Update authentication options and requirements in deployment documentation

Paolo Matarazzo
2023-12-28 11:18:56 -05:00
parent cbaf42b528
commit 8f1fe14bd0

@ -99,11 +99,11 @@ For on-premises deployments, the identity provider is the on-premises server run
Here's a list of requirements for federated and non-federated deployments.
| Deployment model | Authentication options | Requirements |
|--|--|--|
| Cloud-only | :black_square_button: **Non-federated**<br> :black_square_button: **Federated** | Federated authentication requires a third-party federation service. |
| Hybrid | :black_square_button: **Non-federated**<br> :black_square_button: **Federated** | :black_square_button: Federated authentication requires AD FS or a third-party federation service<br> :black_square_button: **Cloud Kerberos trust** requires Microsoft Entra Kerberos<br> :black_square_button: **Key trust, non-federated**: [Password hash synchronization (PHS)][ENTRA-6] or [Microsoft Entra pass-through authentication (PTA)][ENTRA-7]<br> :black_square_button: **Certificate trust** doesn't support [PTA][ENTRA-7] or [(PHS)][ENTRA-6]. Active Directory must be federated with Microsoft Entra ID using AD FS. Additionally, you must configure your AD FS farm to support Microsoft Entra registered devices |
| On-premises | AD FS | n/a |
| Deployment model | Authentication options |
|--|--|
| Cloud-only | :black_square_button: **Non-federated**<br> :black_square_button: **Federated**: federated authentication requires a third-party federation service. |
| Hybrid | :black_square_button: **Non-federated**<br>&tab; :black_square_button: **Cloud Kerberos trust** requires Microsoft Entra Kerberos<br>&tab; :black_square_button: **Key trust** requires [Password hash synchronization (PHS)][ENTRA-6] or [Microsoft Entra pass-through authentication (PTA)][ENTRA-7]<br><br> :black_square_button: **Federated**: federated authentication requires AD FS or a third-party federation service<br>&tab; :black_square_button: **Certificate trust** doesn't support [PTA][ENTRA-7] or [(PHS)][ENTRA-6]. Active Directory must be federated with Microsoft Entra ID using AD FS. Additionally, you must configure your AD FS farm to support Microsoft Entra registered devices |
| On-premises | AD FS |
### Device registration
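Review bot: `&tab;` in the new Hybrid row is not a valid HTML character reference (the named entity is `&Tab;`, and a tab would collapse as ordinary whitespace anyway), so the trust types will not be indented under **Non-federated** and **Federated** and the sequence may render as literal text. Use `&emsp;` or `&nbsp;&nbsp;` for the indent, or restructure the cell as a nested list. In the same row, `[(PHS)][ENTRA-6]` keeps its parentheses inside the link text while `[PTA][ENTRA-7]` does not; make the two consistent.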
@ -265,7 +265,7 @@ Although the organization might require users to change their Active Directory o
| Deployment model | Trust type | Authentication options | Device/Key registration IdP | Directory sync options | MFA | Device configuration | PKI | Licensing | Windows | DC OS version |
|--|--|--|--|--|--|--|--|--|--|--|
| :black_square_button: Cloud-only | n/a | :black_square_button: **Non-federated**<br> :black_square_button: **Federated** | Microsoft Entra ID | n/a | :black_square_button: Microsoft Entra MFA <br> :black_square_button: Third-party MFA via Microsoft Entra ID custom controls or federation | CSP (MDM) <br> GPO (local) | not required | not required | All supported versions | n/a |
| :black_square_button: Hybrid | :black_square_button: **Cloud Kerberos trust** <br> :black_square_button: **Key trust** <br> :black_square_button: **Certificate trust** | :black_square_button: **Non-federated**<br> :black_square_button: **Federated** | Microsoft Entra ID | Microsoft Entra Connect Sync | :black_square_button: Microsoft Entra MFA <br> :black_square_button: Third-party MFA via Microsoft Entra ID custom controls or federation | CSP (MDM) <br> GPO (Active Directory or local) | :black_square_button: **Cloud Kerberos trust**: not required <br> :black_square_button: **Key trust**: required <br> :black_square_button: **Certificate trust**: required | :black_square_button: **Cloud Kerberos trust**: not required <br> :black_square_button: **Key trust**: not required <br> :black_square_button: **Certificate trust**: Microsoft Entra ID P1 | :black_square_button: **Cloud Kerberos trust**: Windows 10 21H2, with [KB5010415][KB-1] and later; Windows 11 21H2, with [KB5010414][KB-2] and later <br> :black_square_button: **Key trust**: All supported versions <br> :black_square_button: **Certificate trust**: All supported versions | :black_square_button: **Cloud Kerberos trust**: Windows Server 2016, [KB3534307][KB-3]; Windows Server 2019, [KB4534321][KB-4], Windows Server 2022 <br> :black_square_button: **Key trust**: All supported versions <br> :black_square_button: **Certificate trust**: All supported versions |
| :black_square_button: Hybrid | :black_square_button: **Cloud Kerberos trust** <br> :black_square_button: **Key trust** <br> :black_square_button: **Certificate trust** | :black_square_button: **Non-federated**<br>&tab; :black_square_button: **Cloud Kerberos trust** requires Microsoft Entra Kerberos<br>&tab; :black_square_button: **Key trust** requires [Password hash synchronization (PHS)][ENTRA-6] or [Microsoft Entra pass-through authentication (PTA)][ENTRA-7]<br><br> :black_square_button: **Federated**: federated authentication requires AD FS or a third-party federation service<br>&tab; :black_square_button: **Certificate trust** doesn't support [PTA][ENTRA-7] or [(PHS)][ENTRA-6]. Active Directory must be federated with Microsoft Entra ID using AD FS. Additionally, you must configure your AD FS farm to support Microsoft Entra registered devices | Microsoft Entra ID | Microsoft Entra Connect Sync | :black_square_button: Microsoft Entra MFA <br> :black_square_button: Third-party MFA via Microsoft Entra ID custom controls or federation | CSP (MDM) <br> GPO (Active Directory or local) | :black_square_button: **Cloud Kerberos trust**: not required <br> :black_square_button: **Key trust**: required <br> :black_square_button: **Certificate trust**: required | :black_square_button: **Cloud Kerberos trust**: not required <br> :black_square_button: **Key trust**: not required <br> :black_square_button: **Certificate trust**: Microsoft Entra ID P1 | :black_square_button: **Cloud Kerberos trust**: Windows 10 21H2, with [KB5010415][KB-1] and later; Windows 11 21H2, with [KB5010414][KB-2] and later <br> :black_square_button: **Key trust**: All supported versions <br> :black_square_button: **Certificate trust**: All supported versions | :black_square_button: **Cloud Kerberos trust**: Windows Server 2016, [KB3534307][KB-3]; Windows Server 2019, [KB4534321][KB-4], Windows Server 2022 <br> :black_square_button: **Key trust**: All supported versions <br> :black_square_button: 
**Certificate trust**: All supported versions |
| :black_square_button: On-premises | :black_square_button: **Key trust** <br> :black_square_button: **Certificate trust** | n/a | AD FS | Azure MFA server | AD FS MFA adapter | GPO (Active Directory or local) | required | Azure MFA, if used as MFA solution | All supported versions | All supported versions |
## Next steps
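Review bot: The new Hybrid row is split across two lines just before the final `**Certificate trust**: All supported versions |` in the DC OS version column; a Markdown table row has to stay on one line, so the table breaks at that point. Join the two lines. The Authentication options cell of that row also repeats the full trust-type requirements from the earlier table, including the same `&tab;` sequences, although the Trust type column already lists the three trust types; consider keeping the short **Non-federated** and **Federated** entries here and leaving the per-trust requirements in the earlier section.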