Fido 2 Multifactor Authentication on Windows 10 Pro and Office 365

2022-04-14T05:38:24.683+00:00

Dear Ladies and Gentlemen,

I have tested a lot of things and can't get rid of the issue.

In the first phase our user accounts weren't synchronized with the Azure AD. (Now they are, thanks to Microsoft.)

In the second phase our servers didn't have the right infrastructure, so we changed all devices to Server 2022 and to domain level Server 2016 because it's a requirement.

In the Azure AD I have also joined computers, but I cannot find any Group Policy on my server like the one described here:

https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.CredentialProviders::AllowSecurityKeySignIn&Language=de-de. So it's actually not possible to allow the devices to log in with a security stick.

What I want to do: I want to have SSO for Windows clients via FIDO2 authentication.
The same login must be used with Office.

Can somebody help me?


3 answers

  1. Limitless Technology 39,336 Reputation points
    2022-04-20T19:49:33.54+00:00

    Hi @Roman Dzichel, MP-Datentechnik GmbH

    As you have stated that you cannot see the required registry key, I would suggest you contact your vendor to further troubleshoot. I would also suggest you have a look at "Unsupported scenarios" in this thread.

    Enable passwordless security key sign-in to Windows 10 devices with Azure Active Directory https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key-windows

    Troubleshooting for hybrid deployments of FIDO2 security keys in Azure AD https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-troubleshoot

    To set up multifactor authentication for the Office products, you can follow this thread: https://learn.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide

    Hope this resolves your query!

    --------------

    --If the reply is helpful, please Upvote and Accept it as an answer–


  2. Siva-kumar-selvaraj 15,546 Reputation points
    2022-04-25T09:33:58.583+00:00

    Hello @Roman Dzichel, MP-Datentechnik GmbH ,

    Thanks for reaching out and apologies for the delayed response.

    Please find below guidance for password-less FIDO2 security key sign-in to Windows 10 HAADJ devices. For hybrid Azure AD joined devices, organizations either use Intune policy or configure the following Group Policy setting to enable FIDO security key sign-in. The setting can be found under Computer Configuration > Administrative Templates > System > Logon > **Turn on security key sign-in**, which sets the registry value **HKLM\Software\Policies\Microsoft\FIDO – EnableFIDODeviceLogon (DWORD): 1**. This Group Policy setting requires an updated version of the CredentialProviders.admx Group Policy template. For more information, refer to the articles below.

    Additionally, if you are using Intune policy to enable key sign-in to Windows devices, then you may need to use the key UseSecurityKeyForSignin instead, as both registry keys (UseSecurityKeyForSignin & EnableFIDODeviceLogon) functionally do the same thing to turn on the cred prov, but if the Intune policy/regkey (UseSecurityKeyForSignin) is set to enabled it will take precedence even if the Group Policy regkey (EnableFIDODeviceLogon) is set to disabled. Reference: https://github.com/MicrosoftDocs/azure-docs/issues/56127

    How-to: Password-less FIDO2 Security Key Sign-in to Windows 10 HAADJ Devices
    Enable passwordless security key sign-in to Windows 10 devices with Azure Active Directory

    Hope this helps.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

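As an added example (not code from the thread or from Microsoft), a read-only PowerShell check that applies the precedence rule described in the answer above and confirms the local CredentialProviders.admx exposes the security key sign-in policy. The Group Policy path is the one quoted in the answer; the registry path of UseSecurityKeyForSignin (PassportForWork\SecurityKey) and the %WINDIR%\PolicyDefinitions template location are assumptions.

```powershell
# Reports the effective FIDO2 security-key sign-in policy state on a Windows client.
# Precedence (from the answer): an explicitly set Intune/MDM value wins over Group Policy.
# Nothing is written; all reads are -ErrorAction SilentlyContinue so absent keys are handled.

$gpoPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FIDO'          # path quoted in the answer
$gpoName = 'EnableFIDODeviceLogon'
$mdmPath = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork\SecurityKey'  # assumed MDM path
$mdmName = 'UseSecurityKeyForSignin'

function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    # Returns the DWORD as [int], or $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-SecurityKeySignInState {
    $gpo = Get-PolicyDword -Path $gpoPath -Name $gpoName
    $mdm = Get-PolicyDword -Path $mdmPath -Name $mdmName
    if ($null -ne $mdm) {
        # MDM value present: it decides, even if the GPO value says disabled (0)
        $effective = ($mdm -eq 1); $source = 'Intune/MDM'
    } elseif ($null -ne $gpo) {
        $effective = ($gpo -eq 1); $source = 'Group Policy'
    } else {
        $effective = $false; $source = 'not configured'
    }
    [pscustomobject]@{
        GroupPolicyValue = $gpo
        MdmValue         = $mdm
        EffectiveEnabled = $effective
        DecidedBy        = $source
    }
}

function Test-CredentialProvidersAdmx {
    # The answer notes the policy needs an updated CredentialProviders.admx; an old
    # template simply does not contain the policy, which matches the questioner's symptom.
    # Assumed location: local store. A domain central store lives in SYSVOL instead.
    $admx = Join-Path $env:WINDIR 'PolicyDefinitions\CredentialProviders.admx'
    if (-not (Test-Path $admx)) { return 'CredentialProviders.admx not found' }
    $pattern = 'AllowSecurityKeySignIn|EnableFIDODeviceLogon'
    if (Select-String -Path $admx -Pattern $pattern -Quiet) { return 'ADMX exposes security key sign-in' }
    return 'ADMX outdated: security key sign-in policy missing'
}

Get-SecurityKeySignInState | Format-List
Test-CredentialProvidersAdmx
```

Run it in an elevated PowerShell on the affected client; DecidedBy shows which of the two registry values is actually in force.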

  3. 2022-10-12T08:58:24.547+00:00

    Dear Ladies and Gentlemen,

    I refer to the link below, which is from Microsoft:
    https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key-windows

    What I've done until now:

    There were a lot of settings that had to be configured first. But I've done it.

    • Premium licence for Office 365
    • Intune registration for computer devices
    • Intune configuration for passwordless sign-in
    • Configuration of multifactor authentication on a test user
    • Updating and configuring policies on premises for multifactor authentication
    • And many more.

    So it seems that everything should work, but I don't get the possibility to log in with a smart card.
    When I try to log in to the computer it is always asking for username and password.

    In the documentation at the bottom you can see that the device has the possibility to log in with a smart card.
    The policy has been applied correctly, in Intune everything seems to work, and I have configured the MFA for the user.
    The device is managed by the organisation, sync is successful and in Intune everything is green!

    [Screenshots attached: Microsoft user MFA settings, Intune managed device, MDM diagnostics, Microsoft Endpoint Manager admin center, passwordless security key sign-in policy]

    As you can see everything is working, but as I wrote before I don't get the option to log in with a smart card or other devices.

    Do you have any idea what is missing?
