Azure AD Connect – A new major version is available and there are few things you need to know
If you are using Office 365 and/or Azure AD and have an on-premises Active Directory, you already know that you can synchronize your on-premises...
1 min read
cubesys : Feb 25, 2020 12:00:00 AM
As you may already be aware, passwordless sign-in with FIDO2 security keys has been in preview for quite some time for Azure AD joined devices and browser sign-ins (see https://t.co/6HfQaQrsuR).
Well, good news: you can now also use FIDO2 keys to authenticate on Azure AD Hybrid joined devices, i.e. Windows 10 devices joined to an on-premises Active Directory domain and registered in Azure Active Directory.
You can check whether a device is Azure AD joined or Hybrid joined in the Azure AD portal (https://aad.portal.azure.com/) or the Azure portal (https://portal.azure.com) by opening the Azure Active Directory > Devices > All devices blade.
Then you need to ensure the following (if not done already):
Then you enable the hybrid settings:
# The AzureAdKerberos module ships with Azure AD Connect (default install path shown)
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADKerberos\AzureAdKerberos.psd1"
$domain = "<your AD domain>"
# Azure AD Global Administrator credentials
$cloudCred = Get-Credential
# On-premises AD Domain Administrator credentials
$domainCred = Get-Credential
# Create the Azure AD Kerberos server object in AD and in Azure AD
Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred
# Verify the object exists on both sides
Get-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred
# Only if you need to roll back: remove the Kerberos server object again
Remove-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred
NOTE: if you also use Seamless SSO, you already know that you need to rotate the krbtgt encryption keys; the same applies here. Just use the command:
Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred -RotateServerKey
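As an added example (not code from the original post), here is a small PowerShell wrapper around the cmdlets above that reports the state of the Azure AD Kerberos server object and rotates its key only when the on-premises and cloud key versions disagree or the key is older than a chosen age. The property names (KeyVersion, CloudKeyVersion, KeyUpdatedOn) are those displayed by Get-AzureADKerberosServer; the 30-day threshold and the domain name are assumptions.

```powershell
# Added example: report the Azure AD Kerberos key status and rotate only when needed.
# Assumes the AzureAdKerberos module from the Azure AD Connect install directory and that
# Get-AzureADKerberosServer exposes KeyVersion, CloudKeyVersion and KeyUpdatedOn.
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADKerberos\AzureAdKerberos.psd1"

function Test-AzureADKerberosKeyHealth {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [pscredential] $CloudCredential,
        [Parameter(Mandatory)] [pscredential] $DomainCredential,
        [int] $MaxKeyAgeDays = 30,   # assumed rotation policy, adjust to your own
        [switch] $Rotate             # rotate only when explicitly requested
    )

    $server = Get-AzureADKerberosServer -Domain $Domain -CloudCredential $CloudCredential -DomainCredential $DomainCredential
    if (-not $server) {
        Write-Warning "No Azure AD Kerberos server object found for $Domain; run Set-AzureADKerberosServer first."
        return $null
    }

    $keyAge   = (Get-Date) - [datetime]$server.KeyUpdatedOn
    $mismatch = $server.KeyVersion -ne $server.CloudKeyVersion
    $stale    = $keyAge.TotalDays -gt $MaxKeyAgeDays

    $result = [pscustomobject]@{
        Domain          = $Domain
        OnPremKeyVer    = $server.KeyVersion
        CloudKeyVer     = $server.CloudKeyVersion
        KeyAgeDays      = [math]::Round($keyAge.TotalDays, 1)
        VersionMismatch = $mismatch
        Stale           = $stale
        Rotated         = $false
    }

    if (($mismatch -or $stale) -and $Rotate) {
        # Same cmdlet the post uses; -RotateServerKey refreshes the key in AD and in Azure AD
        Set-AzureADKerberosServer -Domain $Domain -CloudCredential $CloudCredential -DomainCredential $DomainCredential -RotateServerKey
        $result.Rotated = $true
    }
    return $result
}

# Usage: report first; add -Rotate once the report shows a mismatch or a stale key.
$cloudCred  = Get-Credential -Message 'Azure AD Global Administrator'
$domainCred = Get-Credential -Message 'AD Domain Administrator'
Test-AzureADKerberosKeyHealth -Domain 'contoso.local' -CloudCredential $cloudCred -DomainCredential $domainCred
```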
KNOWN LIMITATION/ISSUE
If your password has expired, FIDO2 authentication will fail. You need to update your password to make it work again.
That's it, folks: you have enabled FIDO2 authentication for your Active Directory domain joined Windows 10 devices.