Azure\Intune : logon into windows 10 with Yubikey MFA

malou8391 1 Reputation point
2021-10-13T17:12:34.11+00:00

I want to configure the YubiKey with MFA for Windows logon, for devices enrolled in Azure\Intune.

1- Do you have a procedure that describes the steps?
2- Can I configure the logon only with the YubiKey?
3- How can we add all the keys to the massively associated accounts?

Thanks in advance.


2 answers

  1. VipulSparsh-MSFT 16,231 Reputation points Microsoft Employee
    2021-10-14T04:49:20.567+00:00

    @malou8391 Thanks for reaching out.

    Windows 10 login with Azure AD or a Microsoft account is not currently supported with YubiKey as of now. The only second factor supported by Windows for AAD and MSA is Windows Hello for Business.

    You can, however, use a local account to be able to log in to Windows 10 using a YubiKey as the second auth.

    Here is the link which talks about best practices and supported scenarios:
    https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide

    -----------------------------------------------------------------------------------------------------------------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


  2. prasantc 796 Reputation points
    2021-12-20T16:56:03.78+00:00

    Looks like @VipulSparsh-MSFT jumped to a conclusion after seeing "Azure Active Directory (AAD) managed accounts". AAD managed accounts or service accounts are different than user/device accounts. I know it is possible as I am able to use a YubiKey with an AAD user account in a browser session. It is just a question of making it work on Windows Hello, which partially recognizes the device but fails after typing the long hash.

    But there are a bunch of articles about enabling YubiKey on Windows Hello. I have not seen an article that says it is not supported. The article on the YubiKey is talking about managed identity, which is for resource auth for consumption: https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview.

    I am surprised this came as a response from MS as not supported, pointing to a YubiKey article that is talking about a completely different subject.

    https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises

    Unsupported scenarios
    The following scenarios aren't supported:

    Windows Server Active Directory Domain Services (AD DS)-joined (on-premises only devices) deployment.
    Remote Desktop Protocol (RDP), virtual desktop infrastructure (VDI), and Citrix scenarios by using a security key.
    S/MIME by using a security key.
    Run as by using a security key.
    Log in to a server by using a security key.
