Prerequisites
  • Enable the FIDO2 Security Keys authentication method in Azure AD
  • Configure FIDO2 security key settings
  • Network / Firewall requirements
  • Windows 10 2004 or above
NOTE: We’ve introduced a new adapter for customers using directories other than Entra ID to support the Windows Authenticator in FIDO2 mode. This adapter allows administrators to provide TruU with an OAuth client, secret, and the necessary mapping attributes, so that TruU can verify that it has been registered as a FIDO2 security key with Entra ID. It is required for customers using the 24.2 (or later) Windows Authenticator in FIDO2 mode with any directory other than Entra ID. If you are using Entra ID as your directory, this adapter is not needed. See the Entra ID FIDO2 Enrollment Adapter Guide.

Enable FIDO2 Security Keys in Azure Portal

  1. Sign in to Microsoft Entra ID (Azure AD).
  2. Go to “Security”, then navigate to “Authentication Methods”.
  3. Click “FIDO2 Security Keys”, enable it for all users or for selected users in a group, and save the settings.

Note

If FIDO2 Security Keys are already enabled, proceed to Configure FIDO2 security key settings.

FIDO2 Security Keys Settings

  1. Go to the “Configure” tab and set the following values:
    1. Allow self-service set up: Yes
    2. Enforce attestation: No
       Attestation is designed to verify the hardware manufacturing process in order to reject rogue hardware. TruU is a virtualized solution (it does not require specialized hardware) that runs on top of Microsoft-verified hardware, and it neither requires nor supports hardware attestation.
    3. Enforce key restrictions: No
  2. Save the settings.

Enable FIDO2 Login via Group Policy

https://docs.truu.ai/docs/enable-truu-fido2-login-using-windows

Config File Requirements

In line 21 of the config file that you see below, for Azure AD joined devices the entry
`<add key="RequireFido2" value="0"/>`
must be changed to
`<add key="RequireFido2" value="1"/>`

Networking and Firewall Requirements

First-time enrollment requires internet connectivity. Outbound traffic to the following URLs must be allowed from the client Windows device, so please make the necessary firewall changes.

TruU URLs

“customer” is the name of your TruU tenant:
  • https://global.platform.truu.ai
  • https://customer.idp.id.truu.ai
  • https://customer.cert.id.truu.ai

Microsoft URLs

The following endpoints are needed for registration and authentication:
  • customer.microsoftonline.com
  • customer.microsoftonline-p.com
  • customer.msauth.net
  • customer.msauthimages.net
  • customer.msecnd.net
  • customer.msftauth.net
  • customer.msftauthimages.net
  • customer.phonefactor.net
  • enterpriseregistration.windows.net
  • management.azure.com
  • policykeyservice.dc.ad.msft.net
  • secure.aadcdn.microsoftonline-p.com
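As an added pre-flight check (example script, not TruU's own tooling) covering both the config file requirement and the firewall requirements above: it assumes the TruU config file is a standard .NET appSettings XML whose path you pass in, takes the tenant name as a parameter, and probes TCP 443 only for the hosts the page lists as fixed names (the tenant-prefixed Microsoft entries are not single resolvable hosts, so they are not probed).

```powershell
# Added pre-flight check; assumption: the TruU config file is a .NET appSettings XML
# (<configuration><appSettings><add key="..." value="..."/>) and you know its path.
param(
    [Parameter(Mandatory = $true)] [string] $ConfigPath,  # path to the TruU config file
    [Parameter(Mandatory = $true)] [string] $Tenant       # your TruU tenant name ("customer" above)
)

# --- 1. RequireFido2 must be "1" on Azure AD joined devices ---
[xml] $config = Get-Content -Path $ConfigPath -Raw
$node = $config.SelectSingleNode("//appSettings/add[@key='RequireFido2']")
if ($null -eq $node) {
    Write-Warning "RequireFido2 key not found in $ConfigPath"
} elseif ($node.GetAttribute('value') -ne '1') {
    Write-Warning "RequireFido2 is '$($node.GetAttribute('value'))'; set it to 1 for Azure AD joined devices"
} else {
    Write-Host "RequireFido2 = 1 : OK"
}

# --- 2. Outbound HTTPS (TCP 443) to the endpoints listed above ---
$hosts = @(
    # TruU hosts, built from the tenant name
    'global.platform.truu.ai',
    "$($Tenant).idp.id.truu.ai",
    "$($Tenant).cert.id.truu.ai",
    # Microsoft hosts listed above as fixed names; the tenant-prefixed
    # Microsoft entries are not single resolvable hosts and are skipped here
    'enterpriseregistration.windows.net',
    'management.azure.com',
    'policykeyservice.dc.ad.msft.net',
    'secure.aadcdn.microsoftonline-p.com'
)

$blocked = @()
foreach ($h in $hosts) {
    # With -InformationLevel Quiet, Test-NetConnection returns $true/$false
    $ok = Test-NetConnection -ComputerName $h -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
    if ($ok) {
        Write-Host "$h : reachable on 443"
    } else {
        Write-Warning "$h : NOT reachable on 443"
        $blocked += $h
    }
}

if ($blocked.Count -gt 0) {
    Write-Warning "Firewall changes needed for: $($blocked -join ', ')"
    exit 1
}
Write-Host "All required endpoints reachable"
```

Run it on the client Windows device before first-time enrollment; a non-zero exit code means at least one required endpoint is blocked.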