Last year in November passwordless sign-in became available for Windows 10, but only for Microsoft accounts. Although this was a major step towards a passwordless world, most companies do not use Microsoft accounts but AD or Azure AD accounts to sign in to computers. About a month ago the public preview of Azure AD support for FIDO2-based passwordless sign-in started. In this blog post I will demonstrate how to set up and use the Azure AD support for FIDO2.
I use the following setup:
- Windows 10 Pro 1903 (Insider Preview build 18947), Azure AD joined
- Azure AD (Premium P1 license assigned)
- Intune (EMS E3)
- Yubikey 5 NFC
- A device group (used to assign the configuration)
The configuration consists of the following parts:
- Configure the Azure Tenant.
- Set up the configuration for the Windows device.
- Enroll the end-user with the security key.
- Test the configuration with a test device.
Let’s begin with setting up the Azure Tenant:
1. Sign in to the Azure Portal as a Global admin.
2. Select “Azure Active Directory” and go to “Authentication methods”.
3. The Authentication Methods screen will open. Press the link “Click here to enable users for the enhanced registration preview”.
4. Configure which user groups can use the preview features. In this lab I will configure “All”, but in a production environment you will probably only allow a group of test user(s). Press “Save” to save your choice and press “Authentication methods – Authentication method policy (Preview)” to continue.
5. Now the FIDO2 Security Key can be enabled by pressing the text “FIDO2 Security Key”; the FIDO2 Security Key settings screen will pop up. Set Enable to “Yes” to enable FIDO2. Again I will target “All” in this lab, but in a production environment you will probably only allow a group of test user(s). I will use the default settings. (At the moment the Key Restriction Policy cannot be used in the public preview.) Press “Save” to continue.
The Azure Tenant has now been set up; now it’s time for the Device Configuration.
1. First create a group in Azure AD containing your test device; this group will be used to assign the device configuration. Go to “Azure Active Directory” and select “Groups”.
2. Select “New group”
3. Select group type “Security” and give the group a recognizable name. In this Lab I will manually assign the devices and therefore select the membership type “Assigned”. Press “Members” to add the Azure AD devices which you want to use. Press “Create” to create the group.
4. In the Azure portal go to Intune.
5. Select “Device enrollment” -> “Windows enrollment” -> “Windows Hello for Business”.
6. Set “Use security keys for sign-in” to “Enabled” and press “Save”. (Configuring security keys for sign-in does not depend on configuring Windows Hello for Business.)
7. Go to the “Intune – Overview” and go to “Device configuration” -> “Profiles” -> “Create profile”
8. Enter Name and Description, select platform “Windows 10 and later” and select the profile type “Custom”.
9. Under Settings press “Configure” and press “Add”.
10. Add the following values and press “OK”:
Name: <Enter a recognizable name of your choice>
OMA-URI: ./Device/Vendor/MSFT/PassportForWork/SecurityKey/UseSecurityKeyForSignin
Data type: Integer
Value: 1
11. Press “OK” and “Create”. The profile will now be created.
12. After creation the new Configuration Profile will open. Press “Assignments” to assign the profile.
13. Press “Select groups to include”. A new blade will open where the “Intune – testdevices” group (created at step 3) can be selected. Select the group, it will appear under “Selected members”, and press “Select”.
14. Select “Save” to save the assignment.
15. On the test device go to “Settings” -> “Accounts” -> “Access work or school” and select “Info”.
16. Press the “Sync” button to sync with Intune. The device has now been set up for FIDO2 authentication.
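After the sync it is worth verifying on the test device that the custom profile actually arrived, rather than finding out at the lock screen. The script below is an added example, not part of the original post: it assumes the OMA-URI from step 10 is written by the MDM client to the policy registry path `HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork\SecurityKey` (the same location the “Turn on security key sign-in” Group Policy uses), and uses `dsregcmd /status` to confirm the device is Azure AD joined and has an MDM enrollment.

```powershell
# Added example (not from the original post): check that the Intune custom profile
# from step 10 has been applied after the sync in step 16. Run in an elevated prompt.
# Assumption: the OMA-URI ./Device/Vendor/MSFT/PassportForWork/SecurityKey/UseSecurityKeyForSignin
# lands in the registry path below; verify this against your own tenant.
$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork\SecurityKey'
$ValueName  = 'UseSecurityKeyForSignin'

function Test-SecurityKeySignInPolicy {
    # Returns whether the policy value is present and set to 1 (enabled).
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{
            Applied = $false; Value = $null
            Note    = 'Policy value not present: profile not yet synced, or not assigned to this device'
        }
    }
    $value = $item.$ValueName
    [pscustomobject]@{
        Applied = ($value -eq 1)
        Value   = $value
        Note    = if ($value -eq 1) { 'Security key sign-in enabled by policy' }
                  else { 'Value present but not 1: check the profile data type (Integer) and value' }
    }
}

function Get-MdmJoinState {
    # Parses dsregcmd output: the device must be Azure AD joined and enrolled in MDM
    # for the Intune profile to be delivered at all.
    $status = dsregcmd /status
    [pscustomobject]@{
        AzureAdJoined = [bool]($status | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES')
        MdmEnrolled   = [bool]($status | Select-String -Pattern '^\s*MdmUrl\s*:\s*https://')
    }
}

function Get-RecentMdmErrors {
    # Recent errors from the MDM diagnostics log help explain a missing policy value.
    Get-WinEvent -LogName 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin' `
        -MaxEvents 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.Level -eq 2 } |
        Select-Object -First 5 TimeCreated, Id, Message
}

Get-MdmJoinState | Format-List
Test-SecurityKeySignInPolicy | Format-List
Get-RecentMdmErrors | Format-Table -Wrap
```

If `Applied` is `False` while the device reports `MdmEnrolled = True`, trigger another sync from “Access work or school” and re-check before assuming the profile assignment is wrong.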
Now for the last part: “Enroll the end-user with the security key”.
I’ve seen some posts on the internet saying that it can take some time before the “Security key” method can be added, but I haven’t seen this behaviour on my Azure Tenants.
1. Open the browser on the test device, go to https://myprofile.microsoft.com and log in with your test user.
2. Select “Security info” on the left.
3. Press “+ Add method”, select “Security key” and press “Add”.
4. If MFA hasn’t been set up for the user, the following screen will appear to set up MFA. Press “Next” to continue.
5. Download the authenticator app on your phone and follow the instructions.
6. Add your mobile number and verify and press “Next” to continue.
7. The following screen will appear, select what you would like.
8. Now you will be redirected to the My Sign-Ins page. (The page will sometimes hang for minutes; if this happens, just close the window, open a new window and enter https://mysignins.microsoft.com/security-info.)
The same page as at step 3 will appear, but now with two methods added (Phone and Microsoft Authenticator). Select “+ Add method”, select “Security key” and press “Add”.
9. Select the Security Key type. I use the Yubikey with both USB and NFC, but I will use USB in this Lab. Therefore I will select “USB device”.
10. Press “Next” when prompted to keep your device ready.
11. I’m using Firefox to set up the security key, so this message is correct. Press “OK” to continue.
12. A notification will pop-up to notify that a credential will be created on the security key. Press “OK” to continue.
13. Enter the PIN code of your security key and press “OK” to continue. (Before you can log in on a device with your security key, you will need to unlock the security key with a PIN. This PIN is stored in the Azure AD and is not the same as the Windows Hello PIN, which is stored locally.)
14. Now press the key on your security key to continue setup.
15. Enter a recognizable name for your security key and press “Next” to continue
16. The Security Key has now been setup, press “Done” to continue.
Test the passwordless login on the test device:
1. Log out all users and go to the start screen.
2. Plug in the security key. Enter the PIN code of the security key and press “Enter”.
3. Press the button on the security key.
4. The user will now be logged on to the device without entering a username or password
5. The desktop appears.
Conclusion:
Passwordless login with Azure AD is a great improvement. It’s easy to configure, and there is no need for CA servers or third-party software.
Pro:
- Login on all Azure AD joined devices with only the security key and PIN.
- Fully managed with Intune, no need for additional scripting.
- Only a Premium P1 license is needed to get this working.
Con:
- Still need a PIN code to log in.
- Issues with the My Profile and My Sign-Ins pages, which keep loading.
This method needs at least Microsoft Business Premium plans, and it works only with a combination of PIN and Yubikey. Is it possible to configure U2F login (same as G Suite) with a combination of full password and Yubikey in Microsoft 365 Business plans? It would be great if we could stack up our necessary steps on our own.
I’m not sure if I understand your question, but do you want to know if it’s possible to use a U2F device with a Password for logon to Windows?
FIDO does seem to be the way to go (especially with its anti-phishing measures). Hopefully in time location can also be added as an authentication factor (using GPS).