Default security settings for Office 365 for first account logon on new device
- Apr 29, 2018
Yup, they are connected. The PIN code requirement is enforced from the device, that's basically the "gesture" used for Windows Hello (or the fallback in this scenario). As this is considered very sensitive, it triggers the MFA challenge as well. You can disable it via GPOs (not recommended) or you can use an Intune policy that does not require Windows Hello (and thus the MFA challenge): https://docs.microsoft.com/en-us/intune-classic/deploy-use/control-microsoft-passport-settings-on-devices-with-microsoft-intune
- Azim, May 16, 2018, Copper Contributor
Yes, but if we have it disabled via Intune, it still challenges to create a PIN. I have several customers who do not want to leverage a PIN and have Hello completely disabled and Windows STILL challenges us to create a PIN on first login. This flies in the face of the intended config.
- Steve Tinsley, Jan 06, 2020, Copper Contributor
- WgTech701, Oct 06, 2020, Copper Contributor
Did anyone get a resolution for this? Steve Tinsley
- Marco de Bock, Apr 29, 2018, Copper Contributor
Hi Vasil,
Thanks! So my preliminary conclusion was right. The PIN code triggers the MFA requirement. I just did not realize that the PIN code comes from Windows Hello for Business and you pointed me in the right direction.
Apparently, disabling Windows Hello for Business requires Intune, and cannot be done using the Office 365 built-in MDM device policies. When searching for "office 365 disable windows hello" I see a lot of disappointment that you need Intune to disable this behavior when exclusively using Azure AD joined devices. Microsoft requiring clients to spend money to disable a forcefully pushed security feature? Not the way to go I think for Microsoft.
Well, at least now I know and I can advise my client on the options available.
Thanks again,
Marco