[Azure AD - Authentication - FIDO2 Update

Author: MicrosoftGuyJFlo

.openpublishing.redirection.json

@@ -34389,6 +34389,11 @@
       "redirect_url": "/azure/active-directory/user-help/myprofile-portal-overview",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises.md",
+      "redirect_url": "/azure/active-directory/authentication/howto-authentication-passwordless-security-key-windows",
+      "redirect_document_id": false
+    },
     {
       "source_path": "articles/application-gateway/application-gateway-ssl-portal.md",
       "redirect_url": "/azure/application-gateway/create-ssl-portal",

articles/active-directory/authentication/concept-authentication-passwordless.md

@@ -49,7 +49,7 @@ It turns any iOS or Android phone into a strong, passwordless credential by allo
 
 FIDO2 security keys are an unphishable standards-based passwordless authentication method that can come in any form factor. Fast Identity Online (FIDO) is an open standard for passwordless authentication. It allows users and organizations to leverage the standard to sign in to their resources without a username or password using an external security key or a platform key built into a device.
 
-For public preview, employees can use security keys to sign in to their Azure AD or hybrid Azure AD joined Windows 10 devices and get single-sign on to their cloud and on-premises resources. They can also sign in to supported browsers.
+For public preview, employees can use security keys to sign in to their Azure AD joined Windows 10 devices and get single-sign on to their cloud and on-premises resources. They can also sign in to supported browsers.
 
 ![Sign in to Microsoft Edge with a security key](./media/concept-authentication-passwordless/concept-web-sign-in-security-key.png)
 

articles/active-directory/authentication/howto-authentication-passwordless-security-key-windows.md

@@ -26,19 +26,15 @@ This document focuses on enabling FIDO2 security key based passwordless authenti
 
 ## Requirements
 
-| Device Type | Azure AD joined | Hybrid Azure AD joined |
-| --- | --- | --- |
-| [Azure Multi-Factor Authentication](howto-mfa-getstarted.md) | X | X |
-| [Combined security information registration preview](concept-registration-mfa-sspr-combined.md) | X | X |
-| Compatible [FIDO2 security keys](concept-authentication-passwordless.md#fido2-security-keys) | X | X |
-| WebAuthN requires Windows 10 version 1809 or higher | X | X |
-| [Azure AD joined devices](../devices/concept-azure-ad-join.md) require Windows 10 version 1809 or higher | X |   |
-| [Hybrid Azure AD joined devices](../devices/concept-azure-ad-join-hybrid.md) require Windows 10 Insider Build 18945 or higher |   | X |
-| Fully patched Windows Server 2016/2019 Domain Controllers. |   | X |
-| Upgrade to the latest version of [Azure AD Connect](../hybrid/how-to-connect-install-roadmap.md#install-azure-ad-connect) |   | X |
-| [Microsoft Intune](https://docs.microsoft.com/intune/fundamentals/what-is-intune) (Optional) | X | X |
-| Provisioning package (Optional) | X | X |
-| Group Policy (Optional) |   | X |
+| Device Type | Azure AD joined |
+| --- | --- |
+| [Azure Multi-Factor Authentication](howto-mfa-getstarted.md) | X |
+| [Combined security information registration preview](concept-registration-mfa-sspr-combined.md) | X |
+| Compatible [FIDO2 security keys](concept-authentication-passwordless.md#fido2-security-keys) | X |
+| WebAuthN requires Windows 10 version 1809 or higher | X |
+| [Azure AD joined devices](../devices/concept-azure-ad-join.md) require Windows 10 version 1809 or higher | X |
+| [Microsoft Intune](https://docs.microsoft.com/intune/fundamentals/what-is-intune) (Optional) | X |
+| Provisioning package (Optional) | X |
 
 ### Unsupported scenarios
 
@@ -53,21 +49,13 @@ This document focuses on enabling FIDO2 security key based passwordless authenti
 
 Azure AD joined devices that you will be piloting with must be running Windows 10 version 1809 or higher. The best experience is on Windows 10 version 1903 or higher.
 
-Hybrid Azure AD joined devices that you will be piloting with must be running Windows 10 Insider Build 18945 or newer.
-
 ## Enable security keys for Windows sign-in
 
 Organizations may choose to use one or more of the following methods to enable the use of security keys for Windows sign-in based on their organization's requirements.
 
 - [Enable with Intune](#enable-with-intune)
    - [Targeted Intune deployment](#targeted-intune-deployment)
 - [Enable with a provisioning package](#enable-with-a-provisioning-package)
-- [Enable with Group Policy (Hybrid Azure AD joined devices only)](#enable-with-group-policy)
-
-> [!IMPORTANT]
-> Organizations with **hybrid Azure AD joined devices** must **also** complete the steps in the article, [Enable FIDO2 authentication to on-premises resources](howto-authentication-passwordless-security-key-on-premises.md) before Windows 10 FIDO2 security key authentication will work.
->
-> Organizations with **Azure AD joined devices** must do this before their devices will be able to authenticate to on-premises resources with FIDO2 security keys.
 
 ### Enable with Intune
 
@@ -122,18 +110,7 @@ For devices not managed by Intune, a provisioning package can be installed to en
 > Devices running Windows 10 Version 1809 must also enable shared PC mode (EnableSharedPCMode). Information about enabling this funtionality can be found in the article, 
 [Set up a shared or guest PC with Windows 10](https://docs.microsoft.com/windows/configuration/set-up-shared-or-guest-pc).
 
-### Enable with Group Policy
-
-For **hybrid Azure AD joined devices** organizations can configure the following Group Policy setting to enable FIDO security key sign-in.
-
-The setting can be found under **Computer Configuration** > **Administrative Templates** > **System** > **Logon** > **Turn on security key sign-in**.
-
-- Setting this policy to **Enabled** will allow users to sign in with security keys.
-- Setting this policy to **Disabled** or **Not Configured** will stop users from signing in with security keys.
-
-This Group Policy setting requires an updated version of the `credentialprovider.admx` Group Policy template. This new template is available with the next version of Windows Server and with Windows 10 20H1. This setting can be managed with a device running one of these newer versions of Windows or centrally by following the guidance in the support topic, [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra).
-
-## Sign in with FIDO2 security key
+## Sign in to with FIDO2 security key
 
 In the example below a user Bala Sandhu has already provisioned their FIDO2 security key using the steps in the previous article, [Enable passwordless security key sign in](howto-authentication-passwordless-security-key.md#user-registration-and-management-of-fido2-security-keys). Bala can choose the security key credential provider from the Windows 10 lock screen and insert the security key to sign into Windows.
 
@@ -155,9 +132,29 @@ If you would like to share feedback or encounter issues while previewing this fe
    1. Subcategory: FIDO
 1. To capture logs, use the option: **Recreate my Problem**
 
-## Next steps
+## Frequently asked questions
+
+### Does this work in my on-premises environment?
+
+This feature does not work for a pure on-premises Active Directory Domain Services (AD DS) environment.
 
-[Enable access to on-premises resources for Azure AD and hybrid Azure AD joined devices](howto-authentication-passwordless-security-key-on-premises.md)
+### My organization requires two factor authentication to access resources, what can I do to support this requirement?
+
+Security keys come in a variety of form factors. Please contact the device manufacturer of interest to discuss how their devices can be enabled with a PIN or biometric as a second factor.
+
+### Can admins set up security keys?
+
+We are working on this capability for general availability (GA) of this feature.
+
+### Where can I go to find compliant Security Keys?
+
+[FIDO2 security keys](concept-authentication-passwordless.md#fido2-security-keys)
+
+### What do I do if I lose my Security Key?
+
+You can remove keys from the Azure portal, by navigating to the security info page and removing the security key.
+
+## Next steps
 
 [Learn more about device registration](../devices/overview.md)
 

articles/active-directory/authentication/howto-authentication-passwordless-security-key.md

@@ -92,7 +92,7 @@ Administrator provisioning and de-provisioning of security keys is not available
 
 ### UPN changes
 
-We are working on supporting a feature that allows UPN change on hybrid Azure AD joined and Azure AD joined devices. If a user’s UPN changes, you can no longer modify FIDO2 security keys to account for the change. The resolution is to reset the device and the user has to re-register.
+We are working on supporting a feature that allows UPN change on Azure AD joined devices. If a user’s UPN changes, you can no longer modify FIDO2 security keys to account for the change. The resolution is to reset the device and the user has to re-register.
 
 ## Next steps