Forum Discussion
[FIXED] How to prevent sign in page from asking new users for additional security verification
Update: thanks for all the suggestions, I figured out it was the Windows Insider that was causing it.
When I installed Windows 10 build 1909 on a Hyper-V VM and signed into it during installation using AAD, I was not asked to provide a phone number.
It was also a new user that I created with no admin rights.
I'm trying to build an AAD-based environment and created a few users with standard rights (non-administrators). When I go to one of my Windows 10 machines and try to join it to AAD using a work/school account, after entering the email and password, I'm presented with this screen asking for a phone number and verification. I'm looking for a way to stop it from appearing.
There is another option in that drop-down menu that is for using an authenticator app to receive codes, but I want to entirely disable this "additional security verification" for the users I create in my AAD.
- CraigWilson_ (Brass Contributor)
HotCakeX This prompt would be from the self-service password reset functions in AAD. If you attempt to disable it, then users would not be able to reset their own password.
If you want to try, in AzureAD set Self Service Password Reset to either select or none. Then redo the join.
The prompt will still appear if you require AzureAD MFA as well. When you join a PC, it will MFA the user.
Cheers
Craig
Hi CraigWilson_
Thank you,
So I went to my Azure Active Directory Admin Center
https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/PasswordReset and it was set to "none" by default.
And then I saw this notice:
- "These settings only apply to end users in your organization. Admins are always enabled for self-service password reset and are required to use two authentication methods to reset their password. Click here to learn more about administrator password policies."
So I think end-users are normal/standard/non-admin users.
So far everything is set correctly, right?
But I am still getting this message!
I also checked out this place
Everything looks fine here too.
Is there any other place I can check? I have no idea why it's still telling me that my organization needs additional information.
By the way, I'm using a 1-month trial subscription for Office 365 Business Premium.
- CraigWilson_ (Brass Contributor)
In Windows 10 version 1803 Microsoft introduced a setting that required accounts to have a password reset option. The setting was forced for Admin accounts. This could be what is impacting you. The settings you have shown are the correct ones for disabling self-service password reset.
The method to get around the local admin being forced was to create a local user first on the workstation, then disable the local policy. This would not work on a clean install as someone would have to login first.
How are you deploying Windows 10? Is it via Autopilot?
You could try setting the account up for password reset then try the Windows 10 again? You should be able to do this by assigning a user a mobile number in Azure AD.
I will try a few things later today and see if I can get around the prompt.
Cheers
Craig