Password-less sign-in to Windows 10 and Azure AD using FIDO2 is coming soon (plus other cool news)!

Howdy folks,

Today I want to tell you about some exciting new features we’ve been working on. Specifically, today we are announcing that:

  1. A limited preview of password-less sign-in using a FIDO2 security key will be available in the next update to Windows 10 (coming this spring).
  2. Azure AD Conditional Access policies can now check device health as reported by Windows Defender Advanced Threat Protection.
  3. Azure AD access reviews, Privileged Identity Management and Terms of Use features are all now Generally Available.
  4. With the addition of domain allow and deny lists, Azure AD B2B Collaboration now gives you the ability to control which partner organizations you work with.

For more details, keep scrolling!

A limited preview of password-less sign-in using a FIDO2 security key will be available in the next update to Windows 10 (coming this spring).

If you want to significantly improve your security posture, cut the risk of phishing attacks and cut your password management costs, then you are going to love the work we are doing to add FIDO2 support to Windows 10.

With the next Windows 10 update, we’re adding a limited preview of our FIDO2 security key support. This new capability will give your employees the ability to sign in to an Azure Active Directory-joined Windows 10 PC without a username or password. All they will need to do is insert a FIDO2-compliant security key into their USB port and tap it. They’ll be automatically signed in to the device, and they’ll get single sign-on access to all your Azure AD protected cloud resources as well.

See how it works in this video:

Head over to the Windows for Business blog to learn more about how FIDO2 security keys work with Windows Hello.

We’ve got lots more work to do here of course, including adding support for delegated key creation, and support for hybrid environments. But this is going to be a HUGE step in our drive to eliminate passwords for good and we’re really excited about it.
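To make concrete why a security key sign-in resists phishing in a way a password cannot, here is an added example that is not Microsoft's code and does not describe the Windows Hello implementation. It goes beyond the post by walking through the challenge-response exchange a FIDO2/WebAuthn relying party performs: the key signs over the site identifier (rpIdHash), the browser-supplied origin and the server's challenge, and the relying party checks all of those plus a strictly increasing signature counter before it accepts anything. The `login.example.com` relying party, the `login-example.test` look-alike, the software-generated key and the `Sign`, `Verify` and `RunScenarios` functions are all constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Assertion is what the platform hands the relying party (RP) after the user taps the key.
type Assertion struct{ AuthenticatorData, ClientDataJSON, Signature []byte }

// Credential is the RP's registration record: the public key plus the last counter seen.
type Credential struct {
	Pub       *ecdsa.PublicKey
	SignCount uint32
}

// signedDigest is the ES256 message: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// Sign models the key: the platform, not the user, supplies rpID and origin, so the signature is tied to that site.
func Sign(priv *ecdsa.PrivateKey, counter uint32, rpID, origin string, challenge []byte) (Assertion, error) {
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData := append(rpIDHash[:], 0x01, 0, 0, 0, 0) // rpIdHash || flags (UP: user present) || counter
	binary.BigEndian.PutUint32(authData[33:], counter)
	cd, _ := json.Marshal(map[string]string{"type": "webauthn.get", "origin": origin,
		"challenge": base64.RawURLEncoding.EncodeToString(challenge)}) // cannot fail for a string map
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cd))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{AuthenticatorData: authData, ClientDataJSON: cd, Signature: sig}, nil
}

// Verify is the RP side: origin, challenge, rpIdHash, user presence and counter are checked before the signature.
func Verify(cred *Credential, a Assertion, rpID, origin string, challenge []byte) error {
	var cd map[string]string
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd["type"] != "webauthn.get" || cd["origin"] != origin ||
		cd["challenge"] != base64.RawURLEncoding.EncodeToString(challenge) {
		return errors.New("client data is not bound to this RP's origin and challenge")
	}
	rpIDHash := sha256.Sum256([]byte(rpID))
	if len(a.AuthenticatorData) < 37 || !bytes.Equal(a.AuthenticatorData[:32], rpIDHash[:]) ||
		a.AuthenticatorData[32]&0x01 == 0 {
		return errors.New("authenticator data malformed, rpIdHash mismatch, or no user presence")
	}
	count := binary.BigEndian.Uint32(a.AuthenticatorData[33:37])
	if count <= cred.SignCount {
		return errors.New("signature counter did not increase: possible replay")
	}
	if !ecdsa.VerifyASN1(cred.Pub, signedDigest(a.AuthenticatorData, a.ClientDataJSON), a.Signature) {
		return errors.New("invalid signature")
	}
	cred.SignCount = count // commit state only after every check passed
	return nil
}

// RunScenarios registers one constructed credential (a software key; a real key holds it in
// hardware) and reports which assertions the RP accepted. Only the first should be true.
func RunScenarios() (genuine, replay, wrongOrigin bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	cred := &Credential{Pub: &priv.PublicKey}
	const rpID, origin = "login.example.com", "https://login.example.com" // constructed RP
	challenge := make([]byte, 32)
	rand.Read(challenge) // crypto/rand.Read does not fail on supported platforms
	asrt, err := Sign(priv, 1, rpID, origin, challenge)
	if err != nil {
		return
	}
	genuine = Verify(cred, asrt, rpID, origin, challenge) == nil
	replay = Verify(cred, asrt, rpID, origin, challenge) == nil // counter value 1 was already seen
	// Same key and challenge, but the platform reports a look-alike site's rpID and origin.
	other, err := Sign(priv, 2, "login-example.test", "https://login-example.test", challenge)
	if err != nil {
		return
	}
	wrongOrigin = Verify(cred, other, rpID, origin, challenge) == nil
	return
}

func main() { fmt.Println(RunScenarios()) } // expected: true false false <nil>
```

Running it prints `true false false <nil>`: the genuine assertion is accepted, presenting it a second time fails the counter check, and an assertion the same key produced for a look-alike site fails the origin and rpIdHash checks even though the user tapped the key. Nothing the user can type or be talked into typing changes that outcome, which is the property behind the post's phishing claim.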

Azure AD Conditional Access policies can now check device health as reported by Windows Defender Advanced Threat Protection.

We’re also announcing some major improvements to Azure AD Conditional Access based on a new integration with Intune and Windows Defender Advanced Threat Protection. You can now create access policies based on the risk level detected at Windows 10 endpoints, which helps you ensure that only trusted users on trusted devices can access your corporate data. With this new integration, Azure AD Conditional Access can now receive intelligence about suspicious activity in domain-joined devices and automatically block those devices from accessing corporate resources.

We have a video you can watch to learn more about how this integration works, and you can read about it in more detail on the Windows blog.

More updates!

We’ve got a few more updates to share that we think you’ll be happy to hear about, too.

At Ignite 2017, we announced the public preview of Azure AD access reviews, Privileged Identity Management (PIM) for Azure, and Terms of Use, and we are now happy to announce the general availability of these three features in Azure AD Premium!

  • Access reviews: We created access reviews to help you manage the drift in access rights over time. With GA, you can schedule access reviews to run on a regular basis. And review results can be automatically applied to help ensure clean compliance reviews.
  • Azure AD PIM for Azure Resources: You can now use Azure AD PIM’s time-bound access and assignment capabilities to secure access to Azure Resources. For example, you can enforce Multi-Factor Authentication or an approval workflow whenever a user requests elevation into the Virtual Machine Contributor role. 
  • Terms of Use: Many customers have told us they need a way to tell their employees and partners how they should be using the data they are about to access, especially with the May 25th 2018 GDPR deadline looming. Azure AD Terms of Use is now GA. We’ve recently added support for configuring terms in multiple languages and new detailed reports showing when specific users consented to which set of terms of use.

With the addition of domain allow and deny lists, Azure AD B2B Collaboration now gives you the ability to control which partner organizations you work with.

Last but not least, you can now specify which partner organizations you want to share and collaborate with in Azure AD B2B Collaboration. To do this, you create a list of specific domains to allow or to deny. When a domain is blocked using these capabilities, employees can no longer send invitations to people in that domain.

This helps you control access to your resources, while enabling a smooth experience for approved users.

This B2B Collaboration feature is available for all Azure Active Directory customers and can be used in conjunction with Azure AD Premium features like conditional access and identity protection for more granular control of when and how external business users sign in and gain access.
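As an added example that is not Microsoft's code and does not describe how Azure AD implements the feature, the following Go program models how a domain allow or deny list decides whether an invitation may be sent, and emits a decision record per invitee that an administrator could keep for audit. It assumes, as noted in the code, that a tenant runs either an allow list or a deny list and that domains are matched exactly and case-insensitively; whether a listed domain also covers its subdomains is something to confirm against your own tenant rather than against this model. The `CollaborationPolicy` type, its methods and the sample invitees are all constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Mode selects which kind of domain list is in force. This model assumes a tenant
// runs either an allow list or a deny list, never both at once.
type Mode int

const (
	NoRestriction Mode = iota
	AllowList
	DenyList
)

// CollaborationPolicy is a constructed model of the B2B domain restriction.
type CollaborationPolicy struct {
	Mode    Mode
	domains map[string]bool // normalised, lower-case domains, matched exactly
}

// NewPolicy normalises the listed domains. An empty allow list would block every
// invitation, so it is rejected instead of being applied silently.
func NewPolicy(mode Mode, domains ...string) (*CollaborationPolicy, error) {
	p := &CollaborationPolicy{Mode: mode, domains: map[string]bool{}}
	for _, d := range domains {
		n, err := normaliseDomain(d)
		if err != nil {
			return nil, err
		}
		p.domains[n] = true
	}
	if mode == AllowList && len(p.domains) == 0 {
		return nil, errors.New("allow list is empty: no partner could be invited")
	}
	return p, nil
}

// normaliseDomain lower-cases and trims a domain and rejects obviously malformed input.
func normaliseDomain(d string) (string, error) {
	d = strings.TrimSuffix(strings.ToLower(strings.TrimSpace(d)), ".")
	if d == "" || strings.ContainsAny(d, " @/\\") {
		return "", fmt.Errorf("malformed domain %q", d)
	}
	return d, nil
}

// Decision is the audit record for one invitation attempt.
type Decision struct {
	Invitee string
	Allowed bool
	Reason  string
}

// Evaluate decides whether an invitation to the given address may be sent.
func (p *CollaborationPolicy) Evaluate(invitee string) Decision {
	at := strings.LastIndex(invitee, "@")
	if at <= 0 || at == len(invitee)-1 {
		return Decision{invitee, false, "invalid address"}
	}
	domain, err := normaliseDomain(invitee[at+1:])
	if err != nil {
		return Decision{invitee, false, err.Error()}
	}
	listed := p.domains[domain]
	switch p.Mode {
	case AllowList:
		return Decision{invitee, listed, fmt.Sprintf("allow list in force, %s listed=%v", domain, listed)}
	case DenyList:
		return Decision{invitee, !listed, fmt.Sprintf("deny list in force, %s listed=%v", domain, listed)}
	}
	return Decision{invitee, true, "no domain restriction configured"}
}

// EvaluateAll applies the policy to a batch of invitees, such as a CSV of guest invitations.
func (p *CollaborationPolicy) EvaluateAll(invitees []string) []Decision {
	out := make([]Decision, 0, len(invitees))
	for _, inv := range invitees {
		out = append(out, p.Evaluate(inv))
	}
	return out
}

func main() {
	// Constructed sample: a deny list blocking one partner domain. Note that the
	// exact-match rule lets a subdomain of the blocked domain through.
	p, err := NewPolicy(DenyList, "Blocked-Partner.example")
	if err != nil {
		fmt.Println(err)
		return
	}
	invitees := []string{"alice@partner.example", "bob@BLOCKED-partner.example",
		"carol@sub.blocked-partner.example", "not-an-address"}
	for _, d := range p.EvaluateAll(invitees) {
		fmt.Printf("%-35s allowed=%-5v %s\n", d.Invitee, d.Allowed, d.Reason)
	}
}
```

Running it prints one line per constructed invitee: `bob@BLOCKED-partner.example` is refused despite the different letter case, `not-an-address` is refused because no domain can be derived from it, and `carol@sub.blocked-partner.example` passes, which is the exact-match caveat worth checking against the real feature before relying on a deny list to cover a partner's subdomains.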

Go here to learn more.

Wrapping up

We’re excited to be able to bring you new ways to manage passwords, protect identities, and mitigate threats. The password-less sign-in to Windows with Azure AD feature will soon be in limited preview, so let us know if you’d like to get on the waitlist to try it out.

And as always, if you have any feedback or suggestions, please tell us! We’re looking forward to hearing from you.

Best Regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division