Microsoft and Yubico part 4: Enterprise strong authentication recommended action items

 Note: This document lists all the references in the series in one easy to find place. Additional informational references are also provided for more details.

Enable security keys as an available passwordless authentication method

• Enable FIDO2 security keys as a sign-in option in Azure AD
  
  • Enable passwordless security key sign in

• Enable CBA as a sign-in option in Azure AD
  
  • How to configure Azure AD certificate-based authentication

Secure the admins by enforcing MFA

• Require MFA for Azure AD admins using baseline policies or Conditional Access Policies
  
  • Before you begin: Protect privileged accounts with MFA

Drive more adoption of passwordless using Conditional Access Policies

• Focus on getting users to use passwordless sign-in
• Create Conditional Access Policies to require MFA for specific applications and groups of users
  
  • Azure AD Conditional Access documentation
• Leverage Identity Protection to require MFA for Medium and High Risk sign-ins.
  
  • Azure AD Conditional Access Policies: Sign-in risk conditions

• Evaluate the use of authentication strength Conditional Access Policies
  
  • Conditional Access authentication strength

Enable Windows sign-in with FIDO2 security keys

• Enable Windows to use FIDO2 credential provider
  
  • Enable Windows 11 support

Federate your SaaS applications with Azure AD

• Connect to your applications with federated Single Sign On
  
  • Single sign-on to applications

Enable alternate MFA options for applications that don't support passwordless

• Leverage Azure MFA OATH-TOTP capabilities with YubiKeys if passwordless sign-in cannot be leveraged.
  
  • Using YubiKeys with Microsoft Entra ID MFA OATH-TOTP
• Leverage SaaS applications' native MFA capabilities with YubiKeys if the SaaS application cannot be federated with Azure AD
  
  • Works With YubiKey Catalog

Synchronize your on-premises users with AAD Connect

• Synchronize on-premises users with AAD Connect.
  
  • What is Azure AD Connect?

Migrate on-premises applications federated with AD FS using Azure AD federation

• Migrate on-premises applications federated with AD FS to Azure AD
  
  • Azure AD migration resources

Enable on-premises legacy IWA applications to use passwordless sign-in

• Upgrade the on-premises applications to use modern authentication protocols
  
  • Single sign-on to applications in Azure Active Directory
• Enable Azure AD Hybrid features
  
  • Enable passwordless security key sign-in to on-premises resources with Azure Active Directory
• Enable Azure AD Application Proxies
  
  • Remote access to on-premises applications through Azure Active Directory's application proxy

Enable MFA for on-premises applications using RADIUS with NPS Server extension

• Configure on-premises applications using RADIUS to use Azure MFA and YubiKeys
  
  • Integrate your existing NPS infrastructure with Azure multifactor authentication

Certificate based sign-in with smart cards

• Leverage YubiKey as the physical smart card
  
  • YubiKey smart card deployment guide

• Smart cards with mobile devices
  
  • CBA on Mobile announcement