Last year we wrote about Azure AD and password-less sign-in: http://blog.mindcore.dk/2019/07/azure-ad-and-password-less-sign-in.html
Now we also have support (public preview) for this in hybrid environments, so let's try it out.
We will use the same Yubico security NFC as last time.
The first thing we need to be aware of is that we need version 1.4.32.0 or later of Azure AD Connect.
We can find our current version in Control Panel.
Or by using this PowerShell command:
(Get-ADSyncGlobalSettings).Parameters |?{$_.Name -eq "Microsoft.Synchronize.ServerConfigurationVersion"} | select Value
In this case we need to update, so get the latest version and see the version history here:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-version-history
Start the downloaded file.
Select Upgrade.
Enter your global admin credentials.
Then upgrade, and also start the synchronization process when the configuration completes.
Exit the upgrade program.
After the upgrade completes, a new subfolder is added to Microsoft Azure Active Directory Connect:
C:\Program Files\Microsoft Azure Active Directory Connect\AzureADKerberos
Now, on the Azure AD Connect server, we will create an Azure AD Kerberos Server object in our on-premises AD.
In an elevated PowerShell prompt, go to the folder shown above.
Next import the module in the folder with the command:
Import-Module ".\AzureAdKerberos.psd1"
Save our Azure Active Directory global administrator username and password in a variable with the command:
$cloudCred = Get-Credential
Save our domain administrator username and password in another variable with the command:
$domainCred = Get-Credential
Now create the new Azure AD Kerberos Server object in Active Directory and publish it to Azure Active Directory with the command:
Set-AzureADKerberosServer -Domain "[domain]" -CloudCredential $cloudCred -DomainCredential $domainCred
We can verify what we just created with the command:
Get-AzureADKerberosServer -Domain "[domain]" -CloudCredential $cloudCred -DomainCredential $domainCred
Registration features for password-less authentication rely on combined registration, so make sure this is activated in Azure AD.
Enable the FIDO2 security key authentication method; in this test it is enabled for all users.
Now log in with a test user to https://myprofile.microsoft.com/
Select Security info:
Select Add method – you need to have at least one Azure Multi-Factor Authentication method registered before a security key can be added.
Select Security key and Add.
Select the security key type, here USB device.
Select Next.
Select Next again.
Select Continue.
Insert the security key in the USB port.
We already defined the PIN in the previous post, so we will just enter the existing PIN.
Select Allow.
Then give the security key a name so that we can identify it if we have more than one.
And finally we just have to press Done.
Now let's try to sign in to Office 365 with our security key in the new Microsoft Edge browser (Chromium).
We will select Sign in with Windows Hello or a security key.
Enter the PIN.
Do the required gesture for the key – here, touch.
And we are in.
In order to try this on Windows 10, we need to use an Insider build 18945 or later.
Since this is a hybrid Azure AD join scenario, we will enable security keys for Windows sign-in with a Group Policy.
This Group Policy setting requires an updated version of the credentialprovider.admx Group Policy template; for now we need to take it from the Insider build and copy it to our central store.
The setting can be found under Computer Configuration – Administrative Templates – System – Logon – Turn on security key sign-in.
When enabled it will allow users to sign in with security keys.
Make sure that the device is hybrid Azure AD joined (Windows 10).
Now let's try to sign in with the security key by entering the PIN for the key.
Touch the security key.
And we are at the desktop.
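Before testing the sign-in it is worth checking the prerequisites from the steps above in one go. The script below is an added example, not part of the original post: Test-ConnectServerPrerequisites is meant for an elevated PowerShell on the Azure AD Connect server with the AzureAdKerberos module imported, and Test-ClientSecurityKeySignIn for the Windows 10 client. The Get-AzureADKerberosServer property names (Id, KeyVersion, CloudKeyVersion) and the registry location of the "Turn on security key sign-in" policy are assumptions; verify them against your build and template.

```powershell
# Added prerequisite checks for the hybrid security key setup in this post (not from the original post).
# Assumptions: $Domain, $CloudCred and $DomainCred follow the post; the Get-AzureADKerberosServer
# property names and the policy registry key are assumed, verify them against your build.

function Test-ConnectServerPrerequisites {
    param([string]$Domain, [pscredential]$CloudCred, [pscredential]$DomainCred)
    $minimum = [version]'1.4.32.0'
    # Azure AD Connect version, read the same way the post does it.
    $installed = [version]((Get-ADSyncGlobalSettings).Parameters |
        Where-Object { $_.Name -eq 'Microsoft.Synchronize.ServerConfigurationVersion' }).Value
    $modulePath = 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADKerberos\AzureAdKerberos.psd1'
    # The Kerberos server object must exist on-premises and be published to Azure AD; after
    # Set-AzureADKerberosServer the on-premises and cloud key versions are expected to match.
    $krb = $null
    try {
        $krb = Get-AzureADKerberosServer -Domain $Domain -CloudCredential $CloudCred -DomainCredential $DomainCred
    } catch { Write-Warning "Get-AzureADKerberosServer failed: $_" }
    [pscustomobject]@{
        ConnectVersion      = $installed
        ConnectVersionOk    = $installed -ge $minimum
        KerberosModuleFound = Test-Path $modulePath
        KerberosObjectFound = ($null -ne $krb) -and -not [string]::IsNullOrEmpty($krb.Id)   # Id: assumed property
        KeyVersionsMatch    = ($null -ne $krb) -and ($krb.KeyVersion -eq $krb.CloudKeyVersion) # assumed properties
    }
}

function Test-ClientSecurityKeySignIn {
    $status = dsregcmd /status   # built-in join status tool, one "Name : Value" line per field
    # Assumed registry location written by the "Turn on security key sign-in" policy.
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork\SecurityKey'
    $policy = Get-ItemProperty -Path $policyKey -Name UseSecurityKeyForSignin -ErrorAction SilentlyContinue
    $build = [System.Environment]::OSVersion.Version.Build
    [pscustomobject]@{
        Build             = $build
        BuildOk           = $build -ge 18945
        AzureAdJoined     = [bool]($status | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES' -Quiet)
        DomainJoined      = [bool]($status | Select-String -Pattern '^\s*DomainJoined\s*:\s*YES' -Quiet)
        SecurityKeySignIn = ($null -ne $policy) -and ($policy.UseSecurityKeyForSignin -eq 1)
    }
}

# Usage (run the function that matches the machine you are on):
# Test-ConnectServerPrerequisites -Domain '[domain]' -CloudCred $cloudCred -DomainCred $domainCred
# Test-ClientSecurityKeySignIn
```

A hybrid joined client should report both AzureAdJoined and DomainJoined as true; if SecurityKeySignIn is false the policy has not applied yet, so run gpupdate before retrying the sign-in.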
We now have an enterprise solution supporting single sign-on (SSO) to both cloud and on-premises resources, just what we have been waiting for.