Configure Hybrid Windows Hello for Business: Directory Synchronization
- Windows 10, version 1703 or later
- Hybrid deployment
- Certificate trust
In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory.
The key-trust model needs Windows Server 2016 domain controllers, which configure the key registration permissions automatically; the certificate-trust model does not, so you must add the permissions manually.
If you already have a Windows Server 2016 domain controller in your domain, you can skip Configure Permissions for Key Synchronization.
Configure Permissions for Key Synchronization
Sign in to a domain controller or management workstation with Domain Admin equivalent credentials.
- Open Active Directory Users and Computers.
- Right-click your domain name from the navigation pane and click Properties.
- Click Security (if the Security tab is missing, turn on Advanced Features from the View menu).
- Click Advanced. Click Add. Click Select a principal.
- The Select User, Computer, Service Account, or Group dialog box appears. In the Enter the object name to select text box, type KeyCredential Admins. Click OK.
- In the Applies to list box, select Descendant User objects.
- Using the scroll bar, scroll to the bottom of the page and click Clear all.
- In the Properties section, select Read msDS-KeyCredentialLink and Write msDS-KeyCredentialLink.
- Click OK three times to complete the task.
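The GUI steps above grant one access control entry on the domain object: Read and Write on the msDS-KeyCredentialLink attribute, inherited by descendant user objects only. As an added example that is not part of the Microsoft article, the following PowerShell checks whether that entry is present for the chosen group (KeyCredential Admins or KeyAdmins) and can add it. It assumes the ActiveDirectory RSAT module and Domain Admin equivalent rights; the schema GUIDs are looked up rather than hard-coded.

```powershell
# Added example, not from the original article. Verifies (and optionally grants) the
# Read/Write msDS-KeyCredentialLink ACE on descendant user objects for a key-admin group.
Import-Module ActiveDirectory

function Get-SchemaGuid {
    param([string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}

function Test-KeyCredentialLinkAce {
    param([string]$GroupName = 'KeyCredential Admins')   # or 'KeyAdmins' on WS2016 DCs
    $domainDN = (Get-ADDomain).DistinguishedName
    $attrGuid = Get-SchemaGuid 'msDS-KeyCredentialLink'  # objectType of the ACE
    $userGuid = Get-SchemaGuid 'user'                     # inheritedObjectType: descendant users
    $sid      = (Get-ADGroup $GroupName).SID
    $acl      = Get-Acl -Path "AD:\$domainDN"
    # Only explicit Allow entries scoped exactly as the article's steps create them.
    $aces = $acl.Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid -and
        $_.ObjectType -eq $attrGuid -and $_.InheritedObjectType -eq $userGuid -and
        $_.AccessControlType -eq 'Allow'
    }
    $rights = ($aces | ForEach-Object { $_.ActiveDirectoryRights.ToString() }) -join ','
    [pscustomobject]@{ Group = $GroupName
                       CanRead  = [bool]($rights -match 'ReadProperty')
                       CanWrite = [bool]($rights -match 'WriteProperty') }
}

function Add-KeyCredentialLinkAce {
    param([string]$GroupName = 'KeyCredential Admins')
    $domainDN = (Get-ADDomain).DistinguishedName
    $sid = (Get-ADGroup $GroupName).SID
    $acl = Get-Acl -Path "AD:\$domainDN"
    # Same ACE the GUI produces: Read+Write property, Descendant User objects only.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-SchemaGuid 'msDS-KeyCredentialLink'),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        (Get-SchemaGuid 'user'))
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$domainDN" -AclObject $acl
}

Test-KeyCredentialLinkAce -GroupName 'KeyCredential Admins'
```

Because the write side of this ACE lets the group set key material on every user in the domain, the check is also a useful periodic audit: anything other than the expected group holding it warrants investigation.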
Group Memberships for the Azure AD Connect Service Account
The KeyAdmins or KeyCredential Admins global group provides the Azure AD Connect service with the permissions needed to read and write the public key to Active Directory.
Sign in to a domain controller or management workstation with Domain Admin equivalent credentials.
- Open Active Directory Users and Computers.
- Click the Users container in the navigation pane.
- If you already have a Windows Server 2016 domain controller in your domain, use the KeyAdmins group in the next step; otherwise use the KeyCredential Admins group you previously created.
- Right-click either KeyAdmins or KeyCredential Admins in the details pane and click Properties.
- Click the Members tab and click Add.
- In the Enter the object names to select text box, type the name of the Azure AD Connect service account. Click OK.
- Click OK to return to Active Directory Users and Computers.
- Configure Permissions for Key Synchronization
- Configure group membership for Azure AD Connect
Follow the Windows Hello for Business hybrid certificate trust deployment guide