Windows Hello for Business Key Trust with ADFS

Asked by TheRusseller1-3951

I'm looking to implement Windows Hello for Business key trust (modern managed topology) with an ADFS server, to mitigate the AAD Connect sync-back to on-premises AD that maps the public key to the AD user attribute. Do you know what configurations in ADFS are required for this configuration?

Tag: adfs

Comment: Your question is more related to ADFS and AAD; I will remove the windows-server-infrastructure tag. Thank you!

1 Answer

Answered by piaudonn

Assuming that the users exist in Azure AD, ADFS would be required only if your Azure AD was federated with ADFS.

If your Azure AD domain is managed, then you don't need ADFS for Key Trust.

Comment from TheRusseller1-3951:

Hi Pudonn,

Thank you for your reply. I know that ADFS is not a requirement for the key trust model; however, you can use it if you wish. If you do, this would allow you to resolve the AD user public key mapping, which, without using ADFS, you would have to wait for the AAD Connect sync back to the on-premises AD to complete the mapping of this key, to allow the user, once they have provisioned their Windows Hello for Business, to authenticate immediately.

Please let me know your thoughts on this. I have seen the MS doc on this but can't seem to be able to find it again now :(

The general idea is to ensure that the users are able to authenticate with Hello for Business immediately after provisioning.

Do you have any further thoughts on this please?

The MS doc, https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs, states: "For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) 2012 R2 or later." So what are the configurations for the federated environment with ADFS?
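The delay the asker describes comes from the user's Windows Hello public key having to be written back into the on-premises user object (the msDS-KeyCredentialLink attribute) before a domain controller can accept a key trust sign-in. The following check, added here as an example and not from the thread or from Microsoft, lists which enabled users already have a key written back and which are still waiting; it assumes the RSAT ActiveDirectory module, read access to the user objects, and a placeholder OU distinguished name that you replace with your own.

```powershell
# Added example: report Windows Hello for Business key sync-back status per user.
# Requires the RSAT ActiveDirectory module (Get-ADUser).
Import-Module ActiveDirectory

function Get-WhfbKeyStatus {
    [CmdletBinding()]
    param(
        # Placeholder OU (assumption); point this at the OU holding your users.
        [string]$SearchBase = 'OU=Users,DC=example,DC=com',
        # Only list users whose key has not been written back yet.
        [switch]$MissingOnly
    )

    # msDS-KeyCredentialLink is multi-valued; it holds one entry per
    # registered device key once AAD Connect has written it back.
    $users = Get-ADUser -Filter 'Enabled -eq $true' `
                        -SearchBase $SearchBase `
                        -Properties 'msDS-KeyCredentialLink'

    foreach ($u in $users) {
        # Filter out $null so an absent attribute counts as zero keys,
        # not as a single empty value.
        $keys = @($u.'msDS-KeyCredentialLink' | Where-Object { $_ })

        if ($MissingOnly -and $keys.Count -gt 0) { continue }

        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            KeyCount       = $keys.Count
            Status         = if ($keys.Count -gt 0) { 'KeyPresent' } else { 'NoKeyYet' }
        }
    }
}

# Users still showing NoKeyYet after provisioning are the ones whose
# sign-in would fail until the next sync cycle completes.
Get-WhfbKeyStatus -MissingOnly | Format-Table -AutoSize
```

Run it once right after a user provisions Windows Hello and again after the next AAD Connect sync cycle to see the attribute populate; a user moving from NoKeyYet to KeyPresent is the mapping the thread is waiting on.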