question

RomanDzichelMPDatentechnikGmbH-0070 avatar image
0 Votes"
RomanDzichelMPDatentechnikGmbH-0070 asked RomanDzichelMPDatentechnikGmbH-0070 commented

Fido 2 Multifactor Authentication on Windows 10 Pro and Office 365

Dear Ladies and Gentlemans

I have testet a lot of things and can't get rid of the issue.

In the first phase our user accounts weren't synchronized with the azure Ad. (now they are, thanks to Microsoft)

In the second Phase our Servers didn't get the right infrastructure, so we changed all devices to Server 2022 and to Domainlevel Server 2016 because its a requirement.

In the Azure AD i have also joined computers but i cannot find any Grouppolicy on my Server like her described:

https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.CredentialProviders::AllowSecurityKeySignIn&Language=de-de. So its actually not possible to allow the devices to login with security stick.

What i want to do: I want to have an SSO for Windows Clients by an Fido2 authentication.
The Same Login must be used with Office.

Can somebody help me?

windows-serverazure-ad-connectazure-ad-domain-services
· 2
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

sikumars avatar image sikumars ·

Hi @RomanDzichelMPDatentechnikGmbH-0070,

Just checking in to see if either of below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

0 Votes 0 ·
RomanDzichelMPDatentechnikGmbH-0070 avatar image RomanDzichelMPDatentechnikGmbH-0070 sikumars ·

Hello Mr sikumars-msft

Thank you for your Help, i really appreciate it.

I'm Sorry the Process is made Step by Step so i didn't get further since 3 Weeks.
I will response to you, when i have made clear goals or when i have more questions.

Have a Nice Day and a nice Weekend.

Take care

0 Votes 0 ·

2 Answers

LimitlessTechnology-2700 avatar image
0 Votes"
LimitlessTechnology-2700 answered

Hi @RomanDzichelMPDatentechnikGmbH-0070

As you have stated that you cannot see the required registry key I would suggest you contact your vendor to further troubleshoot. I would also suggest you have a check at Unsupported scenarios from this thread.

Enable passwordless security key sign-in to Windows 10 devices with Azure Active Directory https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key-windows

Troubleshooting for hybrid deployments of FIDO2 security keys in Azure AD https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-troubleshoot

To Set up multifactor authentication for the Office products you can follow this thread https://docs.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide

Hope this resolves your Query!!

--If the reply is helpful, please Upvote and Accept it as an answer–

5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

sikumars avatar image
0 Votes"
sikumars answered

Hello @RomanDzichelMPDatentechnikGmbH-0070 ,

Thanks for reaching out and apologies for the delayed response.

Please find below guidance for Password-less FIDO2 Security Key Sign-in to Windows 10 HAADJ Devices. For hybrid Azure AD joined devices, organizations either use Intune policy or configure the following Group Policy setting to enable FIDO security key sign-in. The setting can be found under Computer Configuration > Administrative Templates > System > Logon > Turn on security key sign-in which sets the registry value: HKLM\Software\Policies\Microsoft\FIDO – EnableFIDODeviceLogon (DWORD): 1. This Group Policy setting requires an updated version of the CredentialProviders.admx Group Policy template. For more information, refer to the below articles.

Additionally, if you are using Intune policy to enable Key Sign-in to windows devices then you may need to use this key UseSecurityKeyForSignin intead , as these both registry keys (UseSecurityKeyForSignin & EnableFIDODeviceLogon ) functionally do the same thing to turn on the cred prov, but If the Intune policy/regkey is set to enabled (UseSecurityKeyForSignin) it will take precedence even if the group policy regkey (EnableFIDODeviceLogon) is set to disabled. Reference: https://github.com/MicrosoftDocs/azure-docs/issues/56127 .

How-to: Password-less FIDO2 Security Key Sign-in to Windows 10 HAADJ Devices
Enable passwordless security key sign-in to Windows 10 devices with Azure Active Directory

Hope this helps.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.