# Hybrid Joined / Entra Joined - FIDO2

> This guide explains TruU's Passwordless OS Authentication and phishing-resistant adaptive MFA authentication for SSO-enabled applications and Entra ID joined Windows devices.

**Prerequisites**

* Enable the FIDO2 Security Keys authentication method in Azure AD
* Configure FIDO2 security key settings
* Network / Firewall requirements
* Windows 11 2004 24H1 or above

**NOTE:** We’ve introduced a new adapter for customers using directories other than Entra ID to support the Windows Authenticator in FIDO2 mode. This adapter allows administrators to provide TruU with an OAuth client, secret, and the necessary mapping attributes, enabling verification that TruU has been registered as a FIDO2 security key with Entra ID. It is required for customers using the 24.2 (or later) Windows Authenticator in FIDO2 mode with any directory other than Entra ID. If you are using Entra ID as your directory, this adapter is not needed.

[Entra ID FIDO2 Enrollment Adapter Guide](https://docs.truu.ai/docs/entra-id-fido2-enrollment-adapter)

## **Enable FIDO2 Security Keys in Entra ID**

1. Log in to Microsoft Entra ID (Azure AD)
2. Go to "Security", then navigate to "Authentication Methods"

<img src="https://mintcdn.com/truu-2/YlfY4z_3_-uDkBaP/images/docs/6769cb7-image.png?fit=max&auto=format&n=YlfY4z_3_-uDkBaP&q=85&s=6b3c6b464d3f6c740abae07177440915" width="1330" height="970" data-path="images/docs/6769cb7-image.png" />

<img src="https://mintcdn.com/truu-2/m22YLP0oXSNG0U3O/images/docs/7db6d25-image.png?fit=max&auto=format&n=m22YLP0oXSNG0U3O&q=85&s=9d2c2e09c55dd5556b3a55412e24153b" width="1330" height="970" data-path="images/docs/7db6d25-image.png" />

3. Click on **FIDO2 Security Keys** and enable it for all users or selected users in a group and **Save** the settings

<Info>
  ### Note

  If FIDO2 Security Keys are already enabled, configure ***FIDO2 security key settings***.
</Info>

<img src="https://mintcdn.com/truu-2/qCK1oWL4jNpZKJ8A/images/docs/9dbe510-image.png?fit=max&auto=format&n=qCK1oWL4jNpZKJ8A&q=85&s=48cb765929ec8c47203ceda44ce2987b" width="1330" height="970" data-path="images/docs/9dbe510-image.png" />

<img src="https://mintcdn.com/truu-2/qCK1oWL4jNpZKJ8A/images/docs/9b82e38-image.png?fit=max&auto=format&n=qCK1oWL4jNpZKJ8A&q=85&s=a1c906f6ff8106160506afc37a469ecc" width="1315" height="459" data-path="images/docs/9b82e38-image.png" />

## **FIDO2 Security Keys Settings**

1. Go to "Configure" tab and set the following values:
   1. Allow self-service set up: *Yes*
   2. Enforce attestation: *No*
      <Info>
        Attestation is designed to verify hardware manufacturing processes to prevent rogue hardware. TruU is a virtualized (does not require specialized hardware) solution that runs on top of Microsoft-verified hardware and does not require nor support hardware verification.
      </Info>
   3. Enforce key restrictions: *No*

<img src="https://mintcdn.com/truu-2/E6hYbyLPrBHWbQ3m/images/docs/cd9db40-image.png?fit=max&auto=format&n=E6hYbyLPrBHWbQ3m&q=85&s=7f06f65b6ea4f6e06b95f552cbefe371" alt="" width="1063" height="494" data-path="images/docs/cd9db40-image.png" />

2. Save the settings
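
To confirm from a script that the tenant matches the values set in the two sections above, the policy can be read back through Microsoft Graph. This is an added example, not TruU's or Microsoft's own tooling; it assumes the Microsoft.Graph.Authentication PowerShell module and an account that can consent to the Policy.Read.All scope, and `Compare-Fido2Policy` is a hypothetical helper name.

```powershell
# Added example: read the tenant's FIDO2 method policy and compare it with this guide.
# Assumes the Microsoft.Graph.Authentication module is installed.
Import-Module Microsoft.Graph.Authentication

function Compare-Fido2Policy {   # hypothetical helper name
    param([Parameter(Mandatory)] [System.Collections.IDictionary] $Policy)

    # Values this guide asks for ("Yes"/"No" in the portal are booleans in Graph).
    $expected = [ordered]@{
        'state'                            = 'enabled'
        'isSelfServiceRegistrationAllowed' = $true
        'isAttestationEnforced'            = $false
        'keyRestrictions.isEnforced'       = $false
    }
    foreach ($name in $expected.Keys) {
        # Walk dotted names into the nested hashtables Graph returns.
        $actual = $Policy
        foreach ($part in $name.Split('.')) {
            $actual = if ($actual -is [System.Collections.IDictionary]) { $actual[$part] }
        }
        [pscustomobject]@{
            Setting  = $name
            Expected = $expected[$name]
            Actual   = $actual
            Match    = ($null -ne $actual) -and ($actual -eq $expected[$name])
        }
    }
}

Connect-MgGraph -Scopes 'Policy.Read.All'
$uri = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/' +
       'authenticationMethodConfigurations/fido2'
$policy = Invoke-MgGraphRequest -Method GET -Uri $uri

$report = Compare-Fido2Policy -Policy $policy
$report | Format-Table -AutoSize

# Who the method is enabled for ("all users or selected users in a group").
$policy.includeTargets | ForEach-Object { '{0}: {1}' -f $_.targetType, $_.id }

if ($report.Match -contains $false) {
    Write-Warning 'FIDO2 policy differs from the values in this guide.'
}
```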

## **Enable FIDO2 Login via Group Policy**

[https://docs.truu.ai/docs/enable-truu-fido2-login-using-windows](https://docs.truu.ai/docs/enable-truu-fido2-login-using-windows)

## **Config File Requirements**

On line 21 of the config file shown below, you must change the `RequireFido2` setting as follows for Azure Joined Devices:

<img src="https://mintcdn.com/truu-2/qCK1oWL4jNpZKJ8A/images/docs/9c258a7828b276726cb9070b265c912ffbf98930118ff81e065cd92c2723a273-image.png?fit=max&auto=format&n=qCK1oWL4jNpZKJ8A&q=85&s=e80f68a3fd230250d095d08cec26225c" alt="" width="674" height="593" data-path="images/docs/9c258a7828b276726cb9070b265c912ffbf98930118ff81e065cd92c2723a273-image.png" />

```text theme={null}
<add key="RequireFido2" value="0"/>
```

must be changed to

```text theme={null}
<add key="RequireFido2" value="1"/>
```

## **Networking and Firewall Requirements**

First-time enrollment requires internet connectivity. Outbound traffic to the following URLs must be allowed from the client Windows device. Please make the necessary firewall changes.

### TruU URLs

<Warning>
  **customer** is the name of your TruU tenant
</Warning>

* https://global.platform.truu.ai
* https://customer.idp.id.truu.ai
* https://customer.cert.id.truu.ai

### **Microsoft URLs**

The following endpoints are needed for registration and authentication:

* customer.microsoftonline.com
* customer.microsoftonline-p.com
* customer.msauth.net
* customer.msauthimages.net
* customer.msecnd.net
* customer.msftauth.net
* customer.msftauthimages.net
* customer.phonefactor.net
* enterpriseregistration.windows.net
* management.azure.com
* policykeyservice.dc.ad.msft.net
* secure.aadcdn.microsoftonline-p.com
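
A quick way to check these firewall rules from a client before first enrollment, as an added example that is not part of TruU's documentation or tooling. It assumes every endpoint is reached over TCP 443, takes the tenant name as `-Tenant`, and tests only the hosts the page gives in full; the Microsoft entries written with a `customer.` prefix can be passed through the hypothetical `-ExtraHosts` parameter.

```powershell
# Added example: verify outbound reachability of the endpoints listed in this guide.
# Save as a .ps1 file and run on the client Windows device.
param(
    [Parameter(Mandatory)] [string] $Tenant,   # your TruU tenant name ("customer" in the URLs)
    [string[]] $ExtraHosts = @()               # further hosts from the Microsoft list (hypothetical parameter)
)

$hosts = @(
    'global.platform.truu.ai'
    "${Tenant}.idp.id.truu.ai"
    "${Tenant}.cert.id.truu.ai"
    'enterpriseregistration.windows.net'
    'management.azure.com'
    'policykeyservice.dc.ad.msft.net'
    'secure.aadcdn.microsoftonline-p.com'
) + $ExtraHosts

$results = foreach ($h in $hosts) {
    # Separate DNS failure from a blocked port so the firewall team knows which to fix.
    $dns = Resolve-DnsName -Name $h -ErrorAction SilentlyContinue
    $tcp = if ($dns) {
        Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    }
    [pscustomobject]@{
        Host     = $h
        Resolves = [bool]$dns
        Tcp443   = [bool]($tcp -and $tcp.TcpTestSucceeded)   # assumption: HTTPS on 443
    }
}

$results | Format-Table -AutoSize

$blocked = @($results | Where-Object { -not $_.Tcp443 })
if ($blocked.Count -gt 0) {
    Write-Warning ("Unreachable: " + ($blocked.Host -join ', '))
    exit 1
}
```

`Test-NetConnection` opens a direct TCP connection, so a client that reaches the internet only through an HTTP proxy will show failures here even where proxied traffic is allowed.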

