Passwordless & Windows Hello for Business | Guided by A Guide to Cloud

The case for going passwordless

Simple explanation

Passwords are like house keys that everyone copies, loses, and writes on sticky notes.

Passwordless authentication replaces them with something you are (your fingerprint or face) combined with something you have (your phone, a security key, or the device itself). You never type a password — there’s nothing to phish, nothing to guess, nothing to leak in a breach.

Three main options: your face/fingerprint on your work laptop (Windows Hello), a USB security key (FIDO2), or your phone (Authenticator passwordless mode).

Passwordless methods compared

Feature	FIDO2 Security Keys	Windows Hello for Business	Authenticator Passwordless
What the user does	Insert/tap USB key + biometric or PIN	Face, fingerprint, or PIN on Windows device	Match number on phone + biometric or PIN
Credential bound to	The physical security key	The specific Windows device	The registered phone
Works on shared devices
Works across platforms	Yes (USB/NFC on any OS)	Windows only	iOS and Android
Phishing-resistant			No (phone sign-in) / Yes (passkey mode)
Hardware required	Yes — FIDO2 key (~$25-60)	No — built into Windows	No — user's phone
Works offline	Yes (Windows sign-in)	Yes (Windows sign-in)	No — needs internet
Hybrid AD support	With Entra Kerberos	With cloud/hybrid trust	Cloud apps only
Best for	Shared workstations, frontline	Knowledge workers with assigned devices	Broad rollout, low hardware cost

FIDO2 security keys and passkeys

FIDO2 (Fast IDentity Online) uses public-key cryptography. The private key never leaves the security key — only the public key is registered with Entra ID.

Passkeys are the evolution of FIDO2:

Device-bound passkeys — stored on a specific hardware key (e.g., YubiKey). Cannot be copied. Most secure.
Synced passkeys — stored in a platform credential manager (Apple Keychain, Google Password Manager, Windows). Can sync across devices. Convenient but less secure for high-assurance scenarios.

Enabling FIDO2 in Entra ID:

Go to Protection → Authentication methods → FIDO2 security key
Enable for all users or specific groups
Optionally restrict to specific key models using AAGUID filtering (e.g., only allow YubiKey 5 series)
Configure key restrictions: allow list (only specific models) or block list (block known-weak models)

Exam tip: FIDO2 key restrictions and AAGUID

The exam tests whether you know about AAGUID (Authenticator Attestation GUID) — a unique identifier for each FIDO2 key model. You can configure Entra to only accept keys from approved vendors by adding their AAGUIDs to an allow list.

This prevents users from registering cheap, unvetted security keys that might not meet your security standards. In high-security environments (government, finance), AAGUID filtering is a must.

Windows Hello for Business (WHfB)

WHfB replaces passwords with strong two-factor authentication on Windows devices: biometric or PIN + the device itself (which holds the private key in a TPM chip).

Important distinction: A WHfB PIN is NOT the same as a regular password PIN. A WHfB PIN is:

Bound to the specific device (useless on another device)
Backed by the device’s TPM hardware
Never transmitted over the network
A local unlock for the private key stored in hardware

Deployment models

Model	Identity Infrastructure	Key Storage	When to Choose
Cloud Kerberos trust	Hybrid (Entra ID + on-prem AD)	TPM on device	✅ Recommended for hybrid — simplest
Key trust	Hybrid	TPM on device	Older model — requires PKI certificates on ALL domain controllers
Certificate trust	Hybrid	TPM on device	When you need certificates on users’ devices (VPN, Wi-Fi auth)
Cloud-only	Entra ID only (no on-prem AD)	TPM on device	Cloud-only organisations

Deep dive: cloud Kerberos trust vs key trust

Cloud Kerberos trust (the recommended model) uses Entra Kerberos — a partial Kerberos ticket-granting ticket (TGT) from the cloud that gets exchanged for a full on-prem TGT. This means:

No need to deploy certificates to domain controllers
No need for a PKI infrastructure
Simpler setup, faster deployment

Key trust (the older model) requires:

Certificates on ALL domain controllers (from an enterprise CA)
More infrastructure to manage
Used before cloud Kerberos trust existed

If the exam asks “what is the simplest way to deploy WHfB in a hybrid environment,” the answer is cloud Kerberos trust.

WHfB deployment steps (cloud Kerberos trust)

Enable WHfB — via Intune device configuration policy or GPO
Deploy Entra Kerberos — create an Entra Kerberos server object in on-prem AD using PowerShell (Install-AzureADKerberosServer)
Configure Intune policy — target the WHfB profile to a device group
User experience — at next sign-in, Windows prompts the user to set up WHfB (face, fingerprint, or PIN)

Scenario: Priya deploys WHfB at Meridian Health

Meridian Health (5,000 staff) has a hybrid environment with Entra Connect syncing to on-prem AD. Priya wants to deploy WHfB to eliminate password use for clinical staff.

Her plan:

Choose cloud Kerberos trust — simplest for hybrid. Meridian doesn’t have a full PKI infrastructure and doesn’t want to deploy certificates to domain controllers.
Create the Entra Kerberos server object — runs Install-AzureADKerberosServer on a domain controller, creating the AzureADKerberos object in AD.
Intune policy — creates a WHfB device configuration profile targeting the “Clinical Devices” group.
Pilot with 200 nurses — monitors for issues over 2 weeks (are they successfully getting on-prem Kerberos tickets for file shares?).
Expand to all staff — once the pilot is clean, applies the profile organisation-wide.

Why cloud Kerberos trust works here: Nurses access both cloud apps (Microsoft 365) and on-prem resources (shared drives on file servers). Cloud Kerberos trust gives them seamless SSO to both — the partial TGT from the cloud is exchanged for a full TGT on-prem.

Entra Kerberos for hybrid

Entra Kerberos bridges the gap between cloud authentication and on-premises Kerberos-based resources (file servers, printers, intranet apps).

How it works:

User authenticates to Entra ID (via WHfB, FIDO2, or Authenticator)
Entra issues a partial TGT (a cloud-issued Kerberos ticket)
When the user accesses an on-prem resource, the partial TGT is presented to a domain controller
The DC exchanges it for a full TGT (valid for on-prem resources)
User accesses on-prem resources seamlessly — no password needed

Requirements:

Windows 10 21H2+ or Windows 11
Entra Hybrid Joined or Entra Joined devices
Domain controllers running Windows Server 2016+
AzureADKerberos server object created in on-prem AD
Line of sight to a domain controller (on-prem network or VPN)

Exam tip: Entra Kerberos is NOT the same as seamless SSO

Both involve Kerberos, but they’re different:

Seamless SSO — uses a computer account (AZUREADSSOACC) for domain-joined devices to get silent sign-in to cloud apps. Works with PHS/PTA.
Entra Kerberos — uses the AzureADKerberos server object for cloud-authenticated users to access on-prem resources. Works with WHfB and FIDO2.

Seamless SSO goes cloud-ward (on-prem → cloud). Entra Kerberos goes on-prem-ward (cloud → on-prem).

🎬 Video walkthrough

🎬 Video coming soon

Passwordless & WHfB — SC-300 Module 10

~13 min

Flashcards

Question

What is the difference between a device-bound passkey and a synced passkey?

Click or press Enter to reveal answer

Answer

A device-bound passkey is stored on a specific hardware security key and cannot be copied — highest security. A synced passkey is stored in a platform credential manager (Apple Keychain, Google, Windows) and can sync across devices — more convenient but less secure for high-assurance scenarios.

Click to flip back

Question

Why is a Windows Hello for Business PIN NOT the same as a regular password?

Click or press Enter to reveal answer

Answer

A WHfB PIN is bound to the specific device (useless on another device), backed by the TPM chip, never transmitted over the network, and only serves as a local unlock for the device-stored private key. A password is reusable anywhere and travels across the network.

Click to flip back

Question

What is cloud Kerberos trust and why does Microsoft recommend it for hybrid WHfB?

Click or press Enter to reveal answer

Answer

Cloud Kerberos trust uses a partial TGT from Entra ID that gets exchanged for a full on-prem TGT at a domain controller. It's recommended because it's the simplest hybrid deployment — no need to deploy certificates to domain controllers or maintain PKI infrastructure.

Click to flip back

Question

What is the AzureADKerberos server object?

Click or press Enter to reveal answer

Answer

A read-only domain controller (RODC) object created in on-prem AD by the Install-AzureADKerberosServer cmdlet. It enables Entra Kerberos — allowing cloud-authenticated users to obtain Kerberos tickets for on-prem resources. Its encryption key should be rotated regularly.

Click to flip back

Knowledge Check

Meridian Health wants to deploy passwordless authentication for frontline workers who share workstations in the hospital. Workers sign in and out frequently on the same device. Which method is most appropriate?

Knowledge Check

An organisation has a hybrid environment with on-prem file servers. They want to deploy WHfB without deploying certificates to domain controllers. Which deployment model should they use?

Knowledge Check

A security admin wants to ensure that only YubiKey 5 series keys can be registered as FIDO2 security keys in Entra ID. What should they configure?

Next up: MFA, SSPR & Password Protection — configure multi-factor authentication, self-service password reset, and protect against bad passwords with Entra password protection.