I'm looking into setting up passwordless authentication for my company and have come across Windows Hello for Business. However, it seems that it requires Azure Active Directory (AAD). We have an M365 subscription but aren't interested in moving to AAD; we're currently using local Active Directory (AD). Is there another option for implementing Windows Hello that I might have missed, or can we potentially use it with just local AD? I've also experimented with NFC cards as a solution, but the logistics of using an NFC Reader can be cumbersome since we have a mix of notebooks, Surface devices, and desktops. It's manageable in-house, but not so much for remote use.
1 Answer
You actually don’t need to give up your local AD if you have M365; you already have AAD. You can set up a hybrid environment where your domain computers are joined to both local AD and AAD. This way, you can still manage everything as you currently do. The hybrid joining process is quite straightforward, and using Windows Hello for Business in this setup is a breeze. Plus, it’s phishing-resistant and works well with conditional access without needing any new hardware or software installations on your computers.
Thanks for clarifying that! I must’ve misunderstood the requirement for a cloud-only setup. I'll give hybrid joining a shot and see if I can log into my Windows PC that way!