Device Join Modalities
The following table outlines how devices behave in each join type — including how they authenticate, how they are managed, and their access to cloud and on-premises resources.
| Feature | Active Directory joined | Microsoft Entra hybrid joined | Microsoft Entra joined |
|---|---|---|---|
| What it means | Device is joined to on-premises Active Directory.<br>Sign-in requires an Active Directory account. | Device is joined to on-premises Active Directory.<br>Device identity is registered/synced to Microsoft Entra ID.<br>Sign-in uses an Active Directory account. | Device is joined to Microsoft Entra ID (cloud).<br>Sign-in uses a Microsoft Entra account (or a synced account if applicable). |
| Authentication | Password: Active Directory username and password.<br>TruU Desktop Authenticator: certificate-based authentication. | Password: Active Directory username and password.<br>TruU Desktop Authenticator: FIDO2 authenticator (recommended) or certificate-based authentication. | Password: synced account username and password (if used).<br>TruU Desktop Authenticator: FIDO2 authenticator. |
| Management | Managed via Group Policy Objects (GPOs) from on-premises Active Directory. | Managed via Group Policy and/or Intune policies. | Managed through Intune (or another MDM solution) with cloud policy enforcement. |
| On-premises resources | Full, native access to internal resources (file shares, printers, intranet apps). | Full access to on-premises resources (Kerberos) because the device maintains an AD trust. | Limited/no native access; typically requires VPN/proxy and Kerberos key trust or connectors (as configured). |
| Cloud resources | No Primary Refresh Token (PRT) from Microsoft Entra ID.<br>Seamless sign-in to Microsoft Entra-protected resources is not available. | Full access to Microsoft Entra-protected cloud resources (Microsoft 365, Teams, OneDrive).<br>PRT is issued at sign-in. | Full, direct access to Microsoft Entra-protected cloud resources (Microsoft 365, Teams, OneDrive).<br>PRT is issued at sign-in. |
| Internet dependency | No dependency for authentication on the corporate network. | Moderate dependency for syncing with Microsoft Entra ID and receiving MDM policy updates. | High dependency for authentication and device compliance checks. |
| Ideal for | On-premises organizations with minimal cloud integration.<br>Environments requiring strict internal control. | | Cloud-first or fully remote organizations using Microsoft Entra ID. |
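To confirm which of these three join modalities a given Windows device is actually in, and whether the Primary Refresh Token the table refers to was issued at sign-in, the following added example (not TruU's own code or documentation) parses the output of the built-in `dsregcmd /status` command. The field names `AzureAdJoined`, `DomainJoined`, `DomainName` and `AzureAdPrt` are real `dsregcmd` output fields; the embedded sample output is constructed so the function can be exercised offline, and the TruU modality flags it reports are derived from the table above, not from a TruU API.

```powershell
# Added example (not TruU's code): classify a Windows device's join modality from
# `dsregcmd /status` output and report whether a Microsoft Entra PRT is present.
# Field names are real dsregcmd fields; the sample text at the bottom is constructed.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "    Name : Value"; box-drawing and header lines do not match.
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    return $fields
}

function Get-DeviceJoinModality {
    param([string[]]$StatusLines)   # omit to query the local device
    if (-not $StatusLines) { $StatusLines = & dsregcmd.exe /status }
    $f = ConvertFrom-DsregStatus -Lines $StatusLines

    $entra  = $f['AzureAdJoined'] -eq 'YES'
    $domain = $f['DomainJoined']  -eq 'YES'
    $prt    = $f['AzureAdPrt']    -eq 'YES'

    $join = if ($entra -and $domain) { 'Microsoft Entra hybrid joined' }
            elseif ($entra)          { 'Microsoft Entra joined' }
            elseif ($domain)         { 'Active Directory joined' }
            else                     { 'Not joined' }

    # Expectations taken from the table: AD-only devices never hold a PRT; hybrid and
    # Entra joined devices should have one after an interactive sign-in.
    [pscustomobject]@{
        JoinType       = $join
        DomainName     = $f['DomainName']
        PrtPresent     = $prt
        PrtAsExpected  = ($prt -eq $entra)
        Fido2Supported = $entra                    # TruU FIDO2: hybrid / Entra joined only
        CbaRecommended = ($domain -and -not $entra) # TruU CBA: recommended for AD-only
    }
}

# Constructed sample: a hybrid joined device after an interactive sign-in.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
'@ -split "`r?`n"

Get-DeviceJoinModality -StatusLines $sample | Format-List
```

Run `Get-DeviceJoinModality` with no arguments on the device itself; `PrtAsExpected` being false on a hybrid or Entra joined device (no PRT after sign-in) is the usual first symptom that the FIDO2 or Cloud Kerberos Trust prerequisites described later on this page are not in place.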
TruU Authentication Modalities
TruU supports two primary authentication modalities that can be applied across all device join types — FIDO2 (Virtual FIDO Key) and Smartcard / Certificate-Based Authentication (Virtual Smartcard). Each serves a distinct purpose, depending on your organization’s identity architecture and compliance standards.
| Feature | TruU FIDO2 Authenticator (virtual FIDO key) | TruU Smartcard CBA (virtual smartcard) |
|---|---|---|
| Purpose | Passwordless, phishing-resistant user sign-in.<br>Strong cryptographic validation without passwords. | Certificate-based authentication using smartcard credentials.<br>Common fit for PKI / smartcard environments. |
| Technology | FIDO2 / WebAuthn + CTAP.<br>Public/private key pairs protected by device security (e.g., TPM). | X.509 certificates (PKI).<br>Keys/certs stored on smartcard/virtual smartcard (TPM-backed). |
| Standards | Open FIDO Alliance standard.<br>Broad OS and browser support. | PKI-based authentication model. |
| Authentication | User validates via TruU FIDO2 Authenticator using biometrics or PIN.<br>FIDO2 assertion is used for sign-in where configured. | User authenticates with a smartcard certificate.<br>Fits Windows smartcard logon / certificate flows. |
| Device join type | Supported: Microsoft Entra hybrid joined and Microsoft Entra joined devices.<br>Not intended: Active Directory joined only (AD-only) devices. | Recommended: Active Directory joined (AD-only) devices for smartcard/CBA logon needs.<br>Supported (with prerequisites): Microsoft Entra hybrid joined (see prerequisites/notes). |
| On-premises resource access | Hybrid joined: access via AD trust/Kerberos as normal.<br>Entra joined: on-prem access requires Kerberos key trust to obtain Kerberos tickets for AD resources. | AD joined: native access to on-prem resources.<br>Hybrid joined: can access on-prem resources. |
| Revocation | No certificate revocation (CRL/OCSP) lifecycle.<br>Remove/disable the registered authenticator to block usage. | Certificate revocation via CRLs/OCSP per PKI policy. |
| Deployment / operations | Typically simpler at scale.<br>Managed through endpoint and identity policy (e.g., Intune + Entra policies). | Requires PKI: certificate issuance, renewal, and lifecycle management. |
| Prerequisites / notes | Enable TruU FIDO2 Keys in Entra ID.<br>Hybrid Entra joined: configuring Cloud Kerberos Trust with Microsoft Entra ID is required to use the TruU FIDO2 authenticator with hybrid Entra joined devices.<br>Entra joined: optional. To access on-prem resources, you need Cloud Kerberos Trust (plus a network path such as VPN/proxy as applicable). | AD joined: smartcard/CBA is the recommended option when certificate-based logon is required.<br>Hybrid joined: to use CBA and still get a PRT for seamless SSO to Microsoft 365/Office apps, enable Microsoft Entra ID CBA (per Entra policy) so that Entra ID apps can obtain PRT-based SSO. |
TruU’s support for both FIDO2 and Smartcard-based authentication ensures compatibility with diverse enterprise environments. Organizations can adopt passwordless authentication at their own pace, aligning with existing infrastructure and compliance goals.
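The Revocation row above is the operational difference most often overlooked: the FIDO2 path has no CRL/OCSP lifecycle, so revoking a lost or compromised TruU FIDO2 authenticator means removing the registered FIDO2 method from the user's Entra ID account. The following added example (not TruU's code or documentation) does that with the Microsoft Graph PowerShell SDK. It assumes the SDK is installed, that the TruU virtual FIDO key appears on the user as a FIDO2 security key method (the page only states that TruU FIDO2 Keys are enabled in Entra ID), and that the caller holds the `UserAuthenticationMethod.ReadWrite.All` and `User.ReadWrite.All` permissions. The user principal name and key display name are constructed placeholders.

```powershell
# Added example (not TruU's code): revoke a TruU FIDO2 authenticator by deleting the
# registered FIDO2 method in Entra ID, optionally revoking existing sessions as well.
# Assumes the Microsoft.Graph PowerShell SDK and that the TruU virtual FIDO key is
# registered as a FIDO2 security key method on the user (assumption, not stated by TruU).

Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All', 'User.ReadWrite.All'

function Revoke-Fido2Authenticator {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$DisplayNameMatch,  # substring of the key's display name
        [switch]$RevokeSessions                           # also invalidate existing refresh tokens
    )

    # List every FIDO2 method the user has registered and pick the one(s) to remove.
    $methods = Get-MgUserAuthenticationFido2Method -UserId $UserPrincipalName
    $targets = $methods | Where-Object { $_.DisplayName -like "*$DisplayNameMatch*" }
    if (-not $targets) {
        Write-Warning "No FIDO2 method matching '$DisplayNameMatch' registered for $UserPrincipalName"
        return $null
    }

    foreach ($m in $targets) {
        # Deleting the method is the whole "revocation": the key's public key is simply
        # no longer trusted, so later assertions from that authenticator are rejected.
        Remove-MgUserAuthenticationFido2Method -UserId $UserPrincipalName `
            -Fido2AuthenticationMethodId $m.Id
        Write-Host "Removed FIDO2 method '$($m.DisplayName)' (id $($m.Id)) for $UserPrincipalName"
    }

    # Removing the method only blocks new sign-ins. Tokens already issued, including the
    # PRT on a hybrid or Entra joined device, stay valid until they expire unless the
    # user's sign-in sessions are revoked.
    if ($RevokeSessions) {
        Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null
        Write-Host "Revoked existing sign-in sessions for $UserPrincipalName"
    }

    return $targets | Select-Object Id, DisplayName, Model, CreatedDateTime
}

# Constructed placeholder values; replace with the affected user and the lost device's key name.
Revoke-Fido2Authenticator -UserPrincipalName 'alice@example.com' `
    -DisplayNameMatch 'TruU Laptop-123' -RevokeSessions
```

Run the function without `-RevokeSessions` first to confirm that only the intended key is matched; the returned objects record which method ids were deleted, which is what an incident ticket should capture.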
WA Configuration Options
AD (Domain Joined) - CBA