

Azure AD has recently introduced FIDO security key sign-in for Windows logon. Microsoft has a plethora of documentation around this, but it can be confusing to navigate. The following is a down and dirty guide of how to enable FIDO2 sign-in for Windows in the Hybrid AAD environment.

The following guide assumes that your Windows machines are running Windows 10 greater than version 2004 (20H1) and are AAD hybrid joined. We will be using Group Policy to configure Windows to allow security key sign-in.

Enable Security Key Registration

First, we will configure Azure AD to allow users to register FIDO2 credentials with their AAD accounts. In our example, we created an AD group with the users we wanted to allow registration for.

Connect to your Azure Active Directory admin center.
Select Azure Active Directory > Security > Authentication Methods > FIDO2 Security Key.
Select Yes to Enable, then configure a target user or group.

Next, we need to register the security key to the account in Azure AD.

1. Using the account you would like to configure, log in to Microsoft Security Info.
2. Select Add Method, Security Key, then Add.
3. Click USB or NFC Device (from my testing, it doesn't seem to matter which option you choose; if the security key is capable of both, either choice will work).
4. Select Next, OK, OK, then insert your FIDO2 credential.
5. If you have already configured a PIN for the device, you will be prompted to enter the PIN; if not, you will be prompted to create a new PIN.
6. Once you complete the PIN authentication, you will need to name your security key. This can be used to identify it when you have multiple devices.

That's it! The security key has been registered successfully.

Extending on-premises Kerberos realm to Azure Active Directory

Because the machines will be authenticating against AAD, we need to extend the Kerberos realm to enable ticket granting rights. A key is then derived and securely pushed to Azure AD via Azure AD Connect.
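The Kerberos realm extension is done with the Azure AD Kerberos PowerShell cmdlets that ship with Azure AD Connect. The following is an added example, not from the original post; the domain name and the admin UPN are placeholders, and the module path assumes the default Azure AD Connect install location.

```powershell
# Added example: create the Azure AD Kerberos server object that extends the
# on-premises Kerberos realm to Azure AD, then verify that the key reached AAD.
# Run this on the Azure AD Connect server.
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADKerberos\AzureAdKerberos.psd1"

# On-premises AD domain to extend (placeholder value).
$domain = "contoso.corp.com"
# Azure AD global administrator account (placeholder value).
$cloudUpn = "admin@contoso.onmicrosoft.com"

# Two credentials are needed: an on-premises domain admin and an Azure AD global admin.
$domainCred = Get-Credential -Message "On-premises domain administrator (DOMAIN\user)"
$cloudCred  = Get-Credential -UserName $cloudUpn -Message "Azure AD global administrator"

# Create the Azure AD Kerberos server object. This creates the AzureADKerberos
# computer object and its krbtgt_AzureAD account in AD, derives the key and
# pushes it to Azure AD so AAD can issue Kerberos TGTs for the domain.
Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred

# Verify: the on-premises KeyVersion and the CloudKeyVersion should match,
# and KeyUpdatedOn should reflect the push that just happened.
Get-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred

# The pushed key is a Kerberos secret; rotate it on a schedule like any krbtgt key:
# Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred -RotateServerKey
```

Re-run the Get-AzureADKerberosServer check after any rotation, since a mismatch between KeyVersion and CloudKeyVersion means security key sign-in will fail until Azure AD Connect has pushed the new key.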
