In my previous blog post, I explained how we can use FIDO2 security keys to perform password-less authentication with Azure AD. You can access it using Step-by-Step Guide: Azure AD password-less sign-in using FIDO2 Security keys
We also can use FIDO2 security keys to sign-in to Azure AD Joined or Hybrid Azure AD Joined Windows 10 devices. In this demo, I am going to demonstrate how we can enable FIDO2 security key sign-in using Azure AD and Microsoft Intune.
Before enabling password-less authentication with FIDO2 security keys, make sure you have,
1. Azure AD and Intune – Make sure you have valid Azure AD and Intune subscription in place.
2. Azure AD Join on Hybrid Azure AD joined Windows 10 Devices – If it is Azure AD Join device, it should run at least Windows 10 version 1903. If it is Hybrid Azure AD joined device at least it should be running Windows 10 Insider Build 18945
3. FIDO2 Security keys – The good people at eWBM provided eWBM Goldengate security key G320 (USB-C) and eWBM Goldengate security key G310 (USB-A) for testing. I will be using eWBM Goldengate security key G320 (USB-C) in this demo with Surface Pro 7.
4. Azure AD user account which completed the FIDO2 security key enrolment process – This explained in details via my previous post https://www.rebeladmin.com/2020/03/step-step-guide-azure-ad-password-less-sign-using-fido2-security-keys/
In this demo, I am going to use a user called Megan Bowen (meganb@M365x620957.onmicrosoft.com) for testing. I already have an Azure AD join device ready for her. It is showing as compliant in the Microsoft Intune portal.
Enable Windows Hello for Business with Intune
Before we create a device configuration profile, we need to enable Windows Hello for Business with FIDO2 security key support. To do that,
1. Log in to Azure Portal as Global Administrator ( https://portal.azure.com/ )
2. Search for Intune in the search box and click on it.
4. In the new window click on Windows enrollment | Windows Hello for Business
5. Select Enable for Configure Windows Hello for Business. Then keep the default settings.
6. Also, select Enable for Use security keys for sign-in
This will enable FIOD2 security key support.
7. At the end click on Save to apply the changes.