10. Timeline (slide diagram; dates and milestones as shown on the slide)
Spring 2018: FIDO2 private preview began
July 2018: WebAuthn support available to Windows 10 Insiders
October 2018: Self-provisioned keys for MSA (Windows 10 October 2018 Update)
January 2019: FIDO2 for Azure AD accounts, public preview begins (admin controls; end-user self-provisioning)
11. Authentication methods blade (portal screenshot: Wingtiptoys – Azure AD Security, Home > Authentication methods > Authentication methods; Allowed methods tab, with Registration settings, Usage and insights, Audit logs and Password protection (Preview) in the side menu)

METHOD | TARGET | ENABLED
Password | All users | Yes
Phone call | All users | Yes
Text message | 1 group | Yes
Microsoft Authenticator app | | No
Verification code – authenticator app | | No
Verification code – hardware token | | No
Windows Hello | | No
FIDO | | No
PIN | | No
Email address | | No
Security questions | 5 groups | Yes
(star icon = Recommended)
12. REQUIRE REGISTRATION: FIDO2 Security Keys settings pane (portal screenshot, opened from the Authentication methods table shown on slide 11)

CONFIGURE
FIDO2 Security Keys: Yes / No
Allow self-service set-up for groups: Yes / No
Enforce Attestation: Yes / No
KEY RESTRICTION POLICY
Enforce key restrictions: Yes / No
Restrict specific keys: Allow / Block
+ add AAGUID
REGISTRATION
Required: All users / Select users
NAME: + add users and group
Manage security keys: Manual set-up
13. REQUIRE REGISTRATION: same FIDO2 Security Keys settings pane as slide 12 (CONFIGURE, KEY RESTRICTION POLICY with + add AAGUID and Allow / Block, REGISTRATION with Required: All users / Select users, Manage security keys: Manual set-up)
14. REQUIRE REGISTRATION: same pane as slide 12; under REGISTRATION, Select users is chosen and the target list reads "No users selected …"
15. REQUIRE REGISTRATION: the "Add users and groups" picker is opened from the pane on slide 12 (Search by name or email address; "Pilot" typed into the search box; OK / Cancel); the target list still reads "No users selected"
16. REQUIRE REGISTRATION: "Add users and groups" picker showing search results for "Pilot group":
Pilot group (Pilotgroup@wingtiptoys.com)
Pilot group corp (pilotgrpcorp@wingtiptoys.com)
Pilot group NYC (pilotgrpmkt@wingtiptoys.com)
(OK / Cancel; target list still reads "No users selected")
17. REQUIRE REGISTRATION: "Add users and groups" picker with Pilot group (Pilotgroup@wingtiptoys.com) selected (OK / Cancel)
18. REQUIRE REGISTRATION: same pane as slide 12 after the selection; under REGISTRATION the target now reads "Pilot group …", with KEY RESTRICTION POLICY (Enforce key restrictions: Yes / No; Restrict specific keys: Allow / Block; + add AAGUID) and Manage security keys: Manual set-up visible
30. FIDO2 security key sign-in flow (slide diagram; actors: FIDO2 security key, Windows 10 device, Azure AD)
1. User plugs FIDO2 security key into computer
2. Windows detects FIDO2 security key
3. Windows device sends auth request
4. Azure AD sends back nonce
5. User completes gesture to unlock private key stored in security key's secure enclave
6. FIDO2 security key signs nonce with private key
7. PRT token request with signed nonce is sent to Azure AD
8. Azure AD verifies FIDO key
9. Azure AD returns PRT and TGT to enable access to on-premises resources
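The challenge-response in steps 3 to 9 of the diagram, as an added Go example that is not part of the original deck and is not Microsoft's code. A relying party standing in for Azure AD issues a random nonce, a simulated security key signs it with an ECDSA P-256 private key only after a user gesture, and the relying party verifies the signature against the public key registered for that credential before releasing a token. The relying party never holds a private key, the nonce is single-use so a captured signature cannot be replayed, and a signature from a different key is rejected. Simplifications: a real WebAuthn assertion signs authenticator data plus a client-data hash rather than the bare nonce, and the returned string is a placeholder, not a PRT or TGT. All type, function and credential names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// RelyingParty stands in for Azure AD (assumed name). It stores only public
// keys, so compromising this store yields nothing that can sign a nonce.
type RelyingParty struct {
	registered map[string]*ecdsa.PublicKey // credential ID -> public key from enrolment
	pending    map[string]string           // credential ID -> outstanding nonce (hex)
}

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{registered: map[string]*ecdsa.PublicKey{}, pending: map[string]string{}}
}

// Register records the public key produced when the key was enrolled.
func (rp *RelyingParty) Register(credID string, pub *ecdsa.PublicKey) { rp.registered[credID] = pub }

// IssueNonce is step 4: a fresh 32-byte random challenge per attempt.
// Reissuing replaces any outstanding nonce for that credential.
func (rp *RelyingParty) IssueNonce(credID string) ([]byte, error) {
	if _, ok := rp.registered[credID]; !ok {
		return nil, errors.New("unknown credential")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	rp.pending[credID] = hex.EncodeToString(nonce)
	return nonce, nil
}

// VerifyAssertion is step 8: the nonce must be the one issued and still unused,
// and the signature must verify under the registered key. The nonce is consumed
// on success, which is what defeats replay of a captured signature.
func (rp *RelyingParty) VerifyAssertion(credID string, nonce, sig []byte) (string, error) {
	pub, ok := rp.registered[credID]
	if !ok {
		return "", errors.New("unknown credential")
	}
	expected, ok := rp.pending[credID]
	if !ok || expected != hex.EncodeToString(nonce) {
		return "", errors.New("nonce was not issued or has already been used")
	}
	digest := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return "", errors.New("signature does not verify under the registered key")
	}
	delete(rp.pending, credID)
	return "TOKEN-placeholder-for-" + credID, nil // stands in for the PRT/TGT of step 9
}

// SecurityKey stands in for the FIDO2 authenticator (assumed name). The private
// key is generated inside and never exported; Sign refuses without a gesture.
type SecurityKey struct {
	CredID string
	priv   *ecdsa.PrivateKey
}

func NewSecurityKey(credID string) (*SecurityKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SecurityKey{CredID: credID, priv: priv}, nil
}

// PublicKey is the only key material that leaves the authenticator (at enrolment).
func (k *SecurityKey) PublicKey() *ecdsa.PublicKey { return &k.priv.PublicKey }

// Sign is steps 5 and 6: the user gesture unlocks the private key, which signs the nonce.
func (k *SecurityKey) Sign(nonce []byte, userGesture bool) ([]byte, error) {
	if !userGesture {
		return nil, errors.New("user presence not confirmed; private key stays locked")
	}
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, k.priv, digest[:])
}

// SignIn runs the exchange end to end: request, nonce, signed nonce, verification, token.
func SignIn(rp *RelyingParty, key *SecurityKey, userGesture bool) (string, error) {
	nonce, err := rp.IssueNonce(key.CredID)
	if err != nil {
		return "", err
	}
	sig, err := key.Sign(nonce, userGesture)
	if err != nil {
		return "", err
	}
	return rp.VerifyAssertion(key.CredID, nonce, sig)
}

func main() {
	rp := NewRelyingParty()
	key, err := NewSecurityKey("cred-wingtiptoys-001") // constructed credential ID
	if err != nil {
		panic(err)
	}
	rp.Register(key.CredID, key.PublicKey())
	tok, err := SignIn(rp, key, true)
	fmt.Println("with gesture:", tok, err)
	_, err = SignIn(rp, key, false)
	fmt.Println("without gesture:", err)
}
```

The three checks in VerifyAssertion map onto what the diagram's "Azure AD verifies FIDO key" step has to guarantee: the response answers this session's challenge (no replay), it was produced by the key enrolled for the credential (no substitution), and the key only produced it after a local gesture (no silent use of a plugged-in key).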