Forum Discussion

Marco de Bock's avatar
Marco de Bock
Copper Contributor
Apr 29, 2018
Solved

Default security settings for Office 365 for first account logon on new device

I am trying to figure out where to change the security settings on Office 365 when a user logs on to a new device for the first time.   Story: I created a new Office 365 tenant, added some standard...
Access Management
Azure Active Directory (AAD)
microsoft 365
VasilMichev's avatar
VasilMichev
MVP
Apr 29, 2018

Yup, they are connected. The PIN code requirement is enforced from the device, that's basically the "gesture" used for Windows Hello (or the fallback in this scenario). As this is considered very sensitive, it triggers the MFA challenge as well. You can disable it via GPOs (not recommended) or you can use an Intune policy that does not require Windows Hello (and thus the MFA challenge): https://docs.microsoft.com/en-us/intune-classic/deploy-use/control-microsoft-passport-settings-on-devices-with-microsoft-intune

Marco de Bock's avatar
Marco de Bock
Copper Contributor
Apr 29, 2018

Hi Vasil,

 

Thanks! So my preliminary conclusion was right. The PIN code triggers the MFA requirement. I just did not realize that the PIN code comes from Windows Hello for Business and you pointed me in the right direction.

 

Apparently, disabling Windows Hello for Business requires Intune, and cannot be done using the Office 365 built-in MDM device policies. When searching for "office 365 disable windows hello" I see a lot of disappointment that you need Intune to disable this behavior when exclusively using Azure AD joined devices. Microsoft requiring clients to spend money to disable a forcefully pushed security feature? Not the way to go I think for Microsoft.

 

Well, at least now I know and I can advise my client on the options available.

 

Thanks again,

Marco

 

 

 

Resources