FIDO2 security keys can be used to sign in to Azure AD by choosing ThinC-AUTH as the credential provider at the Windows 10 lock screen. A username or password is not required which makes it an ideal solution for first line workers who share PCs among multiple users. They are also an excellent authentication option when corporate policies dictate that a user's credentials must be physically separate from their device (PC). Users can also choose to sign in to web sites by using ThinC-AUTH inside of the Microsoft Edge browser on Windows 10 version 1809 or higher.

Azure portal settings

While administrators can manually provision ThinC-AUTH and distribute them to end users, provisioning and enabling ThinC-AUTH on the Windows 10 lock screen will be supported through Intune. Administrators will also need to use the Azure portal to enable hardware token devices as a passwordless authentication method.

Register ThinC-AUTH

Deploying ThinC-AUTH also requires that users register their keys using combined registration. With combined registration, users register once and get the benefits of both Azure Multi-Factor Authentication and single sign-on password reset (SSPR). There are two ways of setting of FIDO2 authentication with Microsoft account as belows.

Users can choose to sign in to web sites by using ThinC-AUTH inside of the Microsoft Edge browser on Windows 10 version 1809 or higher. Both users with Microsoft account and Azure AD account can login to cloud inside of the Microsoft Edge.  But to unlock windows 10 screen can be done only by users with Azure AD account. The detail description of setting procedures are shown in different page below.

Unlock to Windows 10 screen can be done by Azure AD account on Azure AD joined device, together with Azure AD login. Therefore after unlock Windows 10 screen, user can login to Azure AD or Office 365 without another user authentication.  In both cases, to enroll fingerprints inside ThinC-AUTH is the same.