This commit is contained in:
Paolo Matarazzo
2023-09-13 09:34:23 -04:00
parent 50f7b3310e
commit c17eda8d76

@ -75,7 +75,8 @@ Here's a list of key scenarios that are supported by Web sign-in, and a brief an
:::row:::
:::column span="3":::
**Passwordless first sign-in experience**: users can perform the first sign in to Windows passwordless, before enablig Windows Hello for Business. For example, using Microsoft Authenticator in the Web sign-in flow. When used in conjuction with passworless, the organization can hide the password credential provider from the lock screen as well as in-session authentication scenarios. For more information, see [Windows Hello for Business passwordless](../hello-for-business/passwordless.md).
**Passwordless first sign-in experience**\
Uusers can perform the first sign in to Windows passwordless, before enablig Windows Hello for Business. For example, using Microsoft Authenticator in the Web sign-in flow. When used in conjuction with passworless, the organization can hide the password credential provider from the lock screen as well as in-session authentication scenarios. For more information, see [Windows Hello for Business passwordless](../hello-for-business/passwordless.md).
:::column-end:::
:::column span="1":::
:::image type="content" source="images/lock-screen.png" lightbox="../hello-for-business/images/pinreset/pin-reset.gif" alt-text="Animation of the Web sign-in experience with Microsoft Authenticator.":::
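Review bot: the new paragraph line opens with "Uusers", a typo this change introduces, and it carries over "enablig", "conjuction" and "passworless" from the line it replaces. Since the sentence is being touched anyway, fix all four (Users, enabling, conjunction, passwordless). The image line in the same column also pairs the alt text "Animation of the Web sign-in experience with Microsoft Authenticator" with a lightbox that points at pinreset/pin-reset.gif, so the asset and its description do not match.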
@ -83,7 +84,8 @@ Here's a list of key scenarios that are supported by Web sign-in, and a brief an
:::row-end:::
:::row:::
:::column span="3":::
**Windows Hello for Business PIN reset**: the PIN reset flow is seamless and more robust than in previous versions. For more information, see [PIN reset](../hello-for-business/hello-feature-pin-reset.md).
**Windows Hello for Business PIN reset**\
The PIN reset flow is seamless and more robust than in previous versions. For more information, see [PIN reset](../hello-for-business/hello-feature-pin-reset.md).
:::column-end:::
:::column span="1":::
:::image type="content" source="images/lock-screen.png" lightbox="../hello-for-business/images/pinreset/pin-reset.gif" alt-text="Animation of the PIN reset in experience.":::
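Review bot: the alt text on the image line, "Animation of the PIN reset in experience.", has a stray "in" and should read "Animation of the PIN reset experience." The reworded sentence still says the flow is "seamless and more robust than in previous versions" without naming what changed; one concrete difference, or leaving that to the linked PIN reset article, would serve readers better than the comparison as written.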
@ -91,7 +93,8 @@ Here's a list of key scenarios that are supported by Web sign-in, and a brief an
:::row-end:::
:::row:::
:::column span="3":::
**Temporary Access Pass (TAP)**: users can sign in using a Temporary Access Pass, which is a ...
**Temporary Access Pass (TAP)**\
Users can sign in using a Temporary Access Pass, which is a ...
:::column-end:::
:::column span="1":::
:::image type="content" source="images/lock-screen.png" lightbox="../hello-for-business/images/pinreset/pin-reset.gif" alt-text="Animation of the TAP sign in experience.":::
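Review bot: the Temporary Access Pass description still ends in "which is a ..." on the new line, so the placeholder was reformatted rather than completed. Finish the definition or cut the clause before this is published. The image line reuses images/lock-screen.png and the pin-reset.gif lightbox with alt text about TAP sign in, which looks like a placeholder asset as well.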
@ -99,7 +102,8 @@ Here's a list of key scenarios that are supported by Web sign-in, and a brief an
:::row-end:::
:::row:::
:::column span="3":::
**Sign in with a federated identity**: if the Microsoft Entra ID tenant is federated with a third-party SAML-P identity provider (IdP), federated users can sign to the Windows devices.
**Sign in with a federated identity**\
If the Microsoft Entra ID tenant is federated with a third-party SAML-P identity provider (IdP), federated users can sign to the Windows devices.
> [!TIP]
> To simplify the sign in experience, configure the preferred tenant policy, as it automatically redirect the sign in prompt to the IdP. For more information, see
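Review bot: the new sentence keeps "federated users can sign to the Windows devices", which is missing "in" ("can sign in to the Windows devices"). In the TIP that follows, "as it automatically redirect the sign in prompt" should be "redirects". These are context lines, but they sit next to the text being edited and are worth fixing in the same change.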
@ -115,20 +119,24 @@ Here's a list of key scenarios that are supported by Web sign-in, and a brief an
The following issues are known to affect Web sign-in:
- Once enabled, the Web sign-in credential provider is the default credential provider for the device. To change the default credential provider, you must use the [Authentication CSP][WIN-4].
You can use Group Policy to deploy an administrative template policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Administrative Templates > System > Logon**:
To verify:
- Non-federated users can't sign-in to the devices, including local accounts
- The *Other user* button is missing from the sign-in screen
### Preferred Azure AD tenant name
To improve the user experience, you can configure the *preferred Azure AD tenant name* feature.\
When using preferred AAD tenant name, the users bypass the disambiguation page and are redirected to the identity provider sign-in page. This configuration can be especially useful for student shared devices, where the disambiguation page is always shown.
### Sign in with federated identities
- To improve the user experience, you can configure the *preferred Azure AD tenant name* feature.
When using preferred AAD tenant name, the users can select the domain name during the sign-in process and redirected to the identity provider sign-in page.
For more information about preferred tenant name, see [Authentication CSP - PreferredAadTenantDomainName][WIN-4].
- Disable Windows Hello provisioning
## Troubleshooting
- The user can exit the federated sign-in flow by pressing <kbd>Ctrl</kbd>+<kbd>Alt</kbd>+<kbd>Delete</kbd> to get back to the standard Windows sign-in screen
- Select the *Other User* button, and the standard username/password credentials are available to log into the device
- The user can exit the web sign-in flow by pressing <kbd>Ctrl</kbd>+<kbd>Alt</kbd>+<kbd>Delete</kbd> to get back to the Windows lock screen
<!--links-->
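Review bot: product naming is inconsistent in this hunk. The headings and body use "Azure AD" and "AAD" ("preferred Azure AD tenant name", "preferred AAD tenant name") while the scenario text earlier in the file says "Microsoft Entra ID", so pick one name and apply it throughout. The sentence "the users can select the domain name during the sign-in process and redirected to the identity provider sign-in page" is missing "are" before "redirected". The Group Policy sentence ends with "System > Logon**:" but no policy setting name follows the colon, and the bare bullet "Disable Windows Hello provisioning" has no explanation or link. The verification list states that local accounts can't sign in and that the *Other user* button is missing, which should be called out as a lockout risk alongside the known-issue bullet that makes Web sign-in the default credential provider.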