FIDO2 Security Keys for Hybrid Azure AD Joined Environments – Provisioning Package

The article focuses on the basic configurations that are required for the setup of Passwordless sign in for hybrid Azure environment. Passwordless authentication implementation on Windows 10 devices help enterprises to significantly improve their security and reduce the support costs by using Windows Hello for Business, FIDO2 compatible security keys such as ThinC-AUTH and Microsoft Authenticator App. Users will be able to sign in to both your Azure AD and hybrid Azure AD joined Windows 10 devices with Azure AD account using a FIDO2 security key. ThinC-AUTH security keys can be obtained from amazon.in or by contacting Ensurity support. For devices which are not managed by Intune, an enterprise administrator will create the provisioning package that is installed in the enterprise Windows 10 devices. This provisioning package is created using “Windows Configuration Designer” for enabling security key functionality. The associated app is available in the Microsoft Store.

Test Environment

The following setup is configured by Ensurity for implementation of SSO to cloud and On-Prem applications such as Office365 and Azure DevOps.

• Windows 10 1903+ build
• Windows Server 2016 with Azure DevOps On-Prem resources
• Azure and On-Prem AD
• ThinC-AUTH Security key
• Windows Configuration Designer for creating provisioning package

AAD Configuration

Enabling FIDO2 authentication for Windows login

Using a Windows 10 1903+ build, the On-Prem AD is synced with Azure AD. The FIDO2 authentication method is enabled for the required user profiles. From the Azure AD portal, admin enables the “Security key for sign-in”

Step1: Click on Security

Step 2: Authentication Methods> Authentication Method Policy

Step 3: FIDO2 Security Key and enables the feature. FIDO2 security key is one of the authentication methods available for “all the users” or only to “few targeted users”

Step 4:Click on Save to update the changes.

Enabling FIDO2 authentication in Azure Active Directory Users

The Admin enables FIDO2 feature for users to manage security keys, below steps:

Step 1: In Azure Active Directory navigate to User Settings

Step 2: Click on “Manage user feature preview settings” under “Users features preview section”

Step 3: “Users can use preview features for registering and managing security info – enhanced”

• “Selected” and choose a group of users who will participate in the preview.
• Alternatively, choose “All” to enable everyone in your directory.

Once the required options are selected, click Save to update the changes.

By following the above steps, we have successfully configured and enabled FIDO2 security key login in Azure Active Directory.

Provisioning Package

To enable seamless login to Windows 10 based machines using a security key, configuration settings are installed in the PC. The configuration package is installed in the PC at the time of OOBE Setup or from the PC Settings. The configuration package is created using Windows Configuration Designer that is installed from Microsoft Store.

Creating a Provisioning Package

The below section describes the process of the creation of the provisioning package using the configuration designer tool.

• Launch the Windows Configuration Designer and create a new project.
• Enter the project a name and choose the location to save the project and click on Next.
• Click on Next in Select Project workflow with the Provisioning package selected.
• Under “Choose which settings to view and configure” click on All Windows desktop editions and select Next> Finish.
• Expand Runtime settings > WindowsHelloForBusiness > SecurityKeys and enable “UseSecurityKeyForSignIn”.

• Select Export > Provisioning package
• In the Build window, provide a name for the package and click on Next>Next.
• Provide a location for saving the provisioning package and select Next.
• Click on Build to create the provisioning package.
• Save the two files created (ppkg and cat) to an external USB drive to apply them on the Windows 10 PCs

Adding Provisioning package

• Insert the USB drive with the provisioning package to a PC/Laptop and navigate Settings > Accounts > Access work or school > Add or remove a provisioning package
• Click on “Add a package”
• Choose the method “Removable Media> Select the package and click on Add”.
• Click on “Yes, add it” when prompted. Under Packages, the added package is displayed.


Once the provisioning package is added in the Windows 10 PCs, it is recommended to restart the PC. By following the above steps, the admin has successfully configured Azure AD and the Windows 10 PCs to enable passwordless sign in.

Hardware Security Key Configuration

The following process is meant for enrolling the fingerprint and configuring the security key with the Azure user profile. Once the key is configured, the Azure user account is added to the Windows 10 PCs for enabling security key sign in.

Security Key Management:

Registering fingerprint with the security key

• Open Settings >Accounts> Sign-in options > Security Keys.
• Insert the ThinC-AUTH device and click on Manage.
• Set up Pin for the first time or after resetting the Security Key. Enrol fingerprints by placing your finger on the fingerprint sensor multiple times. Click on Done or user can Add another.

Adding FIDO2 Security key in user profile

After Security Key configured with fingerprint, the key is linked to the Azure AD account using  https://myprofile.microsoft.com. You can see the sign-in methods registered as shown below

Adding Work or School account

Step 1: Navigate to Settings > Accounts > Access work or school> Connect > Join this device to Azure Active Directory.

Step 2: Enter the email address and password and click on Sign in.

Step 3: Click on Join> Done.

Sign out from Windows and log in using the ThinC-AUTH security key.

Testing the setup

Following the above setup procedure, the user can log in to Windows on both AADJ and Hybrid AADJ configured PCs. Once logged in, the user seamlessly accesses Office 365 without further authentication in the hybrid AADJ configuration.

The On-Prem resources such as Azure DevOps are also accessed seamlessly without again requiring any user credentials (SSO to the service).

Conclusion

By implementing the passwordless setup, the enterprise will be able to eliminate the use of passwords by its employees while preventing most of the phishing attacks and ransomware attacks.

Join with us to provide secure and seamless user experience with Ensurity ThinC-AUTH security key for a complete passwordless authentication. To know more about our FIDO Storage device, configuring Hybrid Azure Setup, FIDO Server for SME's, Passwordless Soft Authentication system visit https://www.ensurity.com .