A slightly hidden limitation of Hybrid Cloud Trust

active directory Jul 27, 2022

There's a dependency chain in the Microsoft documentation that is easy to miss. The page Hybrid Cloud Trust Deployment has a prerequisite that links back to the setup directions for Enable passwordless security key sign-in to on-premises resources by using Azure AD. That page in turn links over to the FIDO2 FAQ: Deployment frequently asked questions (FAQs) for hybrid FIDO2 security keys in Azure AD.

At the bottom of that FAQ is a question with an easy answer:

FIDO2 security key sign-in isn't working for my Domain Admin or other high privilege accounts. Why?

The default security policy doesn't grant Azure AD permission to sign high privilege accounts on to on-premises resources.

What does a random FIDO2 FAQ have to do with a Kerberos trust? As it turns out, that answer is also applicable to Hybrid Cloud Trust, because it's an RODC limitation: both features depend on the same Azure AD Kerberos server object, which Active Directory treats as a read-only domain controller, so the RODC password replication policy (the deny list that by default includes the Denied RODC Password Replication Group and therefore the built-in high-privilege groups) applies to both. The question and its answer are painfully far away from the Hybrid Cloud Trust page.


Don't expect HCT to work for an account in Domain Admins, Enterprise Admins, or Schema Admins, or more generally for anything on the Azure AD Kerberos RODC's deny list (by default that list also covers Administrators, Account Operators, Server Operators, and Backup Operators). The deny list can be edited, but loosening it for Tier 0 groups defeats the point of the control; the better fix is to give admins a separate, unprivileged day-to-day account and keep HCT off the privileged one.

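As an added example (not from the original post), here is a PowerShell check you can run before rolling HCT out to a user: it reads the deny list from the Azure AD Kerberos server object and reports which group membership, if any, will block the account. It assumes the RSAT ActiveDirectory module, that the Azure AD Kerberos server object carries its default name AzureADKerberos in the Domain Controllers OU, and that the sample user jdoe exists; the msDS-NeverRevealGroup attribute and the nested-membership matching rule OID are standard Active Directory, not something the post documents. The script only models the deny list, which is what the FAQ answer is about.

```powershell
# Added example, not code from the original post.
# Assumptions: RSAT ActiveDirectory module is installed, the Azure AD Kerberos
# server object has its default name (AzureADKerberos), and the caller can read it.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape the characters that are special in an LDAP filter (RFC 4515).
    param([Parameter(Mandatory)] [string] $Value)
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
}

function Test-CloudKerberosTrustDenyList {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $KerberosServerName = 'AzureADKerberos'   # assumed default object name
    )

    $user = Get-ADUser -Identity $SamAccountName

    # The Azure AD Kerberos server is an RODC object. msDS-NeverRevealGroup is the
    # RODC's "denied" password replication list; by default it holds the
    # Denied RODC Password Replication Group plus several built-in admin groups.
    $rodc   = Get-ADComputer -Identity $KerberosServerName -Properties 'msDS-NeverRevealGroup'
    $denied = @($rodc.'msDS-NeverRevealGroup')

    # Transitive group membership via LDAP_MATCHING_RULE_IN_CHAIN, so a group
    # nested inside Domain Admins is caught as well as direct membership.
    $dn         = ConvertTo-LdapFilterValue $user.DistinguishedName
    $userGroups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
                  Select-Object -ExpandProperty DistinguishedName

    # The deny list can name users directly (krbtgt is there by default), so
    # include the user's own DN in the comparison.
    $principals = @($user.DistinguishedName) + @($userGroups)
    $blockedBy  = @($principals | Where-Object { $denied -contains $_ })

    [pscustomobject]@{
        User      = $user.DistinguishedName
        BlockedBy = $blockedBy
        # Deny-list only: an empty BlockedBy means the RODC policy will not
        # refuse a TGT for this account; other prerequisites still apply.
        Eligible  = ($blockedBy.Count -eq 0)
    }
}

# Sample call; 'jdoe' is an assumed account name.
Test-CloudKerberosTrustDenyList -SamAccountName 'jdoe' | Format-List
```

Run it for each pilot user, and run it again for the admin accounts you intend to keep out of HCT: a non-empty BlockedBy on a privileged account is the expected, desired result, not a misconfiguration.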

Ryan Buzzell

Systems Administrator @ General Code | Find me on the macadmins slack @rbuzzell https://macadmins.herokuapp.com/
