Edit

Share via


Policy CSP - Authentication

AllowAadPasswordReset

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Device/Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset

Specifies whether password reset is enabled for Microsoft Entra accounts.

This policy allows the Microsoft Entra tenant administrator to enable the self-service password reset feature on the Windows sign-in screen.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Not allowed.
1 Allowed.

AllowEAPCertSSO

Scope Editions Applicable OS
❌ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1507 [10.0.10240] and later
./User/Vendor/MSFT/Policy/Config/Authentication/AllowEAPCertSSO

Allows an EAP cert-based authentication for a single sign-on (SSO) to access internal resources.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Not allowed.
1 Allowed.

AllowFastReconnect

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Authentication/AllowFastReconnect

Allows EAP Fast Reconnect from being attempted for EAP Method TLS. Most restricted value is 0.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 1

Allowed values:

Value Description
0 Not allowed.
1 (Default) Allowed.

AllowSecondaryAuthenticationDevice

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Authentication/AllowSecondaryAuthenticationDevice

This policy allows users to use a companion device, such as a phone, fitness band, or IoT device, to sign-on to a desktop computer running Windows 10. The companion device provides a second factor of authentication with Windows Hello.

  • If you enable or don't configure this policy setting, users can authenticate to Windows Hello using a companion device.

  • If you disable this policy, users can't use a companion device to authenticate with Windows Hello.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Not allowed.
1 Allowed.

Group policy mapping:

Name Value
Name MSSecondaryAuthFactor_AllowSecondaryAuthenticationDevice
Friendly Name Allow companion device for secondary authentication
Location Computer Configuration
Path Windows Components > Microsoft Secondary Authentication Factor
Registry Key Name SOFTWARE\Policies\Microsoft\SecondaryAuthenticationFactor
Registry Value Name AllowSecondaryAuthenticationDevice
ADMX File Name DeviceCredential.admx

ConfigureWebcamAccessDomainNames

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/Authentication/ConfigureWebcamAccessDomainNames

Specifies a list of domains that are allowed to access the webcam in Web Sign-in based authentication scenarios.

Note

Web sign-in is only supported on Microsoft Entra joined PCs.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Example:

Your organization federates to "Contoso IDP" and your web sign-in portal at signinportal.contoso.com requires webcam access. Then the value for this policy should be:

contoso.com

ConfigureWebSignInAllowedUrls

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1803 with KB5001339 [10.0.17134.2145] and later
./Device/Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls

Specifies a list of URLs that are navigable in Web Sign-in based authentication scenarios.

This policy specifies the list of domains that users can access in certain authentication scenarios. For example:

  • Microsoft Entra ID PIN reset
  • Web sign-in Windows device scenarios where authentication is handled by Active Directory Federation Services (AD FS) or a third-party federated identity provider

Note

This policy is required in federated environments as a mitigation to the vulnerability described in CVE-2021-27092.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Example:

Your organization's PIN reset or web sign-in authentication flow is expected to navigate to the following two domains: accounts.contoso.com and signin.contoso.com. Then the value for this policy should be:

accounts.contoso.com;signin.contoso.com

EnableFastFirstSignIn

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1809 [10.0.17763] and later
./Device/Vendor/MSFT/Policy/Config/Authentication/EnableFastFirstSignIn

Specifies whether new non-admin Microsoft Entra accounts should auto-connect to pre-created candidate local accounts.

This policy is intended for use on Shared PCs to enable a quick first sign-in experience for a user. It works by automatically connecting new non-admin Microsoft Entra accounts to the pre-configured candidate local accounts.

Important

Pre-configured candidate local accounts are any local accounts that are pre-configured or added on the device.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) The feature defaults to the existing SKU and device capabilities.
1 Enabled. Auto-connect new non-admin Microsoft Entra accounts to pre-configured candidate local accounts.
2 Disabled. Don't auto-connect new non-admin Microsoft Entra accounts to pre-configured local accounts.

EnablePasswordlessExperience

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 23H2 with KB5031455 [10.0.22631.2506] and later
./Device/Vendor/MSFT/Policy/Config/Authentication/EnablePasswordlessExperience

Specifies whether connected users on Microsoft Entra joined devices receive a Passwordless experience on Windows.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) The feature defaults to the existing edition and device capabilities.
1 Enabled. The Passwordless experience will be enabled on Windows.
2 Disabled. The Passwordless experience won't be enabled on Windows.

EnableWebSignIn

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1809 [10.0.17763] and later
./Device/Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn

Specifies whether web-based sign-in is allowed for signing in to Windows.

Web sign-in is a credential provider that enables a web-based sign-in experience on Windows devices. Initially introduced in Windows 10 with support for Temporary Access Pass (TAP) only, Web sign-in expanded its capabilities starting in Windows 11, version 22H2 with KB5030310. For more information, see Web sign-in for Windows.

Note

Web sign-in is only supported on Microsoft Entra joined PCs.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) The feature defaults to the existing SKU and device capabilities.
1 Enabled. Web Sign-in will be enabled for signing in to Windows.
2 Disabled. Web Sign-in won't be enabled for signing in to Windows.

PreferredAadTenantDomainName

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1809 [10.0.17763] and later
./Device/Vendor/MSFT/Policy/Config/Authentication/PreferredAadTenantDomainName

Specifies the preferred domain among available domains in the Microsoft Entra tenant.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Example:

Your organization uses the @contoso.com tenant domain name. Then the value for this policy should be:

contoso.com

For the user abby@constoso.com, a sign-in is done using abby in the username field instead of abby@contoso.com.

Policy configuration service provider