> ## Documentation Index
> Fetch the complete documentation index at: https://docs.truu.ai/llms.txt
> Use this file to discover all available pages before exploring further.
# Modalities
> Active Directory (AD) Joined, Hybrid Joined (AD + Cloud), and Entra ID Joined (Cloud) Devices represent different approaches to managing authentication and access in an organization, each leveraging specific authentication protocols to meet unique business needs. TruU integrates seamlessly with your existing identity architecture, whether your organization uses AD, Hybrid, or Entra ID. It enhances security by enabling passwordless authentication, leveraging protocols like FIDO2 or extending your current authentication stack to provide a unified and secure user experience across all environments.
## Device Join Modalities
The following table outlines how devices behave in each join type — including how they authenticate, how they are managed, and their access to cloud and on-premises resources.
| **Feature** | **Active Directory joined** | **Microsoft Entra hybrid joined** | **Microsoft Entra joined** |
| :------------------------ | :---------------------------------------------------------------------------------------------------------------------------------------------------------- | :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **What it means** | - Device is joined to on-premises Active Directory.
- Sign-in requires an Active Directory account.
| - Device is joined to on-premises Active Directory.
- Device identity is registered/synced to Microsoft Entra ID.
- Sign-in uses an Active Directory account.
| - Device is joined to Microsoft Entra ID (cloud).
- Sign-in uses a Microsoft Entra account (or a synced account if applicable).
|
| **Authentication** | - Password: Active Directory username and password.
- TruU Desktop Authenticator: certificate-based authentication.
| - Password: Active Directory username and password.
- TruU Desktop Authenticator: FIDO2 authenticator (recommended) or certificate-based authentication.
| - Password: synced account username and password (if used).
- TruU Desktop Authenticator: FIDO2 authenticator.
|
| **Management** | - Managed via Group Policy Objects (GPOs) from on-premises Active Directory.
| - Managed via Group Policy and/or Intune policies.
| - Managed through Intune (or another MDM solution) with cloud policy enforcement.
|
| **On-premises resources** | - **Full, native access** to internal resources (file shares, printers, intranet apps).
| - **Full access** to on-premises resources (Kerberos) because the device maintains an AD trust.
| - **Limited/no native access**; typically requires VPN/proxy and Kerberos key trust or connectors (as configured).
|
| **Cloud resources** | - No Primary Refresh Token (PRT) from Microsoft Entra ID.
- Seamless sign-in to Microsoft Entra-protected resources is not available.
| - **Full access** to Microsoft Entra-protected cloud resources (Microsoft 365, Teams, OneDrive).
- PRT is issued at sign-in.
| - **Full, direct access** to Microsoft Entra-protected cloud resources (Microsoft 365, Teams, OneDrive).
- PRT is issued at sign-in.
|
| **Internet dependency** | - **No dependency** for authentication on the corporate network.
| - **Moderate** dependency for syncing with Microsoft Entra ID and receiving MDM policy updates.
| - **High** dependency for authentication and device compliance checks.
|
| **Ideal for** | - On-premises organizations with minimal cloud integration.
- Environments requiring strict internal control.
| | - Cloud-first or fully remote organizations using Microsoft Entra ID.
|
## TruU Authentication Modalities
TruU supports two primary authentication modalities that can be applied across all device join types — FIDO2 (Virtual FIDO Key) and Smartcard / Certificate-Based Authentication (Virtual Smartcard). Each serves a distinct purpose, depending on your organization’s identity architecture and compliance standards.
| | **TruU FIDO2 Authenticator (virtual FIDO key)** | **TruU Smartcard CBA (virtual smartcard)** |
| :------------------------------ | :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **Purpose** | - Passwordless, phishing-resistant user sign-in.
- Strong cryptographic validation without passwords.
| - Certificate-based authentication using smartcard credentials.
- Common fit for PKI / smartcard environments.
|
| **Technology** | - FIDO2 / WebAuthn + CTAP.
- Public/private key pairs protected by device security (e.g., TPM).
| - X.509 certificates (PKI).
- Keys/certs stored on smartcard/virtual smartcard (TPM-backed).
|
| **Standards** | - Open FIDO Alliance standard.
- Broad OS and browser support.
| - PKI-based authentication model.
|
| **Authentication** | - User validates via TruU FIDO2 Authenticator using biometrics or PIN.
- FIDO2 assertion is used for sign-in where configured.
| - User authenticates with a smartcard certificate.
- Fits Windows smartcard logon / certificate flows.
|
| **Device join type** | - **Supported:** Microsoft Entra hybrid joined and Microsoft Entra joined devices.
- **Not intended:** Active Directory joined only (AD-only) devices.
| - **Recommended:** Active Directory joined (AD-only) devices for smartcard/CBA logon needs.
- **Supported (with prerequisites):** Microsoft Entra hybrid joined (see prerequisites/notes).
|
| **On-premises resource access** | - Hybrid joined: Access via AD trust/Kerberos as normal.
- Entra joined: on-prem access requires Kerberos key trust to obtain Kerberos tickets for AD resources.
| - AD joined: native access to on-prem resources.
- Hybrid joined: can access on-prem resources.
|
| **Revocation** | - No certificate revocation (CRL/OCSP) lifecycle.
- Remove/disable the registered authenticator to block usage.
| - Certificate revocation via CRLs/OCSP per PKI policy.
|
| **Deployment / operations** | - Typically, simpler at scale.
- Managed through endpoint and identity policy (e.g., Intune + Entra policies).
| - Requires PKI: certificate issuance, renewal, and lifecycle management.
|
| **rerequisites / notes** | - **Enable** TruU FIDO2 Keys in Entra ID.
- **Hybrid Entra Joined:** Configuring **Cloud Kerberos Trust** with Microsoft Entra ID is required to user TruU FIDO2 authenticator with Hybrid Entra Joined devices.
- **Entra joined:** Optional - To access on-prem resources, you need **Cloud Kerberos Trust** (plus network path such as VPN/proxy as applicable).
| - **AD joined:** smartcard/CBA is the recommended option when certificate-based logon is required.
- **Hybrid joined:** to use CBA and still get a **PRT** for seamless SSO to Microsoft 365/Office apps, enable **Microsoft Entra ID CBA** (per Entra policy) for Entra ID apps apps can obtain PRT-based SSO.
|
TruU’s support for both FIDO2 and Smartcard-based authentication ensures compatibility with diverse enterprise environments. Organizations can adopt passwordless authentication at their own pace, aligning with existing infrastructure and compliance goals.
***
[WA Configuration Options](/docs/wa-configuration-options)
[AD (Domain Joined) - CBA](/docs/wa-hybrid-azure-ad-domain-joined)