Hybrid key trust deployment

This document describes Windows Hello for Business functionalities or scenarios that apply to:

Hybrid environments are distributed systems that enable organizations to use on-premises and Azure AD-protected resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication and single sign-on to modern resources.

This deployment guide describes how to deploy Windows Hello for Business in a hybrid key trust scenario.


Windows Hello for Business cloud Kerberos trust is the recommended deployment model when compared to the key trust model. For more information, see cloud Kerberos trust deployment.

It is recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions.


The following prerequisites must be met for a hybrid key trust deployment:

  • Directories and directory synchronization
  • Authentication to Azure AD
  • Device registration
  • Public Key Infrastructure
  • Multi-factor authentication
  • Device management

Directories and directory synchronization

Hybrid Windows Hello for Business needs two directories:

  • An on-premises Active Directory
  • An Azure Active Directory tenant

The two directories must be synchronized with Azure AD Connect Sync, which synchronizes user accounts from the on-premises Active Directory to Azure AD.
During the Window Hello for Business provisioning process, users register the public portion of their Windows Hello for Business credential with Azure AD. Azure AD Connect Sync synchronizes the Windows Hello for Business public key to Active Directory.


Windows Hello for Business hybrid key trust is not supported if the users' on-premises UPN suffix cannot be added as a verified domain in Azure AD.

Authentication to Azure AD

Authentication to Azure AD can be configured with or without federation:

Device registration

The Windows devices must be registered in Azure AD. Devices can be registered in Azure AD using either Azure AD join or hybrid Azure AD join.
For hybrid Azure AD joined devices, review the guidance on the Plan your hybrid Azure Active Directory join implementation page.

Public Key Infrastructure

An enterprise PKI is required as trust anchor for authentication. Domain controllers require a certificate for Windows clients to trust them.

Multi-factor authentication

The Windows Hello for Business provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but requires a second factor of authentication.
Hybrid deployments can use:

  • Azure AD Multi-Factor Authentication
  • A multi-factor authentication provided by AD FS, which includes an adapter model that enables third parties to integrate their MFA into AD FS

For more information how to configure Azure AD Multi-Factor Authentication, see Configure Azure AD Multi-Factor Authentication settings.
For more information how to configure AD FS to provide multi-factor authentication, see Configure Azure MFA as authentication provider with AD FS.

Device management

To configure Windows Hello for Business, devices can be configured through a mobile device management (MDM) solution like Intune, or via group policy.

Next steps

Once the prerequisites are met, deploying Windows Hello for Business with a hybrid key trust model consists of the following steps:

  • Configure and validate the PKI
  • Configure Windows Hello for Business settings
  • Provision Windows Hello for Business on Windows clients
  • Configure single sign-on (SSO) for Azure AD joined devices