Cloud Kerberos trust deployment

testuser7 276 Reputation points
2025-01-24T12:25:38.55+00:00

Team,

I have a specific question and am expecting an answer in the same BINARY FORMAT if anybody has practically tried and tested it.

On a pure Entra-joined Windows device, do I need to deploy the "Cloud Kerberos Trust policy" from Intune so that a Hybrid-User can authenticate with a Windows Hello for Business credential and get a Partial-TGT from Entra ID??

Just to help you help me, the following are the implicit points.

  • It is WHfB authentication and NOT FIDO2 authentication
  • We are talking about WHfB authentication; provisioning of WHfB is already done beforehand.
  • A Microsoft Entra Kerberos server object is already created in the on-premises Active Directory instance and then securely published to Microsoft Entra ID.
  • On-prem AD is already in line of sight to get the partial TGT

Thanks


2 answers

  1. Sanoop M 760 Reputation points Microsoft Vendor
    2025-01-28T23:32:54.3133333+00:00

    Hello @testuser7,

    Thank you for posting your query on Microsoft Q&A.

    For a pure Microsoft Entra-joined Windows device, to enable Hybrid-User authentication with Windows Hello for Business credentials and obtain a Partial-TGT from Entra ID, you need to deploy the "Cloud Kerberos Trust policy" from Intune.

    The Cloud Kerberos trust model simplifies the deployment process by allowing users to authenticate directly with Microsoft Entra ID, which then issues a Partial TGT. This model eliminates the need for PKI requirements and Azure AD Connect synchronization for writing back public keys to Active Directory.

    There are different ways to enable and configure Windows Hello for Business in Intune:

    • Using a policy applied at the tenant level. The tenant policy:
      • Is only applied at enrollment time, and any changes to its configuration don't apply to devices already enrolled in Intune
      • Applies to all devices getting enrolled in Intune. For this reason, the policy is usually disabled and Windows Hello for Business is enabled using a policy targeted to a security group
    • A device configuration policy that is applied after device enrollment. Any changes to the policy are applied to the devices during regular policy refresh intervals. There are different policy types to choose from:

    For more detailed information, please refer to the below attached documents.

    https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust?tabs=intune

    https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/configure#configure-windows-hello-for-business-using-microsoft-intune

    https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/how-it-works-authentication#microsoft-entra-join-authentication-to-active-directory-using-cloud-kerberos-trust

    I hope the information provided above is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Thanks and Regards,

    Sanoop Mohan


  2. Sanoop M 760 Reputation points Microsoft Vendor
    2025-02-05T19:58:45.0633333+00:00

    Hello @testuser7,

    Thank you for your response.

    Please note, firstly, that it is not necessary to deploy the "Cloud Kerberos Trust policy" from Intune if you have already created a tenant-wide policy that configures the use of Windows Hello for Business on Windows 10 or Windows 11 devices at the time those devices enroll with Intune. This policy targets your entire organization and supports the Windows Autopilot out-of-box experience (OOBE).

    Please note that without deploying the "Cloud Kerberos Trust policy" from Intune, Hybrid users can get the Partial-TGT from Microsoft Entra ID.

    For Hybrid Users (users that exist in both Azure AD and on-prem AD), the Partial TGT (Kerberos ticket) would typically be requested from Entra ID when they authenticate using their Windows Hello for Business credentials.

    Please refer to the screenshot below, which explains the authentication flow of Microsoft Entra join authentication to Active Directory using Cloud Kerberos trust.

    [Screenshot: Microsoft Entra join authentication to Active Directory using Cloud Kerberos trust]

    Cloud Kerberos trust uses Microsoft Entra Kerberos, which doesn't require a PKI to request TGTs. With Microsoft Entra Kerberos, Microsoft Entra ID can issue TGTs for one or more AD domains. Windows can request a TGT from Microsoft Entra ID when authenticating with Windows Hello for Business, and use the returned TGT for sign-in or to access AD-based resources. The on-premises domain controllers are still responsible for Kerberos service tickets and authorization.

    I hope the information provided above is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Thanks and Regards,

    Sanoop Mohan
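The two answers disagree on whether the Intune policy is required, so the practical way to settle it on a given device is to check both the policy state and the ticket state after a hybrid user signs in with Windows Hello for Business. The PowerShell below is an added example, not code from the thread or from Microsoft; it assumes the GPO registry location for "Use cloud trust for on-premises authentication", a per-tenant subkey layout for the Intune PassportForWork CSP, and the `klist cloud_debug` / `dsregcmd /status` output strings as they appear on current Windows 11 builds.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the
# Entra-joined device, in the session of the hybrid user who signed in with WHfB.

function Get-CloudKerberosTrustPolicy {
    # Group Policy location for "Use cloud trust for on-premises authentication"
    $gpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
    $gpoValue = (Get-ItemProperty -Path $gpoKey -Name UseCloudTrustForOnPremAuth `
                 -ErrorAction SilentlyContinue).UseCloudTrustForOnPremAuth

    # Intune PassportForWork CSP: one subkey per tenant ID under this root (assumed layout)
    $cspRoot = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork'
    $cspValues = Get-ChildItem -Path $cspRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $policies = Join-Path $_.PSPath 'Policies'
        (Get-ItemProperty -Path $policies -Name UseCloudTrustForOnPremAuth `
            -ErrorAction SilentlyContinue).UseCloudTrustForOnPremAuth
    }

    [pscustomobject]@{
        GpoUseCloudTrust  = $gpoValue          # 1 = enabled, $null = not configured
        IntuneUseCloudTrust = @($cspValues)    # one entry per tenant subkey found
    }
}

function Get-CloudTgtState {
    # klist cloud_debug reports whether a cloud (partial) TGT came back with the PRT;
    # dsregcmd /status shows the same in its "SSO State" section as CloudTgt / OnPremTgt.
    $klist = (klist cloud_debug 2>&1) | Out-String
    $dsreg = (dsregcmd /status 2>&1) | Out-String

    [pscustomobject]@{
        CloudTgtAvailable = $klist -match 'Cloud Primary \(Hybrid logon\) TGT available:\s*1'
        DsregCloudTgt     = [regex]::Match($dsreg, 'CloudTgt\s*:\s*(\w+)').Groups[1].Value
        DsregOnPremTgt    = [regex]::Match($dsreg, 'OnPremTgt\s*:\s*(\w+)').Groups[1].Value
        # Entra Kerberos realm name expected in the cached krbtgt ticket (assumed value)
        HasEntraKerberosTicket = ((klist 2>&1) | Out-String) -match 'KERBEROS\.MICROSOFTONLINE\.COM'
    }
}

$policy = Get-CloudKerberosTrustPolicy
$state  = Get-CloudTgtState
$policy | Format-List
$state  | Format-List

# Interpretation: if no policy value is set anywhere but CloudTgtAvailable is $true,
# the partial TGT was issued without the Intune policy; if the policy is set and
# CloudTgtAvailable is $false, check the Entra Kerberos object and DC line of sight.
```

Run it once before and once after assigning the Intune policy to the device's group; comparing the two outputs gives the binary answer the question asks for on your own tenant rather than relying on either reading of the documentation.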

