A slightly hidden limitation of Hybrid Cloud Trust • The Occasional Buzz  <meta name="title" content="A slightly hidden limitation of Hybrid Cloud Trust • The Occasional Buzz"> <meta name="description" content="A slightly hidden limitation of Hybrid Cloud Trust"> <meta name="author" content="Ryan Buzzell">  <meta property="og:type" content="article"> <meta property="og:url" content="https://astro.buzzell.io/post/a-slightly-hidden-limitation-of-hybrid-cloud-trust/"> <meta property="og:title" content="A slightly hidden limitation of Hybrid Cloud Trust"> <meta property="og:description" content="A slightly hidden limitation of Hybrid Cloud Trust"> <meta property="og:image" content="https://astro.buzzell.io/_astro/michael-dziedzic-1bjsASjhfkE-unsplash.Uk5qK1wi.jpg"> <meta property="article:author" content="Ryan Buzzell"> <meta property="article:published_time" content="2022-07-27T04:00:00.000Z">  <meta property="twitter:card" content="summary_large_image"> <meta property="twitter:url" content="https://astro.buzzell.io/post/a-slightly-hidden-limitation-of-hybrid-cloud-trust/"> <meta property="twitter:title" content="A slightly hidden limitation of Hybrid Cloud Trust"> <meta property="twitter:description" content="A slightly hidden limitation of Hybrid Cloud Trust"> <meta property="twitter:image" content="https://astro.buzzell.io/_astro/michael-dziedzic-1bjsASjhfkE-unsplash.Uk5qK1wi.jpg">  <link rel="alternate" type="application/rss+xml" title="The Occasional Buzz" href="/rss.xml">

There’s a dependency tree in the MS documentation that’s slightly buried in the MS Documentation. The page Hybrid Cloud Trust Deployment has a pre-req that links back to the setup directions to Enable passwordless security key sign-in to on-premises resources by using Azure AD. That page in turn has a link over to the FAQs for FIDO2. Deployment frequently asked questions (FAQs) for hybrid FIDO2 security keys in Azure AD

At the bottom of that FAQ is a question with an easy answer:

FIDO2 security key sign-in isn’t working for my Domain Admin or other high privilege accounts. Why? The default security policy doesn’t grant Azure AD permission to sign high privilege accounts on to on-premises resources.

What does a random FIDO2 FAQ have to do with a Kerberos trust? Well as it turns out, that answer also applicable to Hybrid Cloud trust because it’s an RODC limitation, and both the question and answer are painfully far away from the Hybrid Cloud Trust page.

TL;DR: Don’t expect HCT to work on an account in Domain Admins, Enterprise Admins, or Schema Admins.

Photo by Michael Dziedzic on Unsplash