How to authenticate on Windows Server to Microsoft Entra Connect Sync with FIDO2?

Dariusz Berkenbrink 0 Reputation points
2025-05-13T14:00:13.44+00:00

Hello everyone,

As Microsoft encourages everybody to use FIDO2 sticks for logging in with admin accounts, we set all our admin accounts to enforce FIDO2. So far so good.

Now we do want to change the Entra Account used for syncing our AD via Microsoft Entra Connect, which right now is impossible due to the fact that IE is used in the background to authenticate against Entra.

What are our possibilities to ensure a smooth setup for Entra Connect with FIDO2 protected Admin-Accounts? Issuing temporary access-passes does not work, as it just throws an error which is not really helping.

Kind regards,

Dariusz

Microsoft Security Microsoft Entra Microsoft Entra ID

1 answer

  1. Sanoop M 4,145 Reputation points Microsoft External Staff Moderator
    2025-05-14T03:58:55.5+00:00

    Hello @Dariusz Berkenbrink,

    I understand that you have already set up FIDO2 security keys for all your admin accounts to enforce the FIDO2 MFA method.

    Please make sure you have followed all the steps mentioned in the documents below to enable and register FIDO2 security keys.

    Enable passkeys for your organization - Microsoft Entra ID | Microsoft Learn

    Register a passkey - Microsoft Entra ID | Microsoft Learn

    Below are the possibilities you can implement to ensure a smooth setup of Microsoft Entra Connect.

    1. Use a Temporary, Non-FIDO2-Enforced Admin Account

    Please consider using a dedicated admin account in Entra ID with password + MFA enabled (not FIDO2 enforced).

    Assign only the minimal required permissions (typically Hybrid Identity Administrator or Global Administrator temporarily).

    Please use this account only for configuring and running Microsoft Entra Connect.

    After the Microsoft Entra Connect setup is completed, you can disable or delete the account if it is no longer needed; otherwise, once configuration is completed, you can enforce FIDO2 authentication again for that admin account.

    2. Disable FIDO2 Enforcement Temporarily for the Admin Account That Is Setting Up Microsoft Entra Connect

    Temporarily disable FIDO2 enforcement for one of your existing admin accounts. Please use that admin account to log into Microsoft Entra Connect during setup. Then after completing the Microsoft Entra Connect setup, you can re-enable FIDO2 enforcement for that admin account.

    3. Use SSO to Sign In to On-Premises Resources by Using FIDO2 Keys

    Microsoft Entra ID can issue Kerberos ticket-granting tickets (TGTs) for one or more of your Active Directory domains. With this functionality, users can sign in to Windows with modern credentials, such as FIDO2 security keys, and then access traditional Active Directory-based resources. Kerberos Service Tickets and authorization continue to be controlled by your on-premises Active Directory domain controllers (DCs).

    A Microsoft Entra Kerberos server object is created in your on-premises Active Directory instance and then securely published to Microsoft Entra ID by using Microsoft Entra Connect. The object isn't associated with any physical servers. It's simply a resource that can be used by Microsoft Entra ID to generate Kerberos TGTs for your Active Directory domain.

    Prerequisites

    Before you begin the procedures in this article, your organization must complete the instructions in Enable passkeys (FIDO2) for your organization.

    You must also meet the following system requirements:

    • Devices must be running Windows 10 version 2004 or later.
    • Your Windows Server domain controllers must run Windows Server 2016 or later and have patches installed for the following servers:
    • AES256_HMAC_SHA1 must be enabled when Network security: Configure encryption types allowed for Kerberos policy is configured on domain controllers.
    • Have the credentials required to complete the steps in the scenario:
      • An Active Directory user who is a member of the Domain Admins group for a domain and a member of the Enterprise Admins group for a forest. Referred to as $domainCred.
      • A Microsoft Entra user with the Hybrid Identity Administrators role. Referred to as $cloudCred.
    • Users must have the following Microsoft Entra attributes populated through Microsoft Entra Connect:
      • onPremisesSamAccountName (accountName in Microsoft Entra Connect)
      • onPremisesDomainName (domainFQDN in Microsoft Entra Connect)
      • onPremisesSecurityIdentifier (objectSID in Microsoft Entra Connect)
      Microsoft Entra Connect synchronizes these attributes by default. If you change which attributes to synchronize, make sure you select accountName, domainFQDN, and objectSID for synchronization.

    Please refer to the document below for the complete guide to enabling passwordless security key sign-in to on-premises resources by using Microsoft Entra ID.

    Passwordless security key sign-in to on-premises resources - Microsoft Entra ID | Microsoft Learn

    I hope the above information provided is helpful. Please let me know if you have any questions.
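
The prerequisites listed in option 3 above are all things an admin can verify before touching Entra Connect. The following PowerShell script is an added example (not part of the question, the answer, or Microsoft's own documentation) that checks each of them: the client build, the domain controller OS version, the AES256_HMAC_SHA1 bit of the Kerberos encryption-types policy, the three synced user attributes via Microsoft Graph, and whether the Microsoft Entra Kerberos server object has been published. It assumes an elevated session on a domain-joined machine with the ActiveDirectory (RSAT), Microsoft.Graph.Users and AzureADHybridAuthenticationManagement modules installed; `$SampleUserUpn` and `$CloudAdminUpn` are placeholders you replace with your own values. The registry value `SupportedEncryptionTypes` and the bit value 0x10 for AES256 are what the "Configure encryption types allowed for Kerberos" policy writes; the `-UserPrincipalName` form of `Get-AzureADKerberosServer` is used because it prompts interactively (so a FIDO2-enforced cloud admin can sign in) instead of taking a password credential.

```powershell
# Added example: prerequisite checks for FIDO2 sign-in to on-premises resources
# through the Microsoft Entra Kerberos server object. Not the page's or Microsoft's code.
param(
    [string]$DomainName    = (Get-ADDomain).DNSRoot,   # domain whose Kerberos server object to check
    [string]$SampleUserUpn = 'user@example.com',       # placeholder: one synced user to verify attributes
    [string]$CloudAdminUpn = 'hybridadmin@example.com' # placeholder: Hybrid Identity Administrator (FIDO2 ok)
)

$results = [System.Collections.Generic.List[object]]::new()
function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# 1. Client OS: Windows 10 version 2004 corresponds to build 19041.
$build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
Add-Result 'Client build >= 19041 (Windows 10 2004)' ($build -ge 19041) "CurrentBuild=$build"

# 2. Domain controllers: Windows Server 2016 is build 14393; OperatingSystemVersion reads like "10.0 (14393)".
Import-Module ActiveDirectory -ErrorAction Stop
$dcs = Get-ADDomainController -Filter * -Server $DomainName
foreach ($dc in $dcs) {
    $dcBuild = 0
    if ($dc.OperatingSystemVersion -match '\((\d+)\)') { $dcBuild = [int]$Matches[1] }
    Add-Result "DC $($dc.HostName) is Server 2016 or later" ($dcBuild -ge 14393) "$($dc.OperatingSystem) $($dc.OperatingSystemVersion)"

    # 3. Kerberos encryption types policy. The answer requires AES256_HMAC_SHA1 only *when the policy
    #    is configured*, so an absent value passes (the default set already includes AES256).
    $regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    $encTypes = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        param($p)
        (Get-ItemProperty -Path $p -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
    } -ArgumentList $regPath
    $AES256_HMAC_SHA1 = 0x10   # bit value written by the policy for AES256_HMAC_SHA1
    if ($null -eq $encTypes) {
        Add-Result "DC $($dc.HostName) Kerberos enc types allow AES256" $true 'policy not configured (default)'
    } else {
        Add-Result "DC $($dc.HostName) Kerberos enc types allow AES256" (($encTypes -band $AES256_HMAC_SHA1) -ne 0) ('SupportedEncryptionTypes=0x{0:X}' -f $encTypes)
    }
}

# 4. Synced attributes: onPremisesSamAccountName, onPremisesDomainName, onPremisesSecurityIdentifier.
try {
    Import-Module Microsoft.Graph.Users -ErrorAction Stop
    Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome
    $u = Get-MgUser -UserId $SampleUserUpn -Property @(
        'userPrincipalName', 'onPremisesSamAccountName', 'onPremisesDomainName', 'onPremisesSecurityIdentifier')
    foreach ($attr in 'OnPremisesSamAccountName', 'OnPremisesDomainName', 'OnPremisesSecurityIdentifier') {
        $value = $u.$attr
        Add-Result "$SampleUserUpn has $attr" (-not [string]::IsNullOrEmpty($value)) "$value"
    }
} catch {
    Add-Result 'Graph attribute check' $false $_.Exception.Message
}

# 5. Entra Kerberos server object published to Entra ID. -UserPrincipalName prompts interactively
#    (works with a FIDO2-enforced cloud admin); $domainCred is the on-premises Domain/Enterprise Admin.
try {
    Import-Module AzureADHybridAuthenticationManagement -ErrorAction Stop
    $domainCred = Get-Credential -Message 'On-premises Domain Admin / Enterprise Admin ($domainCred)'
    $kerb = Get-AzureADKerberosServer -Domain $DomainName -UserPrincipalName $CloudAdminUpn -DomainCredential $domainCred
    $published = ($null -ne $kerb) -and (-not [string]::IsNullOrEmpty($kerb.CloudId))
    Add-Result "Entra Kerberos server object for $DomainName published" $published ("Id={0} CloudId={1}" -f $kerb.Id, $kerb.CloudId)
} catch {
    Add-Result 'Entra Kerberos server object check' $false $_.Exception.Message
}

$results | Format-Table -AutoSize
$results   # returned so the caller can filter on Pass -eq $false
```

Run it once per domain; any row with `Pass` equal to `$false` points at the prerequisite that still blocks FIDO2 SSO to on-premises resources. If the Kerberos server object check fails with an error rather than an empty result, the object has not been created yet, which is the `Set-AzureADKerberosServer` step in the linked Microsoft Learn guide.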
