diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md index a8cbd81037..8d0e8758d5 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md 
@@ -13,49 +13,10 @@ ms.topic: tutorial > Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. For more information, see [cloud Kerberos trust deployment](hybrid-cloud-kerberos-trust.md). [!INCLUDE [requirements](includes/requirements.md)] +[!INCLUDE [requirement-directory-sync](includes/requirement-directory-sync.md)] +[!INCLUDE [requirement-auth-to-entra-id](includes/requirement-auth-to-entra-id.md)] +[!INCLUDE [requirement-device-registration](includes/requirement-device-registration.md)] -:::row::: - :::column span="1"::: -Directories and directory synchronization - :::column-end::: - :::column span="3"::: -Hybrid Windows Hello for Business needs two directories: - -- An on-premises Active Directory -- A Microsoft Entra tenant - -The two directories must be synchronized with [Microsoft Entra Connect Sync][AZ-1], which synchronizes user accounts from the on-premises Active Directory to Microsoft Entra ID.\ -During the Window Hello for Business provisioning process, users register the public portion of their Windows Hello for Business credential with Microsoft Entra ID. *Microsoft Entra Connect Sync* synchronizes the Windows Hello for Business public key to Active Directory. - -> [!NOTE] -> Windows Hello for Business hybrid key trust is not supported if the users' on-premises UPN suffix cannot be added as a verified domain in Microsoft Entra ID. - -> [!IMPORTANT] -> Windows Hello for Business is tied between a user and a device. Both the user and device object must be synchronized between Microsoft Entra ID and Active Directory. 
- :::column-end::: - -:::row-end::: - -:::row::: - :::column span="1"::: - Authentication to Microsoft Entra ID - :::column-end::: - :::column span="3"::: -Authentication to Microsoft Entra ID can be configured with or without federation: -- [Password hash synchronization][AZ-6] or [Microsoft Entra pass-through authentication][AZ-7] is required for non-federated environments -- Active Directory Federation Services (AD FS) or a third-party federation service is required for federated environments - :::column-end::: - -:::row-end::: - -:::row::: - :::column span="1"::: - Device registration - :::column-end::: - :::column span="3"::: -The Windows devices must be registered in Microsoft Entra ID. Devices can be registered in Microsoft Entra ID using either *Microsoft Entra join* or *Microsoft Entra hybrid join*.\ -For *Microsoft Entra hybrid joined* devices, review the guidance on the [Plan your Microsoft Entra hybrid join implementation][AZ-8] page. - :::column-end::: :::row-end::: @@ -109,13 +70,10 @@ To configure Windows Hello for Business, devices can be configured through a mob > [Next: configure and validate the Public Key Infrastructure >](hybrid-key-trust-pki.md) -[AZ-1]: /azure/active-directory/hybrid/how-to-connect-sync-whatis + [AZ-2]: /azure/multi-factor-authentication/multi-factor-authentication [AZ-3]: /azure/multi-factor-authentication/multi-factor-authentication-whats-next [AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd [AZ-5]: /azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler -[AZ-6]: /azure/active-directory/hybrid/whatis-phs -[AZ-7]: /azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication -[AZ-8]: /azure/active-directory/devices/hybrid-azuread-join-plan [SER-1]: /windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa 
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/requirement-auth-to-entra-id.md b/windows/security/identity-protection/hello-for-business/deploy/includes/requirement-auth-to-entra-id.md new file mode 100644 index 0000000000..19971207b7 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/requirement-auth-to-entra-id.md @@ -0,0 +1,18 @@ +--- +ms.date: 12/15/2023 +ms.topic: include +--- + +:::row::: + :::column span="1"::: + Authentication to Microsoft Entra ID + :::column-end::: + :::column span="3"::: + Authentication to Microsoft Entra ID can be configured with or without federation: + - [Password hash synchronization][AZ-6] or [Microsoft Entra pass-through authentication][AZ-7] is required for non-federated environments + - Active Directory Federation Services (AD FS) or a third-party federation service is required for federated environments + :::column-end::: +:::row-end::: + +[AZ-6]: /azure/active-directory/hybrid/whatis-phs +[AZ-7]: /azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/requirement-device-registration.md b/windows/security/identity-protection/hello-for-business/deploy/includes/requirement-device-registration.md new file mode 100644 index 0000000000..2dcef6f215 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/requirement-device-registration.md 
@@ -0,0 +1,15 @@ +--- +ms.date: 12/15/2023 +ms.topic: include +--- + +:::row::: + :::column span="1"::: + Device registration + :::column-end::: + :::column span="3"::: +The Windows devices must be registered in Microsoft Entra ID. Devices can be registered in Microsoft Entra ID using either *Microsoft Entra join* or *Microsoft Entra hybrid join*.\ +For *Microsoft Entra hybrid joined* devices, review the guidance on the [Plan your Microsoft Entra hybrid join implementation][AZ-8] page. + :::column-end::: + +[AZ-8]: /azure/active-directory/devices/hybrid-azuread-join-plan diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/requirement-directory-sync.md b/windows/security/identity-protection/hello-for-business/deploy/includes/requirement-directory-sync.md new file mode 100644 index 0000000000..25376b26de --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/requirement-directory-sync.md 
@@ -0,0 +1,28 @@ +--- +ms.date: 12/15/2023 +ms.topic: include +--- + +:::row::: + :::column span="1"::: +Directories and directory synchronization + :::column-end::: + :::column span="3"::: +Hybrid Windows Hello for Business needs two directories: + +- An on-premises Active Directory +- A Microsoft Entra tenant + +The two directories must be synchronized with [Microsoft Entra Connect Sync][AZ-1], which synchronizes user accounts from the on-premises Active Directory to Microsoft Entra ID.\ +During the Window Hello for Business provisioning process, users register the public portion of their Windows Hello for Business credential with Microsoft Entra ID. *Microsoft Entra Connect Sync* synchronizes the Windows Hello for Business public key to Active Directory. + +> [!NOTE] +> Windows Hello for Business hybrid key trust is not supported if the users' on-premises UPN suffix cannot be added as a verified domain in Microsoft Entra ID. + +> [!IMPORTANT] +> Windows Hello for Business is tied between a user and a device. Both the user and device object must be synchronized between Microsoft Entra ID and Active Directory. + :::column-end::: + +:::row-end::: + +[AZ-1]: /azure/active-directory/hybrid/how-to-connect-sync-whatis
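Review bot: in the first hybrid-key-trust.md hunk (`@@ -13,49 +13,10 @@`) a `:::row-end:::` is left behind as unchanged context after the three new `[!INCLUDE ...]` lines, and it only balances because the new requirement-device-registration include omits its own `:::row-end:::`. That couples the include to this one consumer: embedding requirement-device-registration.md in another deployment page would leave an unclosed row there, and any later cleanup of this file would leave a stray close here. Close the row inside the include and drop the leftover `:::row-end:::` from hybrid-key-trust.md so each include is self-contained.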
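Review bot: in the second hybrid-key-trust.md hunk (`@@ -109,13 +70,10 @@`) the `[AZ-1]` definition is replaced by an empty `+` line rather than removed, which leaves a blank line at the head of the link-reference list; delete the line instead. Moving the `[AZ-1]`, `[AZ-6]`, `[AZ-7]` and `[AZ-8]` definitions into the includes that use them is correct, but the definitions that remain (`[AZ-2]` to `[AZ-5]`, `[SER-1]`) should be confirmed to still have a reference in the body, since unreferenced link definitions are easy to leave behind in a refactor like this.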
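Review bot: the new requirement-auth-to-entra-id.md ends without a trailing newline (`\ No newline at end of file` after the `[AZ-7]` definition); add one so the file matches the other two includes and does not produce a noisy diff on the next edit.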
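Review bot: the `:::row:::` opened in the new requirement-device-registration.md is never closed: the file ends with `:::column-end:::`, a blank line and the `[AZ-8]` definition, with no `:::row-end:::`, unlike requirement-auth-to-entra-id.md and requirement-directory-sync.md, which both close their own rows. Add `:::row-end:::` after `:::column-end:::` so the include renders correctly wherever it is embedded. Also, the two body lines under `:::column span="3":::` are not indented, while the equivalent lines in requirement-auth-to-entra-id.md are; align the indentation across the includes.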
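Review bot: in the new requirement-directory-sync.md, "During the Window Hello for Business provisioning process" should read "Windows Hello for Business"; the typo is carried over from the text removed from hybrid-key-trust.md, and moving it into an include is the moment to fix it. Separately, the `[!NOTE]` stating that hybrid key trust is not supported when the on-premises UPN suffix cannot be added as a verified domain is specific to the key trust model, while the include is named generically; if this include is meant to be shared by the other hybrid deployment pages, that note should stay in hybrid-key-trust.md or be made model-specific, otherwise the filename should reflect that it is key-trust only. Finally, the blank line between `:::column-end:::` and `:::row-end:::` differs from requirement-auth-to-entra-id.md; keep the row markup consistent.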