The use cases outlined in this document describe specific scenarios that are referred to in Yubico’s Use Case Guides. While this listing isn’t exhaustive, it describes the most common scenarios that an end user is likely to encounter in the environments described by our use case guides. Not all of these use cases will be possible with every function that the YubiKey supports. To find out which functions support which use cases, consult the use case guide for the environment that best matches yours.
Sign-in to Azure Active Directory protected native applications
Azure Active Directory protected native applications are platform-native applications that use the Microsoft Authentication Library (MSAL) to authenticate users to Azure Active Directory.
Examples of native applications include the Microsoft 365 Office client applications like Outlook, Word, Excel and PowerPoint that are available to install on Windows or Mac workstations, or on mobile devices via their native app stores.
The MSAL library supports all authentication methods that can be used to log into Azure AD, including mTLS for CBA and WebAuthn for FIDO2.
Sign-in to Azure Active Directory protected web applications
Azure Active Directory protected web applications may use the Microsoft Authentication Library (MSAL), or other libraries supporting modern authentication, to authenticate users to Azure AD. These applications rely on the client’s web browser to support the authentication method.
The Edge web browser can provide single sign on capabilities for Azure Active Directory protected web applications on mobile platforms via Edge Profiles.
Examples of web applications include first party Microsoft apps like Office, Word, Excel and PowerPoint, applications in the Azure AD App Gallery, SaaS or other custom applications that support modern authentication.
Azure Active Directory supports mTLS for CBA, and WebAuthn for FIDO2.
Sign-in to On-Premises Integrated Windows Authentication (IWA) applications
For on-premises applications that are running on AD-joined Windows Servers, Integrated Windows Authentication provides authentication and Single Sign On (SSO) capabilities for both web applications and traditional desktop applications like file sharing and database access.
Active Directory Federation Services is a popular example of an on-premises IWA application that is enabled for SSO, which can then be used to sign in to other applications that use federated authentication - either on-premises, in the cloud or hosted by a 3rd party.
Device Sign In
Device sign in is for access to the console of a device. In this situation the end user has direct contact with the device, and can do things like insert a smart card, plug in a YubiKey, or tap a YubiKey on an NFC reader. Device sign in typically conveys some sort of Single Sign On (SSO) functionality for the directory (or directories) the device is joined to.
Sign-in to Active Directory joined Windows 10 & 11 workstations
Local sign in to Windows 10 and 11 workstations that have been joined to a traditional Active Directory domain.
- Enables SSO to On-Premises Integrated Windows Authentication (IWA) applications
Sign-in to Active Directory joined Windows Servers
Local sign in to Windows servers that have been joined to a traditional Active Directory domain.
- Enables SSO to On-Premises Integrated Windows Authentication (IWA) applications
Sign-in to Active Directory joined Mac OS workstations
Local sign in to Mac OS workstations that have been joined to a traditional Active Directory domain.
Sign-in to Azure Active Directory joined Windows 10 & 11 workstations
Local sign in to Windows 10 and 11 workstations that have been Azure AD joined.
- Enables SSO to Azure Active Directory protected native applications.
- Enables SSO to Azure Active Directory protected web applications.
- In Hybrid environments, enables SSO to On-Premises Integrated Windows Authentication (IWA) applications.
Sign-in to hybrid Azure Active Directory joined Windows 10 & 11 workstations
Local sign in to Windows 10 and 11 workstations that have been joined to a traditional Active Directory domain as well as Azure AD joined.
- Enables SSO to Azure Active Directory protected native applications.
- Enables SSO to Azure Active Directory protected web applications.
- Enables SSO to On-Premises Integrated Windows Authentication (IWA) applications
Sign-in to hybrid Azure Active Directory joined Windows Servers
Local sign in to Windows servers that have been joined to a traditional Active Directory domain as well as Azure AD joined.
- Enables SSO to Azure Active Directory protected native applications.
- Enables SSO to Azure Active Directory protected web applications.
- Enables SSO to On-Premises Integrated Windows Authentication (IWA) applications
Remote Desktop Sign In
Remote desktop sign in refers specifically to remote computer access via Microsoft’s Remote Desktop Protocol (RDP). In order for authentication methods that depend on hardware devices to work, those devices must be supported by the system that is running the Remote Desktop client, and by the device that is being connected to.
Additionally, some clients and servers allow redirection of hardware authentication devices, which allows for use of the hardware devices after successfully connecting to the remote session, regardless of whether those devices were used to authenticate to the session to begin with. Smart cards and FIDO2/WebAuthn redirection are only supported for some clients and some remote hosts.
Remote sign-in to Active Directory joined Windows 10 & 11 desktop sessions
Sign in to Windows 10 and 11 workstations that have been joined to a traditional Active Directory domain via Remote Desktop.
- Enables SSO to On-Premises Integrated Windows Authentication (IWA) applications.
- Enables device redirection for clients and remote hosts that support it.
Remote sign-in to Active Directory joined Windows Server desktop sessions
Sign in to Windows servers that have been joined to a traditional Active Directory domain via Remote Desktop.
- Enables SSO to On-Premises Integrated Windows Authentication (IWA) applications.
- Enables device redirection for clients and server versions that support it.
Remote sign-in to Azure Active Directory joined Windows 10 & 11 desktop sessions
Sign in to Windows 10 and 11 workstations that have been Azure AD joined via Remote Desktop.
- Enables SSO to Azure Active Directory protected native applications.
- Enables SSO to Azure Active Directory protected web applications.
- In Hybrid environments, enables SSO to On-Premises Integrated Windows Authentication (IWA) applications.
- Enables device redirection for clients and server versions that support it.
Remote sign-in to hybrid Azure Active Directory joined Windows 10 & 11 desktop sessions
Sign in to Windows 10 and 11 workstations that have been joined to a traditional Active Directory domain as well as Azure AD joined via Remote Desktop.
- Enables SSO to Azure Active Directory protected native applications.
- Enables SSO to Azure Active Directory protected web applications.
- Enables SSO to On-Premises Integrated Windows Authentication (IWA) applications.
- Enables device redirection for clients and server versions that support it.
Remote sign-in to hybrid Azure Active Directory joined Windows Server remote desktop sessions
Sign in to Windows servers that have been joined to a traditional Active Directory domain as well as Azure AD joined via Remote Desktop.
- Enables SSO to Azure Active Directory protected native applications.
- Enables SSO to Azure Active Directory protected web applications.
- Enables SSO to On-Premises Integrated Windows Authentication (IWA) applications.
- Enables device redirection for clients and server versions that support it.
Azure Virtual Desktop Sign In
Azure Virtual Desktop (AVD) is a specialized virtual desktop environment offered by Microsoft. Although it functions similarly to traditional remote desktop, it requires a separate client, and utilizes an Azure service for maintaining the resources that can be logged in to, as well as an additional software agent that makes a system an “Azure AVD Session Host”.
A native client (that utilizes MSAL) exists for each supported client platform. Additionally, a web client is available.
Remote sign-in to Azure Active Directory joined AVD Session Hosts
Sign in to AVD Session Hosts that have been joined with Azure Active Directory.
- Enables SSO to Azure Active Directory protected native applications.
- Enables SSO to Azure Active Directory protected web applications.
- Enables device redirection for clients and desktop versions that support it.
Remote sign-in to Hybrid Azure Active Directory joined AVD Session Hosts
Sign in to AVD Session Hosts that have been Hybrid Azure Active Directory joined.
- Enables SSO to Azure Active Directory protected native applications.
- Enables SSO to Azure Active Directory protected web applications.
- Enables SSO to On-Premises Integrated Windows Authentication (IWA) applications.
- Enables device redirection for clients and desktop versions that support it.