - Azure Database for PostgreSQL flexible server Azure Databases for PostgreSQL flexible server Resiliency Solution accelerator When it comes to ensuring business continuity, your database infrastructure is the most critical component. In addition to product documentation, it is important to have access to opinionated solution architecture, industry-proven recommended practices, and deployable infra-as-code that you can learn and customize to ensure an automated production-ready resilient infrastructure for your data. The Azure Database for PostgreSQL Resiliency Solution Accelerator is now available, providing a set of deployable architectures to ensure business continuity, minimize downtime, and protect data integrity during planned and unplanned events. In additional to architecture and recommended practices, a customizable Terraform deployment workflow is provided. Learn more: Azure Database for PostgreSQL Resiliency Solution Accelerator Security Automatic Customer Managed Key (CMK) version updates - Generally Available Azure Database for PostgreSQL flexible server data is fully encrypted, supporting both Service Managed and Customer Managed encryption keys (CMK). Automatic version updates for CMK (also known as “versionless keys”) is now generally available. This change simplifies the key lifecycle management by allowing PostgreSQL to automatically adopt new keys without needing manual updates. Combined with Azure Key Vault's auto-rotation feature this significantly reduces the management overhead of encryption key maintenance. Learn more about automatic CMK version updates. Azure confidential computing SKUs for flexible server - Public Preview Azure confidential computing enables secure sensitive and regulated data, preventing unwanted access of data in-use, by cloud providers, administrators, or external users. With the public preview of Azure confidential SKUs for Azure Database for PostgreSQL flexible server you can now select from a range of Confidential Computing VM sizes to run your PostgreSQL workloads in a hardware-based trusted execution environment (TEE). Azure confidential computing encrypts data in TEE, processing data in a verified environment, enabling you to securely process workloads while meeting compliance and regulatory demands. Learn more about confidential computing with the Azure Database for flexible server. Integration Entra Authentication for Azure Data Factory & Azure Synapse - Generally Available In an era of bring-your-own-device and cloud-enabled apps it is increasingly important for enterprises to maintain central control an identity-based security perimeter. With integrated Entra ID support, Azure Database for PostgreSQL flexible server allows you to bring your database workloads within this perimeter. But how do you securely connect to other services? Entra ID authentication is now supported in the Azure Data Factory and Azure Synapse connectors for Azure Database for PostgreSQL. This feature enables seamless, secure connectivity using Service Principal (key or certificate) and both User-Assigned and System-Assigned Managed Identities, streamlining access to your data pipelines and analytics workloads. Learn more about How to Connect from Azure Data Factory and Synapse Analytics to Azure Database for PostgreSQL. Fabric Data Factory – Upsert Method & Script Activity - Generally Available The Microsoft Fabric has become to go-to data analytics platform with services and tools for every data lifecycle state. To improve customization and fine-grained control over processing of PostgreSQL data, the Upsert Method and custom Script Activity are now generally available in Fabric Data Factory when using Azure Database for PostgreSQL as a source or sink. Upsert Method enables intelligent insert-or-update logic for PostgreSQL, making it easier to handle incremental data loads and change data capture (CDC) scenarios without complex workarounds. Script Activity allows you to embed and execute your own SQL scripts directly within pipelines—ideal for advanced transformations, procedural logic, and fine-grained control over data operations. These capabilities offer enhanced flexibility for building robust, enterprise-grade data workflows, simplifying your ETL processes. Connect to VS Code from the Azure Portal - Public Preview With the exciting announcement of a revamped VS Code PostgreSQL extension preview this week, we're adding a new connection option to the Azure Portal to connect to your flexible server with VS Code, creating a more unified and efficient developer experience. Here's why it matters: One Click Connectivity: No manual connection strings or configuration needed. Faster Onboarding: Go from provisioning a database in Azure to exploring and managing it in VS Code within seconds. Integrated Workflow: Manage infrastructure and development from a single, cohesive environment. Productivity: Connect directly from the Portal to leverage VS Code extension features like query editing, result views, and schema browsing. Where to learn more The Build 2025 announcements this week are just the latest in a compelling set of features delivered by the Azure Database for PostgreSQL team and build on our latest set of monthly feature updates (see: April 2025 Recap: Azure Database for PostgreSQL Flexible Server). Follow the Azure Database for PostgreSQL Blog where you'll see many of the latest updates from Build, including What's New with PostgreSQL @Build, and New Generative AI Features in Azure Database for PostgreSQL.
