Configure Hybrid Windows Hello for Business: Directory Synchronization
Applies to:
- Windows 10, version 1703 or later
- Hybrid deployment
- Key trust
In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure AD during provisioning. Azure AD Connect then synchronizes that public key back to on-premises Active Directory, where it is stored in the msDS-KeyCredentialLink attribute of the user object so that domain controllers can validate the key-trust sign-in.
Group Memberships for the Azure AD Connect Service Account
The Key Admins global group (created when the forest schema is extended to Windows Server 2016) provides the Azure AD Connect service account with the permissions needed to read and write the public key (msDS-KeyCredentialLink) on user objects in Active Directory. Treat this membership as a privileged assignment: anyone who can write msDS-KeyCredentialLink for a user can enroll a key that authenticates as that user, so keep the group's membership short and the Azure AD Connect service account protected like any other tier-0 account.
Sign in to a domain controller or management workstation with Domain Admin equivalent credentials.
- Open Active Directory Users and Computers.
- Click the Users container in the navigation pane.
- Right-click Key Admins in the details pane and click Properties.
- Click the Members tab and click Add.
- In the Enter the object names to select text box, type the name of the Azure AD Connect service account. Click OK.
- Click OK to return to Active Directory Users and Computers.
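The same change from PowerShell, as an added example rather than steps from the original guide. It assumes the ActiveDirectory RSAT module, Domain Admin rights, and that the MSOL_* account name and the user jdoe are placeholders you replace with your own Azure AD Connect service account and a provisioned user; the final check shows how to confirm the key actually synchronized.

```powershell
# Added example, not part of the original page. Placeholders: $SvcAccount (the
# Azure AD Connect service account, usually named MSOL_<hex>) and the test user.
Import-Module ActiveDirectory

$SvcAccount = 'MSOL_0123456789ab'   # placeholder: your Azure AD Connect service account
$GroupName  = 'Key Admins'
$TestUser   = 'jdoe'                # placeholder: a user who has provisioned Windows Hello for Business

# Key Admins only exists once the forest schema is at the Windows Server 2016 level.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    throw "$GroupName not found; extend the AD schema to Windows Server 2016 before continuing."
}

$svc = Get-ADUser -Identity $SvcAccount -ErrorAction Stop

# Add the account only if it is not already a member (safe to re-run).
$memberDNs = Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty DistinguishedName
if ($memberDNs -notcontains $svc.DistinguishedName) {
    Add-ADGroupMember -Identity $group -Members $svc
    Write-Host "Added $SvcAccount to $GroupName"
} else {
    Write-Host "$SvcAccount is already a member of $GroupName"
}

# Review the full membership: every member can write msDS-KeyCredentialLink for
# any user in the domain, which is equivalent to enrolling a key that signs in as
# that user. Anything unexpected here is an incident, not a housekeeping item.
Get-ADGroupMember -Identity $group |
    Select-Object Name, objectClass, DistinguishedName |
    Format-Table -AutoSize

# After the next Azure AD Connect sync cycle, the user object should carry the
# Windows Hello for Business public key in msDS-KeyCredentialLink.
$user = Get-ADUser -Identity $TestUser -Properties 'msDS-KeyCredentialLink'
if ($user.'msDS-KeyCredentialLink') {
    Write-Host "Key(s) present for $($user.SamAccountName): $($user.'msDS-KeyCredentialLink'.Count)"
} else {
    Write-Host "No key synchronized yet for $($user.SamAccountName); wait for a sync cycle or check the Azure AD Connect sync log."
}
```

If you do not want to wait for the scheduled cycle, run `Start-ADSyncSyncCycle -PolicyType Delta` from the ADSync module on the Azure AD Connect server, then re-run the last check. The group membership takes effect on the service account's next logon, so restart the Azure AD Connect synchronization service (ADSync) after adding it.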
With group membership for Azure AD Connect configured, continue with the remaining steps of the Windows Hello for Business hybrid key trust deployment guide.