Updating the web sign-in policy to reflect that it is now supported/out of private preview.
---
title: Policy CSP - Authentication
description: The Policy CSP - Authentication setting allows the Azure AD tenant administrators to enable self service password reset feature on the Windows sign-in screen.
ms.author: vinpa
ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.reviewer: bobgil
manager: aaroncz
---
# Policy CSP - Authentication

## Authentication policies
- Authentication/AllowAadPasswordReset
- Authentication/AllowEAPCertSSO
- Authentication/AllowFastReconnect
- Authentication/AllowFidoDeviceSignon
- Authentication/AllowSecondaryAuthenticationDevice
- Authentication/ConfigureWebSignInAllowedUrls
- Authentication/ConfigureWebcamAccessDomainNames
- Authentication/EnableFastFirstSignIn
- Authentication/EnableWebSignIn
- Authentication/PreferredAadTenantDomainName
### Authentication/AllowAadPasswordReset
Edition | Windows 10 | Windows 11 |
---|---|---|
Home | No | No |
Pro | Yes | Yes |
Windows SE | No | Yes |
Business | Yes | Yes |
Enterprise | Yes | Yes |
Education | Yes | Yes |
> [!div class = "checklist"]
> - Device
Specifies whether password reset is enabled for Azure Active Directory accounts. This policy allows Azure AD tenant administrators to enable the self-service password reset feature on the Windows logon screen.
The following list shows the supported values:
- 0 (default) – Not allowed.
- 1 – Allowed.
### Authentication/AllowEAPCertSSO
Edition | Windows 10 | Windows 11 |
---|---|---|
Home | No | No |
Pro | Yes | Yes |
Windows SE | No | Yes |
Business | Yes | Yes |
Enterprise | Yes | Yes |
Education | Yes | Yes |
> [!div class = "checklist"]
> - User
Allows EAP certificate-based authentication for single sign-on (SSO) to access internal resources.
The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
### Authentication/AllowFastReconnect
Edition | Windows 10 | Windows 11 |
---|---|---|
Home | No | No |
Pro | Yes | Yes |
Windows SE | No | Yes |
Business | Yes | Yes |
Enterprise | Yes | Yes |
Education | Yes | Yes |
> [!div class = "checklist"]
> - Device
Allows EAP Fast Reconnect to be attempted for the EAP-TLS method.
Most restricted value is 0.
The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
### Authentication/AllowFidoDeviceSignon
Edition | Windows 10 | Windows 11 |
---|---|---|
Home | No | No |
Pro | Yes | Yes |
Windows SE | No | Yes |
Business | Yes | Yes |
Enterprise | Yes | Yes |
Education | Yes | Yes |
> [!div class = "checklist"]
> - Device
Supported in the next release. Specifies whether a Fast Identity Online (FIDO) device can be used to sign on. This policy enables the Windows logon credential provider for FIDO 2.0.
Value type is integer.
Here's an example scenario: At Contoso, there are many shared devices and kiosks that employees use throughout the day; for example, an employee may use as many as 20 different devices. To minimize the loss in productivity when employees have to sign in with username and password every time they pick up a device, the IT admin deploys the SharedPC CSP and the Authentication/AllowFidoDeviceSignon policy to shared devices. The IT admin provisions and distributes FIDO 2.0 devices to employees, which allows them to authenticate to the various shared devices and PCs.
The following list shows the supported values:
- 0 - Don't allow. The FIDO device credential provider is disabled.
- 1 - Allow. The FIDO device credential provider is enabled and allows usage of FIDO devices to sign in to Windows.
### Authentication/AllowSecondaryAuthenticationDevice
Edition | Windows 10 | Windows 11 |
---|---|---|
Home | No | No |
Pro | Yes | Yes |
Windows SE | No | Yes |
Business | Yes | Yes |
Enterprise | Yes | Yes |
Education | Yes | Yes |
> [!div class = "checklist"]
> - Device
Allows secondary authentication devices to work with Windows.
The default for this policy must be on for consumer devices (defined as a local or Microsoft account-connected device) and off for enterprise devices (such as cloud domain-joined, cloud domain-joined in an on-premises-only environment, cloud domain-joined in a hybrid environment, and BYOD).
In the next major release of Windows 10, the default for this policy for consumer devices will be changed to off. This change will only affect users that have not already set up a secondary authentication device.
ADMX Info:
- GP Friendly name: Allow companion device for secondary authentication
- GP name: MSSecondaryAuthFactor_AllowSecondaryAuthenticationDevice
- GP path: Windows Components/Microsoft Secondary Authentication Factor
- GP ADMX file name: DeviceCredential.admx
The following list shows the supported values:
- 0 – Not allowed.
- 1 – Allowed.
### Authentication/ConfigureWebSignInAllowedUrls
Edition | Windows 10 | Windows 11 |
---|---|---|
Home | No | No |
Pro | Yes | Yes |
Windows SE | No | Yes |
Business | Yes | Yes |
Enterprise | Yes | Yes |
Education | Yes | Yes |
> [!div class = "checklist"]
> - Device
Specifies the list of domains that may be navigated to in Azure Active Directory PIN reset and Web Sign-in scenarios on Windows devices where authentication is handled by AD FS or a third-party federated identity provider. Note that this policy is required in federated environments as a mitigation for the vulnerability described in CVE-2021-27092.
Example: If your organization's PIN reset or Web Sign-in authentication flow is expected to navigate to two domains, accounts.contoso.com and signin.contoso.com, the policy value should be "accounts.contoso.com;signin.contoso.com".
### Authentication/ConfigureWebcamAccessDomainNames
Edition | Windows 10 | Windows 11 |
---|---|---|
Home | No | No |
Pro | Yes | Yes |
Windows SE | No | Yes |
Business | Yes | Yes |
Enterprise | Yes | Yes |
Education | Yes | Yes |
> [!div class = "checklist"]
> - Device
Specifies the list of domain names that are allowed to access the webcam in Web Sign-in Windows device sign-in scenarios.
Web Sign-in is only supported on Azure AD Joined PCs.
Example: If your organization federates to "Contoso IDP" and your Web Sign-in portal at "signinportal.contoso.com" requires webcam access, the policy value should be "contoso.com".
### Authentication/EnableFastFirstSignIn
Edition | Windows 10 | Windows 11 |
---|---|---|
Home | No | No |
Pro | Yes | Yes |
Windows SE | No | Yes |
Business | Yes | Yes |
Enterprise | Yes | Yes |
Education | Yes | Yes |
> [!div class = "checklist"]
> - Device

> [!WARNING]
> The Web Sign-in feature is in private preview mode only and not meant or recommended for production purposes. This setting is not currently supported at this time.
This policy is intended for use on Shared PCs to enable a quick first sign-in experience for a user. It works by automatically connecting new non-admin Azure Active Directory (Azure AD) accounts to the pre-configured candidate local accounts.
> [!IMPORTANT]
> Pre-configured candidate local accounts are any local accounts (pre-configured or added) in your device.
Value type is integer. Supported values:
- 0 - (default) The feature defaults to the existing SKU and device capabilities.
- 1 - Enabled. Auto-connect new non-admin Azure AD accounts to pre-configured candidate local accounts.
- 2 - Disabled. Don't auto-connect new non-admin Azure AD accounts to pre-configured local accounts.
### Authentication/EnableWebSignIn
Edition | Windows 10 | Windows 11 |
---|---|---|
Home | No | No |
Pro | Yes | Yes |
Windows SE | No | Yes |
Business | Yes | Yes |
Enterprise | Yes | Yes |
Education | Yes | Yes |
> [!div class = "checklist"]
> - Device

> [!WARNING]
> The Web sign-in feature is intended for recovery purposes in the event a password is not available as an authentication method. Web sign-in only supports Temporary Access Pass as an authentication method for Azure Active Directory, unless it is being used in a limited federated scope.

"Web sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for new Azure AD credentials, like Temporary Access Pass.

> [!NOTE]
> Web sign-in is only supported on Azure AD Joined PCs.
Value type is integer. Supported values:
- 0 - (default) The feature defaults to the existing SKU and device capabilities.
- 1 - Enabled. Web Credential Provider will be enabled for a sign-in.
- 2 - Disabled. Web Credential Provider won't be enabled for a sign-in.
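As an added example that is not part of the original page, the two policies ConfigureWebSignInAllowedUrls (above) and EnableWebSignIn delivered together in a single OMA-DM SyncML request, so that turning on the web credential provider in a federated tenant ships with the domain allowlist the CVE-2021-27092 mitigation requires. The LocURI paths assume the Policy CSP device-scope convention `./Device/Vendor/MSFT/Policy/Config/Authentication/<policy name>`, and the contoso.com hosts are the page's own example values.

```xml
<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <!-- Enable the Web Credential Provider (EnableWebSignIn = 1) -->
    <Replace>
      <CmdID>1</CmdID>
      <Item>
        <Target>
          <LocURI>./Device/Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">int</Format>
        </Meta>
        <Data>1</Data>
      </Item>
    </Replace>
    <!-- Restrict navigation to the federated sign-in hosts; semicolon-separated, as in the page's example -->
    <Replace>
      <CmdID>2</CmdID>
      <Item>
        <Target>
          <LocURI>./Device/Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">chr</Format>
        </Meta>
        <Data>accounts.contoso.com;signin.contoso.com</Data>
      </Item>
    </Replace>
    <Final/>
  </SyncBody>
</SyncML>
```

On an Azure AD joined device, both settings can be verified afterwards from the MDM diagnostic report, where each LocURI appears with the value that was applied.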
### Authentication/PreferredAadTenantDomainName
Edition | Windows 10 | Windows 11 |
---|---|---|
Home | No | No |
Pro | Yes | Yes |
Windows SE | No | Yes |
Business | Yes | Yes |
Enterprise | Yes | Yes |
Education | Yes | Yes |
> [!div class = "checklist"]
> - Device
Specifies the preferred domain among available domains in the Azure AD tenant.
Example: If your organization is using the "@contoso.com" tenant domain name, the policy value should be "contoso.com". For the user "abby@contoso.com", sign-in is then done using "abby" in the username field instead of "abby@contoso.com".
Value type is string.