Going passwordless on Windows 10 Azure AD joined devices.

Microsoft launched the public preview of FIDO2 security keys support in Azure Active Directory. This means that it is possible to try a passwordless approach for your users.

It could take a while to be enabled on all tenants. I have checked a few and most of them have the functionality available.

Requirements
– Azure MFA
– Combined registration enabled (preview)
– FIDO2 Security key (I used a Yubikey 5 NFC for testing)
– Windows 10 1809+ (1903 version recommended)
– Microsoft Intune & Azure AD joined device

Enable the Security Keys credential provider through Microsoft Intune
You need to enable the Security Keys credential provider so that it is offered on the Windows sign-in screen.

1. Navigate to the Azure portal
2. Go to [Microsoft Intune] > [Device configuration] > [Profiles] and create a new profile
3. Use the following OMA-URI settings:

Name: Enable Security Keys for Windows Sign-In
OMA-URI: ./Device/Vendor/MSFT/PassportForWork/SecurityKey/UseSecurityKeyForSignin
Data type: Integer
Value: 1

4. Assign the policy to all your users or a specific pilot group.
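The same profile can be created and assigned without clicking through the portal. The script below is an added example, not code from the original post; it assumes the Microsoft.Graph PowerShell module is installed, that the signed-in account has Intune configuration rights, that the beta Graph endpoint is used for custom OMA-URI profiles, and that the pilot group id is replaced with your own (the value shown is a placeholder).

```powershell
# Added example: create the OMA-URI profile from the post via Microsoft Graph.
# Assumptions: Microsoft.Graph module, beta endpoint, placeholder group id.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

# Custom Windows 10 profile with the single integer OMA-URI setting from the post
$policy = @{
    "@odata.type" = "#microsoft.graph.windows10CustomConfiguration"
    displayName   = "Enable Security Keys for Windows Sign-In"
    description   = "Turns on the FIDO2 security key credential provider at Windows sign-in"
    omaSettings   = @(
        @{
            "@odata.type" = "#microsoft.graph.omaSettingInteger"
            displayName   = "UseSecurityKeyForSignin"
            omaUri        = "./Device/Vendor/MSFT/PassportForWork/SecurityKey/UseSecurityKeyForSignin"
            value         = 1
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations" `
    -Body ($policy | ConvertTo-Json -Depth 5) `
    -ContentType "application/json"

# Assign to a pilot group first (step 4 of the post); placeholder id, replace it
$pilotGroupId = "00000000-0000-0000-0000-000000000000"
$assignment = @{
    assignments = @(
        @{
            target = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId       = $pilotGroupId
            }
        }
    )
}

Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5) `
    -ContentType "application/json"

# Read the profile back to confirm the setting landed as an integer with value 1
Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$($created.id)"
```

Keeping the assignment scoped to a pilot group matches the rollout advice in the post: a profile that only changes the credential providers offered at sign-in is low risk, but you still want a small group to confirm the key is registered before the option appears for everyone.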

Enable Passwordless Authentication through Azure AD
1. Navigate to the Azure portal
2. Go to [Azure Active Directory] > [Authentication methods] > [Authentication method policy (Preview)]
3. You may see the following message:

4. Follow the link to enable the enhanced registration preview if you haven't already configured it. This is required for the passwordless experience.
5. Return to the [Authentication method policy (Preview)] page.
6. See the screenshot below and enable the policy by selecting [YES].

7. You can choose to deploy it for all users or only a few (pilot) users.
At the time of writing, the key restrictions setting does not work yet. Leave it at its default.
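The FIDO2 authentication method policy can also be enabled and scoped to a pilot group through Microsoft Graph. This is an added example and not part of the original post; it assumes the Microsoft.Graph PowerShell module, a Graph endpoint that exposes the authentication methods policy (the v1.0 path is used here), and a placeholder group id that you replace. In line with the post, the example does not touch the key restrictions and only sets the state and the target group.

```powershell
# Added example: enable the FIDO2 security key method for a pilot group only.
# Assumptions: Microsoft.Graph module, v1.0 authenticationMethodsPolicy endpoint,
# placeholder group id. Key restrictions are deliberately left at their default.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"

$pilotGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder, replace

$fido2Config = @{
    "@odata.type"  = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    state          = "enabled"
    includeTargets = @(
        @{
            targetType             = "group"
            id                     = $pilotGroupId
            isRegistrationRequired = $false
        }
    )
}

Invoke-MgGraphRequest -Method PATCH `
    -Uri "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2" `
    -Body ($fido2Config | ConvertTo-Json -Depth 5) `
    -ContentType "application/json"

# Check: read the configuration back and confirm it is enabled and scoped as expected
$current = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2"

"FIDO2 state: $($current.state)"
$current.includeTargets | ForEach-Object { "Target $($_.targetType) $($_.id)" }
```

Reading the configuration back after the PATCH is the equivalent of re-opening the policy blade to verify the [YES] toggle stuck; if the state comes back as anything other than "enabled", the users in the pilot group will not be offered the security key during registration.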

End User registration experience
Users need to register the FIDO2 security key themselves before they can use it.

I used Microsoft Edge to register my Security Key. Chrome couldn’t find the key.

  1. Sign in to https://aka.ms/mysecurityinfo
  2. Choose [Add Method] and click [Security Key]
  3. Choose your security key type (USB or NFC)
  4. You will be redirected and see the following screen. Insert your security key if you haven't already.
  5. Create a PIN and specify a name for your token.
  6. Select [Done]

End user Sign-in experience
When the user has completed enrollment of the security key, they can use it at the Windows 10 sign-in screen.

Under Sign-in options, the user can click the security key credential provider (the USB key logo).

Thank you for reading, and happy testing!
Let's move on to a world without passwords.
