Update requirements and remove unnecessary content

Paolo Matarazzo 2023-12-27 12:27:48 -05:00
parent 59ad6d837c
commit a46b9b230f
4 changed files with 65 additions and 46 deletions

@ -13,49 +13,10 @@ ms.topic: tutorial
> Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. For more information, see [cloud Kerberos trust deployment](hybrid-cloud-kerberos-trust.md). > Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. For more information, see [cloud Kerberos trust deployment](hybrid-cloud-kerberos-trust.md).
[!INCLUDE [requirements](includes/requirements.md)] [!INCLUDE [requirements](includes/requirements.md)]
[!INCLUDE [requirement-directory-sync](includes/requirement-directory-sync.md)]
[!INCLUDE [requirement-auth-to-entra-id](includes/requirement-auth-to-entra-id.md)]
[!INCLUDE [requirement-device-registration](includes/requirement-device-registration.md)]
:::row:::
:::column span="1":::
Directories and directory synchronization
:::column-end:::
:::column span="3":::
Hybrid Windows Hello for Business needs two directories:
- An on-premises Active Directory
- A Microsoft Entra tenant
The two directories must be synchronized with [Microsoft Entra Connect Sync][AZ-1], which synchronizes user accounts from the on-premises Active Directory to Microsoft Entra ID.\
During the Window Hello for Business provisioning process, users register the public portion of their Windows Hello for Business credential with Microsoft Entra ID. *Microsoft Entra Connect Sync* synchronizes the Windows Hello for Business public key to Active Directory.
> [!NOTE]
> Windows Hello for Business hybrid key trust is not supported if the users' on-premises UPN suffix cannot be added as a verified domain in Microsoft Entra ID.
> [!IMPORTANT]
> Windows Hello for Business is tied between a user and a device. Both the user and device object must be synchronized between Microsoft Entra ID and Active Directory.
:::column-end:::
:::row-end:::
:::row:::
:::column span="1":::
Authentication to Microsoft Entra ID
:::column-end:::
:::column span="3":::
Authentication to Microsoft Entra ID can be configured with or without federation:
- [Password hash synchronization][AZ-6] or [Microsoft Entra pass-through authentication][AZ-7] is required for non-federated environments
- Active Directory Federation Services (AD FS) or a third-party federation service is required for federated environments
:::column-end:::
:::row-end:::
:::row:::
:::column span="1":::
Device registration
:::column-end:::
:::column span="3":::
The Windows devices must be registered in Microsoft Entra ID. Devices can be registered in Microsoft Entra ID using either *Microsoft Entra join* or *Microsoft Entra hybrid join*.\
For *Microsoft Entra hybrid joined* devices, review the guidance on the [Plan your Microsoft Entra hybrid join implementation][AZ-8] page.
:::column-end:::
:::row-end::: :::row-end:::
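
Review bot: The `:::row-end:::` kept as context directly after the three new `[!INCLUDE ...]` lines no longer has a matching `:::row:::` in this file. It now closes the row opened inside `includes/requirement-device-registration.md`, which ends at `:::column-end:::`. Any other page that reuses that include has to supply the same closing line or the row is left open. Move the `:::row-end:::` into the include and drop it here, so that all three includes are self-contained.
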
@ -109,13 +70,10 @@ To configure Windows Hello for Business, devices can be configured through a mob
> [Next: configure and validate the Public Key Infrastructure >](hybrid-key-trust-pki.md) > [Next: configure and validate the Public Key Infrastructure >](hybrid-key-trust-pki.md)
<!--links--> <!--links-->
[AZ-1]: /azure/active-directory/hybrid/how-to-connect-sync-whatis
[AZ-2]: /azure/multi-factor-authentication/multi-factor-authentication [AZ-2]: /azure/multi-factor-authentication/multi-factor-authentication
[AZ-3]: /azure/multi-factor-authentication/multi-factor-authentication-whats-next [AZ-3]: /azure/multi-factor-authentication/multi-factor-authentication-whats-next
[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd [AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
[AZ-5]: /azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler [AZ-5]: /azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler
[AZ-6]: /azure/active-directory/hybrid/whatis-phs
[AZ-7]: /azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication
[AZ-8]: /azure/active-directory/devices/hybrid-azuread-join-plan
[SER-1]: /windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa [SER-1]: /windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa
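
Review bot: The definitions for `[AZ-1]`, `[AZ-6]`, `[AZ-7]` and `[AZ-8]` are dropped from this link list on the assumption that their only uses were in the three blocks moved to includes. The visible context does not show the rest of the page body, so please confirm that no remaining paragraph in this file still references one of those four labels; otherwise it renders as literal bracket text instead of a link. The surviving labels now run AZ-2 to AZ-5, which is harmless but worth renumbering if this list is touched again.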

@ -0,0 +1,18 @@
---
ms.date: 12/15/2023
ms.topic: include
---
:::row:::
:::column span="1":::
Authentication to Microsoft Entra ID
:::column-end:::
:::column span="3":::
Authentication to Microsoft Entra ID can be configured with or without federation:
- [Password hash synchronization][AZ-6] or [Microsoft Entra pass-through authentication][AZ-7] is required for non-federated environments
- Active Directory Federation Services (AD FS) or a third-party federation service is required for federated environments
:::column-end:::
:::row-end:::
[AZ-6]: /azure/active-directory/hybrid/whatis-phs
[AZ-7]: /azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication
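
Review bot: The link labels `[AZ-6]` and `[AZ-7]` are carried over from the parent page's numbering and mean nothing inside a standalone include. The parent still defines `[AZ-2]` through `[AZ-5]`, and another page that pulls in this include may define its own `[AZ-n]` labels. If includes are inlined before link references are resolved, a reused number would silently point to the wrong target. Consider descriptive labels scoped to this file, or inline links, for the password hash synchronization and pass-through authentication references.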

@ -0,0 +1,15 @@
---
ms.date: 12/15/2023
ms.topic: include
---
:::row:::
:::column span="1":::
Device registration
:::column-end:::
:::column span="3":::
The Windows devices must be registered in Microsoft Entra ID. Devices can be registered in Microsoft Entra ID using either *Microsoft Entra join* or *Microsoft Entra hybrid join*.\
For *Microsoft Entra hybrid joined* devices, review the guidance on the [Plan your Microsoft Entra hybrid join implementation][AZ-8] page.
:::column-end:::
[AZ-8]: /azure/active-directory/devices/hybrid-azuread-join-plan
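
Review bot: This include opens `:::row:::` but has no `:::row-end:::` after the final `:::column-end:::`; the file goes straight to the `[AZ-8]` definition. The other two new includes in this commit both close their row. Add the missing `:::row-end:::` before the link definition so the file renders correctly on its own and does not depend on the including page to close it.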

@ -0,0 +1,28 @@
---
ms.date: 12/15/2023
ms.topic: include
---
:::row:::
:::column span="1":::
Directories and directory synchronization
:::column-end:::
:::column span="3":::
Hybrid Windows Hello for Business needs two directories:
- An on-premises Active Directory
- A Microsoft Entra tenant
The two directories must be synchronized with [Microsoft Entra Connect Sync][AZ-1], which synchronizes user accounts from the on-premises Active Directory to Microsoft Entra ID.\
During the Window Hello for Business provisioning process, users register the public portion of their Windows Hello for Business credential with Microsoft Entra ID. *Microsoft Entra Connect Sync* synchronizes the Windows Hello for Business public key to Active Directory.
> [!NOTE]
> Windows Hello for Business hybrid key trust is not supported if the users' on-premises UPN suffix cannot be added as a verified domain in Microsoft Entra ID.
> [!IMPORTANT]
> Windows Hello for Business is tied between a user and a device. Both the user and device object must be synchronized between Microsoft Entra ID and Active Directory.
:::column-end:::
:::row-end:::
[AZ-1]: /azure/active-directory/hybrid/how-to-connect-sync-whatis
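
Review bot: The sentence beginning "During the Window Hello for Business provisioning process" carries over a typo from the old inline text; it should read "Windows Hello for Business". Since the block is being moved into a shared include, this is a good point to fix it once. In the `[!IMPORTANT]` callout, "is tied between a user and a device" is also awkward; something like "is tied to both a user and a device" would make the requirement that both objects must be synchronized read more clearly.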