zero trust
Passwordless Authentication with FIDO2 Security Key for Remote Desktop Connection

Hello everyone. In this blog, we will explore how to use a FIDO2 security key to access a device over Remote Desktop Connection (RDP), a Zero Trust approach in which passwordless authentication is enforced. Recently, a customer asked me whether they could secure their device and enforce passwordless authentication for RDP access. While some FIDO2 security keys can also be used as smart cards with Certificate-Based Authentication (CBA), I will cover that topic in my next blog. In this post, let's focus on how we can use Windows 10/11, the RDPAAD protocol (Remote Desktop Protocol Azure AD Protocol), and WebAuthn to connect to Entra ID-joined or Hybrid-joined devices using a FIDO2 security key.

If a user has never used or registered a FIDO2 security key, they should register it by visiting My Sign-Ins, clicking Security Info, and selecting Add sign-in method. Once the FIDO2 security key is registered, complete the sign-in process and ensure the user can successfully authenticate to web applications using the security key.

Configuring RDP for Entra ID-Joined Devices:

For Entra ID-joined devices, follow these steps to enable RDP access using a FIDO2 security key. The user must be a member of the local Remote Desktop Users group on the remote device:

1. Open PowerShell as Administrator (and load the Microsoft Graph PowerShell module to connect to Entra ID, if needed).
2. Run the following command to add the user to the Remote Desktop Users group:

    net localgroup "Remote Desktop Users" /add "AzureAD\user200@farooquetech.in"

We can validate the configuration by opening Computer Management and checking the Local Users and Groups settings:

1. Open Computer Management (compmgmt.msc).
2. Navigate to Local Users and Groups → Groups.
3. Locate and open the Remote Desktop Users group.
4. Check that the Entra ID user we added appears in the list.
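The group membership step above can be scripted and verified without opening Computer Management. The following is an added example, not code from the original post: it runs on the remote Entra ID-joined device in an elevated PowerShell session, adds the user with net localgroup (the same command the post uses) and then reads the group listing back to confirm the principal is really there. The UPN is a constructed placeholder. It uses net.exe rather than Add-LocalGroupMember on purpose: Add-LocalGroupMember commonly fails to resolve an AzureAD\<upn> principal that has never signed in to the device, whereas net localgroup accepts it.

```powershell
# Added example (not from the original post): add an Entra ID user to the local
# Remote Desktop Users group on the remote device and verify the membership.
# Run in an elevated PowerShell session on the remote (Entra ID-joined) device.
# The UPN below is a constructed placeholder; replace it with the real account.
$Upn       = "user200@example.invalid"
$Principal = "AzureAD\$Upn"
$Group     = "Remote Desktop Users"

# net.exe is used deliberately: Add-LocalGroupMember frequently cannot resolve
# an AzureAD\<upn> principal that has not signed in to this device yet.
$output = & net.exe localgroup $Group /add $Principal 2>&1
if ($LASTEXITCODE -ne 0) {
    # "already a member" is harmless; any other failure needs attention.
    if ($output -match "already a member") {
        Write-Host "$Principal is already a member of '$Group'."
    } else {
        throw "net localgroup failed (exit $LASTEXITCODE): $output"
    }
}

# Verify by parsing the group listing rather than trusting the add command.
# net localgroup prints header lines (Alias name, Comment, Members, dashes),
# one member per line, and a trailing "The command completed successfully."
$members = & net.exe localgroup $Group |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members$|-+$|The command completed)' }

if ($members -contains $Principal) {
    Write-Host "Verified: $Principal is a member of '$Group'."
} else {
    Write-Warning "$Principal not found in '$Group'. Current members:`n$($members -join "`n")"
}
```

Running the verification separately from the add is the point: a zero exit code from net localgroup tells you the command ran, while the listing tells you the principal was actually resolved and stored, which is what RDP will check at logon.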
This confirms that the user has been successfully added and can sign in to the remote machine using RDP. At this point, we can open Remote Desktop Connection (mstsc.exe) and attempt to connect to the remote device:

1. Open Remote Desktop Connection (mstsc.exe).
2. Click the Advanced tab.
3. Under User Authentication, select "Use a web account to sign in to the remote computer." This ensures that the RDP session uses passwordless authentication with FIDO2 and WebAuthn.
4. Enter the NetBIOS name of the remote computer and click Connect.
5. On the sign-in page, enter the Entra ID account for which FIDO2 security key authentication is enabled.
6. When prompted to choose a passwordless authentication method, select Security Key.
7. Insert your FIDO2 security key, enter the PIN, touch the key, and complete the authentication process.
8. A consent prompt asks whether to allow the RDP connection; select Yes.

After authentication, the desktop loads successfully, and we have a secure, passwordless RDP connection to the remote device.

Remote Desktop Connection Access to Hybrid Entra ID-Joined Devices:

Now, let's discuss how to establish RDP access for Hybrid Entra ID-joined devices. The process differs slightly because these devices are joined to both Active Directory (AD) and Entra ID, so authentication must be validated in both directories. To achieve this, we need to register an Active Directory Read-Only Domain Controller (RODC) object in Entra ID. This RODC object allows Entra ID to issue a partial Kerberos Ticket Granting Ticket (TGT) to the user after authentication. Note: This RODC object is not linked to any on-premises AD domain controller; it is simply an empty object in Entra ID used to enable Kerberos authentication.
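The "Use a web account to sign in to the remote computer" checkbox in the Advanced tab corresponds to the enablerdsaadauth:i:1 property of an .rdp file. The following is an added example, not code from the original post: it runs on the client and writes a connection file with that property pre-set, checks that the property is really in the file, and then launches mstsc.exe with it, so the web-account setting cannot be forgotten when a user double-clicks the file. The host name and output path are constructed placeholders.

```powershell
# Added example (not from the original post): generate an .rdp file that has
# "Use a web account to sign in to the remote computer" already selected.
# The property behind that checkbox is enablerdsaadauth:i:1.
# Host name and output path are constructed placeholders.
param(
    [string]$RemoteHost = "WS-ENTRA-01",   # NetBIOS name of the remote device
    [string]$OutFile    = "$env:USERPROFILE\Desktop\$RemoteHost-webaccount.rdp"
)

$rdp = @(
    "full address:s:$RemoteHost"   # remote device to connect to
    "enablerdsaadauth:i:1"         # authenticate to the remote PC with an Entra ID web account
)

# mstsc expects one "name:type:value" line per setting; write plain ASCII
[System.IO.File]::WriteAllLines($OutFile, $rdp, [System.Text.Encoding]::ASCII)

# Sanity check: confirm the web-account setting was written before launching
$content = Get-Content $OutFile
if ($content -notcontains "enablerdsaadauth:i:1") {
    throw "Web-account authentication setting missing from $OutFile"
}

Write-Host "Wrote $OutFile; launching Remote Desktop Connection..."
Start-Process mstsc.exe -ArgumentList "`"$OutFile`""
```

Distributing a file like this (or setting the property in a centrally managed .rdp) is a simple way to make the passwordless path the default for users, rather than relying on each of them to tick the Advanced-tab option by hand.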
Enabling Entra ID Kerberos Authentication:

To enable Entra ID Kerberos authentication, follow these steps:

1. Open PowerShell as Administrator.
2. Install the AzureADKerberos module (if not already installed).
3. Execute the PowerShell commands below:

    # Load the AzureADKerberos module shipped with Microsoft Entra Connect
    Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADKerberos\AzureAdKerberos.psd1"
    # On-premises Active Directory domain name
    $domain = $env:USERDNSDOMAIN
    # Entra ID account used to register the Kerberos server object
    $userPrincipalName = "admin@mngenvmcapXXX.onmicrosoft.com"
    # Enter the Active Directory credentials when prompted
    $domainCred = Get-Credential
    # Create the AzureADKerberos RODC object in AD and register it in Entra ID
    Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName -DomainCredential $domainCred

Once the command executes successfully, we can verify that the AzureADKerberos account has been created in Active Directory: open Active Directory Users and Computers and, under Domain Controllers, check that the AzureADKerberos RODC object exists. This completes the AzureADKerberos configuration, enabling the use of FIDO2 security keys for authentication. Now, to establish an RDP connection, follow the same steps outlined earlier for Entra ID-joined devices.

Enforcing Phishing-Resistant Passwordless Authentication for RDP:

To ensure that Remote Desktop Protocol (RDP) always uses phishing-resistant passwordless authentication, we can enforce this through Conditional Access policies in Entra ID:

1. Sign in to the Entra ID portal.
2. Go to Security → Conditional Access and create a new policy.
3. Under Assignments, select the users or groups that require secure RDP access.
4. In the Cloud apps or actions section, select "Microsoft Remote Desktop" with Application ID "a4a365df-50f1-4397-bc59-1a1564b8bb9c".
5. Under Grant controls, choose Require authentication strength.
6. Select the Phishing-resistant authentication strength, which includes FIDO2 security keys.
7. Save and enable the policy.

Note: For Hybrid Entra joined machines, please ensure we do not use a domain admin or any other highly privileged AD account to log on, because Entra ID will not issue a partial TGT for such accounts.

I hope you found this blog helpful!
In my next blog, I will cover how FIDO2 security keys can also be used for on-premises Active Directory domain-joined servers. Stay tuned!

Setting up Microsoft Entra Verified ID, step by step
Are you confident who the people in your organization are interacting with online? Identity verification is fundamental to protecting your organization from impersonation. Get the knowledge you need to bring strong identity verification to your organization and improve confidence that digital interactions are safe and secure. The Microsoft Entra Verified ID team will kick off with a comprehensive overview of how to set up Verified ID. We'll walk through key concepts, including Verified ID's significance in enhancing digital identity, security, and trust. Then we'll show you how to configure your environment, set up and issue your first credential, and use the Microsoft Entra admin center to manage credentials across your organization. This session is part of the Microsoft Entra Verified ID webinar series.

[On demand] Never trust, always verify: Tips for Zero Trust with Intune
Get tips on how to leverage the latest automation and tooling in Microsoft Intune to enforce security policies that require healthy, compliant devices before access to apps and data is granted. Watch Never trust, always verify: Tips for Zero Trust with Intune (now on demand) and join the conversation at https://aka.ms/AlwaysVerify. To help you learn more, here are the links referenced in the session: Zero Trust Workshop; Microsoft Zero Trust; Microsoft Cybersecurity Reference Architectures. For more free technical skilling on the latest in Windows, Windows in the cloud, and Microsoft Intune, view the full Microsoft Technical Takeoff session list.

Kick Start Your Security Learning with a 7-lesson, Open-Source Course
This course is designed to teach you fundamental cyber security concepts to kick start your security learning. It is vendor agnostic and is divided into small lessons that should take around 30-60 minutes to complete. Each lesson has a small quiz and links to further reading if you want to dive into the topic a bit more.

Unlock Your Cybersecurity Potential: Explore the Security-101 Curriculum!
In our interconnected world, cybersecurity is no longer a luxury; it's a necessity. Whether you're a seasoned IT professional or a curious enthusiast, understanding the fundamentals of security is crucial. Today, I'm thrilled to introduce you to a treasure trove of knowledge: the Security-101 repository.

What Is Security-101? The Security-101 repository, hosted on GitHub, is your gateway to mastering cybersecurity essentials. Developed by experts at Microsoft, this curriculum is designed to be accessible, practical, and engaging.

Why Should You Explore Security-101?

Foundational Knowledge: Whether you're new to the field or need a refresher, Security-101 covers the basics. From the CIA Triad (Confidentiality, Integrity, and Availability) to risk management, you'll gain a solid understanding.

Vendor-Agnostic Approach: No product pitches here! Security-101 focuses on principles rather than specific tools. It's like learning to drive before choosing a car.

Learn at Your Own Pace: Each lesson takes just 30-60 minutes. Perfect for busy professionals or those eager to improve during lunch breaks.

Interactive Quizzes: Test your knowledge after each lesson. Reinforce what you've learned and track your progress.

You can use the following study plan for mastering the cybersecurity concepts covered in the Security-101 repository, or come up with a self-paced study plan of your own:

Week 1: Foundations and Basics. Subtopics: CIA triad (Confidentiality, Integrity, Availability); Risks vs. Threats; Security control concepts. Activities: Read lessons on foundational concepts. Take quizzes.

Week 2: Zero Trust Architecture. Subtopics: Zero trust model; IAM in Zero Trust; Networking in Zero Trust. Activities: Explore zero trust principles. Review related materials.

Week 3: Security Operations (SecOps). Subtopics: Security incident response; Security monitoring; Security automation. Activities: Study SecOps concepts. Complete quizzes.

Week 4: Application Security (AppSec). Subtopics: Secure coding practices; Web application security; Secure software development. Activities: Dive into AppSec topics.

Week 5: Data Security. Subtopics: Data encryption; Data classification; Data loss. Activities: Understand data security. Take quizzes.

Call to Action: Explore Security-101 Today! Here's how you can engage:

Visit the repository: Head over to the Security-101 repository. Star and bookmark it; you'll want to return!

Start with Lesson 1: Begin with the first lesson. Whether you're sipping coffee or waiting for a code build, invest that time in your growth.

Share with Peers: Spread the word! Tell your colleagues, friends, and fellow tech enthusiasts. Let's build a community of security-conscious learners.

Conclusion: Security isn't an afterthought; it's woven into every digital interaction. By exploring Security-101, you're not just learning; you're empowering yourself to protect data, systems, and people. Learning about security is an essential step for anyone looking to protect their digital assets and navigate the complex landscape of cybersecurity. The course offered by Microsoft on GitHub is a comprehensive starting point that covers fundamental concepts such as the CIA triad, zero trust architecture, and various security practices. It's vendor-agnostic, making the knowledge applicable across different platforms and technologies. By understanding the basics of cybersecurity, you can better assess risks, implement effective controls, and contribute to a safer online environment. Whether you're a beginner or looking to refresh your knowledge, Security-101 equips you with the tools and understanding necessary to face modern security challenges. So, take the leap and start your cybersecurity learning journey today.

Securing the CSP Channel with Microsoft Zero Trust Technologies
Microsoft will deliver ongoing guidance and resources to help you adopt stronger protective measures. To successfully implement Zero Trust across our ecosystem, we are additionally relying on Microsoft Partners to take the necessary security actions. By working together, we can better plan for shifts in the cybersecurity landscape and proactively respond to risk for years to come. Attached you can find the necessary best practices and guidance on how to secure the CSP Channel.

Microsoft Secure Score - Recording + Slides Webinar 22.6
Microsoft Secure Score is a security assessment tool from Microsoft that analyzes the current security posture in Microsoft 365 and Azure. It evaluates the security configuration and provides a score as well as recommendations for improving the security posture. Organizations can thus take targeted measures to raise their score and effectively strengthen their security. Here is the link to the recording and slide decks from the webinar on 22.6!