Passwordless Authentication with FIDO2 Security Key for Remote Desktop Connection
Passwordless Authentication with FIDO2 Security Key for Remote Desktop Connection Hello Everyone, in this blog, we will explore how to use a FIDO2 security key to access a device using Remote Desktop Connection (RDP)—a Zero Trust approach where passwordless authentication is enforced. Recently, a customer asked me whether they could secure their device and enforce passwordless authentication for RDP access. While some FIDO2 security keys can also be used as smart cards with Certificate-Based Authentication (CBA), I will cover that topic in my next blog. In this post, let's focus on how we can use Windows 10/11, the RDPAAD (Remote Desktop Protocol Azure AD Protocol), and WebAuthn to connect to Entra ID-joined or Hybrid-joined devices using a FIDO2 security key. If a user has never used or registered a FIDO2 security key, they should register it by visiting My Sign-Ins, clicking on Security Info, and selecting Add sign-in method. Once the FIDO2 security key is registered, complete the sign-in process and ensure the user can successfully authenticate to web applications using the security key. Configuring RDP for Entra ID-Joined Devices: For Entra ID-joined devices, follow these steps to enable RDP access using a FIDO2 security key: Ensure the user is a member of the local Remote Desktop Users group on the remote device. o Open PowerShell as Administrator and load the Microsoft Graph PowerShell module to connect to Entra ID (if needed). o Run the following command to add the user to the Remote Desktop Users group: o net localgroup "Remote Desktop Users" /add "AzureAD\user200@farooquetech.in" We can validate the configuration by opening Computer Management and checking the Local Users and Groups settings: Open Computer Management (compmgmt.msc). Navigate to Local Users and Groups → Groups. Locate and open the Remote Desktop Users group. Check if the Entra ID user we added appears in the list. This confirms that the user has been successfully added and can sign-in to remote machine using RDP. At this point, we can open Remote Desktop Connection (mstsc.exe) and attempt to connect to the remote device. Open Remote Desktop Connection (mstsc.exe). Click on the Advanced tab. Under User Authentication, ensure we select "Use a web account to sign in to the remote computer." This ensures that the RDP session leverages passwordless authentication with FIDO2 and WebAuthn for secure access. Enter the NetBIOS name of the remote computer in Remote Desktop Connection (mstsc.exe) and click Connect. On the sign-in page, enter the Entra ID account for which FIDO2 Security Key authentication is enabled. When prompted to choose a passwordless authentication method, select Security Key. Insert your FIDO2 security key, follow the prompts, and complete the authentication process. This ensures a secure, passwordless RDP connection to the remote device. Put the PIN and also touch your finger on Security Key to complete authentication. A consent is prompt to allow RDP Connection, select Yes. Post Authentication, we will see the desktop successfully loads. Remote Desktop Connection Access to Hybrid Entra ID-Joined Devices: Now, let's discuss how to establish RDP access for Hybrid Entra ID-joined devices. The process for Hybrid-joined devices differs slightly because these devices are joined to both Active Directory (AD) and Entra ID. This means authentication must be validated in both directories. To achieve this, we need to register an Active Directory Read-Only Domain Controller (RODC) object in Entra ID. This RODC object helps issue a partial Kerberos Ticket Granting Ticket (TGT) to the user after authentication with Entra ID. Note: This RODC object is not linked to any on-premises AD domain controller—it is simply an empty object in Entra ID used to enable Kerberos authentication. Enabling Entra ID Kerberos Authentication: To enable Entra ID Kerberos authentication, follow these steps: Open PowerShell as Administrator. Install the AzureADKerberos module (if not already installed): Execute below powershell commands Import-module “Import-module "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADKerberos\AzureAdKerberos.psd1" $domain = $env:USERDNSDOMAIN $userPrincipalName = admin@mngenvmcapXXX.onmicrosoft.com $domainCred = Get-Credential (Enter the Active Directory credentials) Once the command executes successfully, we can verify that the AzureADKerberos account has been created in Active Directory. Open Active Directory Users and Computer and under Domain Controller, check AzureADKerberos RODC object is created. This completes the AzureADKerberos configuration, enabling the use of FIDO2 Security Keys for authentication. Now, to establish an RDP connection, follow the same steps outlined earlier for Entra ID-joined devices. Enforcing Phishing-Resistant Passwordless Authentication for RDP: To ensure that Remote Desktop Protocol (RDP) always uses phishing-resistant passwordless authentication, we can enforce this through Conditional Access Policies in Entra ID. Sign in to the Entra ID portal. Go to Security → Conditional Access and create a new policy. Under Assignments, select the users or groups that require secure RDP access. In the Cloud apps or actions section, select “Microsoft Remote Desktop” with Application ID “a4a365df-50f1-4397-bc59-1a1564b8bb9c”. Under Grant Controls, choose Require authentication strength. Select Phishing-resistant authentication, which includes FIDO2 Security Keys Save and enable the policy. Note: For Hybrid Entra Joined machine, please ensure we do not use domain admin or any other AD high privileged account to logon else partial TGT will not be issued by Entra ID. I hope you found this blog helpful! In my next blog, I will cover how FIDO2 Security Keys can also be used for on-premises Active Directory domain-joined servers. Stay tuned!Seamless and Secure Access to Digital Healthcare Records with Microsoft Entra Suite
Healthcare professionals who dedicate their skills to saving lives must also manage operational and safety challenges inherent to their roles. If you’re in charge of cybersecurity for a healthcare organization, you’re intimately familiar with the need to comply with government healthcare regulations that, for example, require securing access to systems that house patient health information (PHI), are used for overseeing controlled substances, or are necessary to enable the secure consumption of AI. Every year, hundreds of U.S. healthcare institutions fall victim to ransomware attacks, resulting in network closures and critical systems going offline, not to mention delayed medical operations and appointments.[i] Sensitive healthcare systems are very attractive targets for cyberattacks and internal misuse. Many cybercriminals gain initial access by compromising identities. Thus, the first line of defense against bad actors, whether internal or external, is to protect identities and to closely govern access permissions based on Zero Trust principles: Verify explicitly. Confirm that the individual signing into a system used to electronically prescribe controlled substances is actually the care provider they say they are. Use least privilege access. Limit a care giver’s access to systems they need to use for their job Assume breach. Discover unauthorized access and block it before an adversary can deploy ransomware. This blog is the first in a series of how Microsoft Entra Suite and the power of cloud-based security tools can protect access to sensitive healthcare assets while improving the user experience for care teams and staff. On-premises healthcare applications and cloud-based security Some of the most widely adopted healthcare applications, such as electronic health records (EHRs), began decades ago as on-premises solutions that used LDAP (Lightweight Directory Access Protocol) and Active Directory to authenticate users. As enterprises shifted from on-premises networks protected by firewalls at the network perimeter to hybrid environments that enabled “anytime, anywhere access,” these solutions became vulnerable to attackers who gained unauthorized access to hospital networks via the Internet. Cloud-based security tools introduced advantages such as centralized visibility and control, continuous monitoring, automated threat detection and response, and advanced threat intelligence based on trillions of security signals. Many existing healthcare applications, however, didn’t support the new protocols necessary to take advantage of all these benefits. Over the past several years, Microsoft has worked closely with software vendors to integrate their applications with our comprehensive identity security platform, Entra ID—which is built on modern open security standards. As a result, many healthcare applications, including the most widely deployed EHR systems, can now benefit from the advanced security capabilities available through Microsoft Entra Suite, including single sign-on (SSO), multifactor authentication (MFA), Conditional Access, Identity Protection, and Network Protection. Securing access to healthcare applications with Microsoft Entra Suite Healthcare organizations can standardize on Microsoft Entra to enable single sign-on (SSO) to their most commonly used Healthcare applications and resources, including the most widely used EHR vendors, whether they’re on-premises or in clouds from Microsoft, Amazon, Google, or Oracle. Care teams, who may use dozens of different applications during their workday, benefit from seamless and secure access to all their resources with Microsoft’s built-in advanced identity and network security controls. Not only does Microsoft Entra offer a holistic view of all users and their access permissions, but it also employs a centralized access policy engine, called Conditional Access, that combines trillions of signals from multiple sources, including identities and devices, to detect anomalous user behavior, assess risk, and make real-time access and data protection decisions that adhere to regulatory mandates and Zero Trust principles. In simple terms, this enables controls that verify who a user is and what device they are using – including when using kiosks, remote, or many-to-one workstations - to decide if it is safe to enable access. This ability to support modern authentication successfully maps the clinicians to their cloud identity and in turn, unlocks powerful user-based models for data protection with Microsoft Purview. With Microsoft Entra, healthcare organizations can enforce MFA at the application level for more granular control. They can strengthen security by requiring phishing-resistant authentication for staff, contractors, and partners, and by evaluating device health before authorizing access to resources. They can even require additional verification steps for IT admins performing sensitive actions. Moreover, Microsoft Entra ID Protection processes a vast array of signals to identify suspicious behaviors that may indicate an identity compromise. It can raise risk levels to trigger risk-based Conditional Access policies that protect users and resources from unauthorized access. For more details about risk detections in Entra ID Protection, visit our documentation. Seamless and secure access for healthcare professionals Integrating applications with Microsoft Entra ID makes it possible for healthcare professionals to work more securely with fewer disruptions when they access medical records and treat patients, even when they’re working offsite, such as at a patient’s home or as part of a mobile medical unit. Microsoft Entra supports the strict protocols for electronic prescribing of controlled substances (EPCS). The EPCS mandate requires that healthcare providers authenticate their identities before they can prescribe controlled substances electronically. This means that each provider must have a unique user identity that can be verified through secure methods such as Multi-Factor Authentication (MFA). This helps prevent unauthorized access and ensures that only authorized individuals can issue prescriptions. The Health Insurance Portability and Accountability Act (HIPAA) also has specific obligations for access and identity to ensure the security and privacy of protected health information (PHI). Microsoft Entra Suite has a variety of controls to help meet these obligations that we will explore in additional blogs. Phishing-resistant authentication methods, which rely on biometrics and hardware tokens, significantly reduce the risk of unauthorized access to sensitive systems and data. These methods, which include passkeys, are practically impossible for cybercriminals to compromise, unlike passwords or SMS-based MFA. By eliminating passwords altogether, healthcare providers can better protect patient data, reduce the risk of violating HIPAA regulations, and prevent cyber and ransomware attacks that could disrupt healthcare operations. You can experience the benefits of Microsoft Entra ID, MFA, Conditional Access, and Entra ID Protection as part of the Microsoft Entra Suite, the industry’s most comprehensive Zero Trust access solution for the workforce. The Microsoft Entra Suite provides everything needed to verify users, prevent overprivileged permissions, improve detections, and enforce granular access controls for all users and resources. Get started with the Microsoft Entra Suite with a free 90-day trial. For additional details, please reach out to your Microsoft Representative. Read more on this topic Electronic Prescriptions for Controlled Substances (EPCS) - Azure Compliance | Microsoft Learn Conditional Access adaptive session lifetime policies - Microsoft Entra ID | Microsoft Learn Overview of Microsoft Entra authentication strength - Microsoft Entra ID | Microsoft Learn Microsoft Entra ID Epic Connector – Edgile Use data connectors to import and archive third-party data in Microsoft 365 | Microsoft Learn Learn more about Microsoft Entra Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds. Microsoft Entra News and Insights | Microsoft Security Blog Microsoft Entra blog | Tech Community Microsoft Entra documentation | Microsoft Learn Microsoft Entra discussions | Microsoft Community [i] Microsoft Corporation. Microsoft Digital Defense Report 2024: The foundations and new frontiers of cybersecurity. p.3. Microsoft, October 2024.Onboard employees easily with Microsoft Entra Suite
Microsoft Entra Suite ensures workforce security from day one and streamlines employee onboarding with automated app and resource access and high-assurance identity verification. Follow as our product expert sets up new access package policies with Microsoft Entra ID Governance and leverages Face Check with Microsoft Entra Verified ID for high-assurance identity verification with entitlement management. This webinar is part of our series on How to secure and govern access for your employees with the Microsoft Entra Suite. Enjoy the other sessions in this series: Microsoft Entra Suite: Comprehensive Zero Trust user access at your fingertips Microsoft Entra Suite scenario deep dive: Goodbye, legacy VPNs; hello, secure access to on-premises resources Microsoft Entra Suite scenario deep dive: Secure access to internet resources with Microsoft Entra SuiteCamp kickoff: Unify access, maximize impact in the age of AI
Join us as we kick off the Summer Camp with a deep dive into the scenarios that the Microsoft Entra Suite will enable for your organization. Discover how bringing identity and network access together not only streamlines your Zero Trust architecture and reduces operational burdens but also drives measurable business outcomes. Our guest speakers, Forrester Analyst, Geoff Cairns and Senior Consultant at Forrester, Roger Nauth, will reveal exclusive findings from a commissioned Total Economic Impact™ study conducted by Forrester Consulting on behalf of Microsoft. We'll highlight how organizations are achieving significant cost savings, productivity boosts, and enhanced security by unifying access with the Microsoft Entra Suite. Speakers: Kaitlin Murphy, Forrester Analyst Geoff Cairns, Forrester Senior Consultant Roger Nauth, Laura Viarengo This session is part of the Microsoft Entra Suite Summer Camp.Securing employee access in the age of AI
How are security leaders evolving their strategies and investments to tackle novel security challenges and enable secure AI transformation? Join us for an insightful webinar where we delve into the findings of our latest research on "Secure Employee Access in the Age of AI". Walk away with a better understanding of the complexity of modern work environments and the expanding attack surface. We’ll also help you: Explore the impact of hybrid work and AI adoption on security needs and incidents. Learn about the importance of collaboration between identity and network teams for better security and efficiency. Gain actionable insights on unifying access management to reduce risk, improve operational efficiency, and enhance user experience. In addition to key insights on today’s security landscape, we’ll offer strategic recommendations to help you build a more resilient access strategy. Whether you're a security leader, IT professional, or business executive, you'll find valuable information to protect identities and secure access in your organization.
Update Entra ID Device Extension Attributes via PowerShell & Create Dynamic Security Groups.
2) Overview of Extension Attributes and Updating via PowerShell What Are Extension Attributes? Extension attributes (1–15) are predefined string fields available on Entra ID device objects. They are exposed to Microsoft Graph as the extensionAttributes property. These attributes can store custom values like department, environment tags (e.g., Prod, Dev), or ownership details. Why Use Them? Dynamic Group Membership: Use extension attributes in membership rules for security or Microsoft 365 groups. Policy Targeting: Apply Defender for Endpoint (MDE) policies, Conditional Access or Intune policies to devices based on custom tags. For details on configuration of the policies refer below documentation links. https://learn.microsoft.com/en-us/defender-endpoint/manage-security-policies https://learn.microsoft.com/en-us/intune/intune-service/ https://learn.microsoft.com/en-us/entra/identity/conditional-access/ Updating Extension Attributes via PowerShell and Graph API Use Microsoft Graph PowerShell to authenticate and update device properties. Required permission: “Device.ReadWrite.All”. 3) Using PowerShell to Update Extension Attributes create app registration in Entra ID with permissions Device.ReadWriteall and Grant admin Consent. Register an app How to register an app in Microsoft Entra ID - Microsoft identity platform | Microsoft Learn Graph API permissions Reference. For updating Entra ID device properties you need “Device.ReadWrite.all” permission and Intune administrator role to run the script. Microsoft Graph permissions reference - Microsoft Graph | Microsoft Learn Below is the script Important things to note and update the script with your custom values. a) update the path of the excel file in the script. column header is 'DeviceName' Note: You may want to use CSV instead of excel file if Excel is not available on the admin workstation running this process. b) update the credential details - tenantId,clientId & clientSecret in the script. Client id and client secret are created as a part of app registration. c) update the Externsionattribute and value in the script. This is the value of the extension attribute you want to use in dynamic membership rule creation. ___________________________________________________________________________ #Acquire token $tenantId = "xxxxxxxxxxxxxxxxxxxxx" $clientId = "xxxxxxxxxxxxxxxx" $clientSecret = "xxxxxxxxxxxxxxxxxxxx" $excelFilePath = "C:\Temp\devices.xlsx" # Update with actual path $tokenResponse = Invoke-RestMethod -Uri "https://login.microsoftonline.com/ $tenantId/oauth2/v2.0/token" -Method POST -Body $tokenBody $accessToken = $tokenResponse.access_token # Import Excel module and read device names Import-Module ImportExcel $deviceList = Import-Excel -Path $excelFilePath foreach ($device in $deviceList) { $deviceName = $device.DeviceName # Assumes column header is 'DeviceName' Get device ID by name $headers = @{ "Authorization" = "Bearer $accessToken"} $deviceLookupUri = "https://graph.microsoft.com/beta/devices?`$filter=displayName eq '$deviceName'" try { $deviceResponse = Invoke-RestMethod -Uri $deviceLookupUri -Headers $headers -Method GET } catch { Write-Host "Error querying device: $deviceName - $_" continue } if ($null -eq $deviceResponse.value -or $deviceResponse.value.Count -eq 0) { Write-Host "Device not found: $deviceName" continue } $deviceId = $deviceResponse.value[0].id # Prepare PATCH request $uri = "https://graph.microsoft.com/beta/devices/$deviceId" $headers["Content-Type"] = "application/json" $body = @{ extensionAttributes = @{ extensionAttribute6 = "MDE" } } | ConvertTo-Json -Depth 3 try { $response = Invoke-RestMethod -Uri $uri -Method Patch -Headers $headers -Body $body Write-Host "Updated device: $deviceName"} catch { Write-Host "Failed to update device: $deviceName - $_" } } Write-Host "Script execution completed." ________________________________________________________________________________________________________________________ Here’s a simple summary of what the script does: Gets an access token from Microsoft Entra ID using the app’s tenant ID, client ID, and client secret (OAuth 2.0 client credentials flow). Reads an Excel file (update the path in $excelFilePath, and ensure the column header is DeviceName) to get a list of device names. Loops through each device name from the Excel file: Calls Microsoft Graph API to find the device ID by its display name. If the device is found, sends a PATCH request to Microsoft Graph to update extensionAttribute6 with the value "MDE". Logs the result for each device (success or failure) and prints messages to the console. 4) Using Extension Attributes in Dynamic Device Groups Once extension attributes are set, you can create a dynamic security group in Entra ID: Go to Microsoft Entra admin center → Groups → New group. Select Security as the group type and choose Dynamic Device membership. Add a membership rule, for example: (device.extensionAttributes.extensionAttribute6 -eq "MDE") 4. Save the group. Devices with extensionAttribute6 = MDE will automatically join. 5) Summary Extension attributes in Entra ID allow custom tagging of devices for automation and policy targeting. You can update these attributes using Microsoft Graph PowerShell. These attributes can be used in dynamic device group rules, enabling granular MDE policies, Conditional Access and Intune deployments. Disclaimer This script is provided "as-is" without any warranties or guarantees. It is intended for educational and informational purposes only. Microsoft and the author assume no responsibility for any issues that may arise from the use or misuse of this script. Before deploying in a production environment, thoroughly test the script in a controlled setting and review it for compliance with your organization's security and operational policies.
Intune bulk enrollment issue with package
Hello, We are encountering an issue while trying to enroll a device in Microsoft Intune within a Windows 10/11 workgroup environment. Using Windows Configuration Designer, we created a provisioning package for device enrollment. However, after executing the package on the device, we observe the following error in the Event Viewer under: Applications and Services Logs>Microsoft>Windows>DeviceManagement-Enterprise-Diagnostics-Provider>Admin: MDM ConfigurationManager: Command failure status. Configuration Source ID: (fb5b5ed2-b681-475c-bb21-c31762a5953d), Enrollment Name: (Provisioning), Provider Name: (AADJ), Command Type: (SetValue: from Replace), CSP URI: (./Vendor/MSFT/AADJ/BPRT), Result: (Unknown Win32 Error code: 0xcaa2000c). Additionally, when reviewing the Entra Audit logs, we notice that the device gets registered but is immediately unregistered. Could someone help us identify the root cause of this issue or suggest steps to resolve it? Thank youHybrid joined devices - convert to entra Joined
how to convert/migrate +5.000 devices/laptops from Hybrid joined devices to Entra joined Only devices (the users are not in scope) - so this is all about the devices and to get this working within a existing infrastructure. Or can someone confirm there's no conversion path for hybrid joined devices to Entra join only?
