Do I need Azure Premium for cloud hybrid trust / key hybrid trust or not?

Question

Hello, we'd like to setup Windows Hello for Business to get MFA for Windows logon. We have fully on premise environment and can't really afford Azure Premium subsriptions for all our users. My question is: on MS sites, it is said you need Azure Premium for certificate trust. What about kerberos cloud hybrid trust and key hybrid trust. Can we go without subscriptions? I have already tried to set it up, successfully setup pin, but constantly getting errors when try to login with the pin:

• 0xc000005e PIN code is not available and this function is not supported in your organization
• this option is not available at the moment etc. Is that because we are missing subscriptions?

Answer 1

Thank you for asking this question on the Microsoft Q&A Platform.

I understand that you must implement Windows Hello for Business without any License, correct? Your investigation is correct, without any Azure AD license you only can implement cloud Kerberos trust Group Policy Key trust
Group Policy or Modern managed according to the following table

Source: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-identity-verification#hybrid-deployments Hope this helps!

Accept Answer and Upvote, if any of the above helped, this thread can help others in the community looking for remediation for similar issues.

NOTE: To answer you as quickly as possible, please mention me in your reply.