deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-29 17:23:44 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

minor updates to federated auth doc

Browse Source
This commit is contained in:
Paolo Matarazzo
2022-09-07 13:42:39 -04:00
parent a860e5c1ac
commit 2420fd3ad8
1 changed files with 19 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
education/windows/edu-federated-authentication.md
View File

@ -15,24 +15,25 @@ appliesto:
-<b>Windows 11 SE 22H2</b>
---
<!-- MAXADO-6286399 -->
# Configure federated authentication for Windows 11 SE
Starting in **Windows 11 SE, version 22H2**, you can configure federated authentication, enabling your users to sign in using a third-party identity provider (IdP).
With federated authentication, the sign-in experience on Windows SE devices can be simplified based on the options offered by the IdP. For example, rather than logging in with a traditional username and password, students and educators can use picture passwords or QR badges.
The sign-in experience on Windows SE devices can be simplified based on the options offered by the IdP. For example, rather than logging in with a traditional username and password, students and educators can use picture passwords or QR code badges.
## Benefits of federated authentication
With federated authentication, you can have faster starts to class. Features like QR code scanning allow students to log in in less time, and with less friction.
With fewer credentials for students to remember and a simplified log-in processes, students are more engaged and focused on learning.
With federated authentication, students can sign-in in less time, and with less friction.
Fewer credentials to remember and a simplified sign-in process, enable students to be more engaged and focused on learning.
## Prerequisites
To implement federated authentication, the following prerequisites must be met:
1. You must have an Azure Active Directory (Azure AD) tenant, with one or multiple domains federated to a third-party IdP. For more information, see [Use a SAML 2.0 Identity Provider (IdP) for Single Sign On][AZ-1]
1. An Azure AD tenant, with one or multiple domains federated to a third-party IdP. For more information, see [Use a SAML 2.0 Identity Provider (IdP) for Single Sign On][AZ-1]
1. Individual IdP accounts created: each user will require an account defined in the third-party IdP platform
1. Individual Azure AD accounts created: each user will require a matching account defined in Azure AD. These account are usually created through automation using a provisioning process offered by the IdP
1. Licenses assigned to the Azure AD accounts. It is recommended to assign licenses to a dynamic group, so that when new users are provisioned in Azure AD, the licenses are automatically assigned to the users member of the group
1. Individual Azure AD accounts created: each user will require a matching account defined in Azure AD. These accounts are commonly created through automation, with a provisioning process offered by the IdP
1. Licenses assigned to the Azure AD user accounts. It's recommended to assign licenses to a dynamic group: when new users are provisioned in Azure AD, the licenses are automatically assigned. For more information, see [Assign licenses to users by group membership in Azure Active Directory][AZ-2]
1. Enable federated authentication on the Windows devices that the users will be using
> [!IMPORTANT]
> This feature is exclusively available for Windows 11 SE, version 22H2.
@ -41,7 +42,7 @@ To implement federated authentication, the following prerequisites must be met:
Can be done in Intune or with a provisioning package.
IT administrators can configure federated authentication on Windows devices using Microsoft Intune, through a [custom profile][MEM-1]:
To configure federated authentication using Microsoft Intune, use a [custom profile][MEM-1]:
1. Sign in to the <a href="https://endpoint.microsoft.com/" target="_blank">Microsoft Endpoint Manager admin center</a>
1. Select **Devices** > **Configuration profiles** > **Create profile**
@ -58,12 +59,12 @@ IT administrators can configure federated authentication on Windows devices usin
| Name | OMA-URI | Data type | Value |
|-|-|-|-|
| `EnableWebSignInForPrimaryUser` | `./Vendor/MSFT/Policy/Config/FederatedAuthentication/EnableWebSignInForPrimaryUser` | Integer | 1|
| `ConfigureWebSignInAllowedUrls` | `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls` | String | Semicolon separated list of domains, for example `samlidp.clever.com;clever.com;mobile-redirector.clever.com`|
| `ConfigureWebSignInAllowedUrls` | `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls` | String | Semicolon separated list of domains, for example: `samlidp.clever.com;clever.com;mobile-redirector.clever.com`|
| `IsEducationEnvironment` | `./Vendor/MSFT/Policy/Config/Education/IsEducationEnvironment` | Integer | 1|
| `ConfigureWebCamAccessDomainNames` | `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebCamAccessDomainNames` | String |This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example `clever.com`|
| `ConfigureWebCamAccessDomainNames` | `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebCamAccessDomainNames` | String |This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: `clever.com`|
:::image type="content" source="images/edu-federated-authentication-settings.png" alt-text="Custom policy showing the settings to be configured to enable federated authentication" lightbox="edu-federated-authentication-settings.png" border="true":::
1. Select **Review + Save**
1. Select **Next**
1. In **Scope tags**, assign any applicable tags (optional)
@ -77,17 +78,17 @@ IT administrators can configure federated authentication on Windows devices usin
Once the devices are configured, a new sign-in experience becomes available.
:::image type="content" source="./images/federated-auth.gif" alt-text="Windows 11 SE login using federated authentication through Clever and QR badge." border="true":::
:::image type="content" source="./images/federated-auth.gif" alt-text="Windows 11 SE sign-in using federated authentication through Clever and QR code badge." border="true":::
## Known issues
- Network and Accessibility menus are not available in the Web Sign-In flow. They can be accessed on the standard Windows Logon page. While in the federated sign-in, press <kbd>Ctrl</kbd>+<kbd>Alt</kbd>+<kbd>Delete</kbd> and the classic Windows Logon UI will be shown, along with the buttons that launch those menus.
- This feature will not work without access to network, as the authentication is done via a 3rd party provider over the network. Always make sure that there is a valid network connection, before trying to launch the federated sign-in flow.
- Network and Accessibility menus aren't available in the web sign-in flow. They can be accessed on the standard Windows sign-in page. While in the web sign-in flow, press <kbd>Ctrl</kbd>+<kbd>Alt</kbd>+<kbd>Delete</kbd> and the classic Windows sign-in UI will be shown, along with the buttons that launch those menus.
- This feature won't work without access to network, as the authentication is done via a third-party provider over the network. Always make sure that there's a valid network connection, before trying to launch the web sign-in flow.
## Troubleshooting
- The user can exit the federated sign-in flow by pressing <kbd>Ctrl</kbd>+<kbd>Alt</kbd>+<kbd>Delete</kbd> to get back to the standard Windows Logon screen.
- The user can exit the federated sign-in flow by pressing <kbd>Ctrl</kbd>+<kbd>Alt</kbd>+<kbd>Delete</kbd> to get back to the standard Windows sign-in screen.
- The *Other User* button can be pressed, and standard username/password credentials can be used to log into the device.
[MEM-1]: /mem/intune/configuration/custom-settings-configure
[AZ-1]: /azure/active-directory/hybrid/how-to-connect-fed-saml-idp
[AZ-1]: /azure/active-directory/hybrid/how-to-connect-fed-saml-idp
[AZ-2]: /azure/active-directory/enterprise-users/licensing-groups-assign