Azure AD – Password less with FIDO2 now in preview for hybrid deployments

As you may be already aware, support for password less with FIDO2 keys has been in preview for quite some time already for Azure AD Joined devices and browser sign-ins (see

Well, good news as you can now also use FIDO2 keys to authenticate against Azure AD Hybrid joined device – aka Windows 10 devices joined to Active Directory domain and registered in Azure Active Directory.

You can check if a device is Azure AD or Hybrid joined by checking the Azure AD portal ( or Azure portal ( by accessing the Azure Active DirectoryDevicesAll Device blade

image_thumb[3]  image_thumb[2]  image_thumb

Then you need (if not yet done already) ensure the below:

Then you enable the hybrid settings:

  • From your Azure AD Connect server, create a Kerberos object using the below PowerShell commands; this will create a disabled user account called krbtgt_AzureAD located in the Users default OU

Import-Module “C:Program FilesMicrosoft Azure Active Directory ConnectAzureADKerberos\AzureAdKerberos.psd1”

$domain = “<your AD domain>”
$cloudCred = Get-Credential
$domainCred = Get-Credential
Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred


  • You can also check the process has been completed successfully using the PowerShell command

Get-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred

  • If for some reason you need to remove this object, just use the command

Remove-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred

NOTE if you also use the Seamsless SSO, you are already aware you need to rotate the encryption krbtgt keys; this is the same here. Just use the command

Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred –RotateServerKey


If your password expired, the FIDO2 authentication will fail. You need to update your password to make it working again.

That’s it folks, you have enabled FIDO2 authentication for your Active Directory domain joined Windows 10 devices Smile