Forum Discussion
MFA Options for Employees without Phones
Hello Luca,
thanks for the thorough answer. Just to clarify again: there are 10-20% of people who HAVE a work phone, so most employees are without one.
I've tried using TAP to enroll into Windows Hello, which worked fine, but then I couldn't log in with the specified PIN. It showed me an error such as:
To get it to work, I had to log in to the account via password and then change the PIN manually in the Windows Hello settings, which is obviously less than ideal.
If possible we would like to avoid using any hardware tokens or a FIDO2 key.
1. Right now, we have around 30% Business Premium and the rest on Business Standard, with the plan to shift everyone to Business Premium.
2. We're in a hybrid AD setup.
3. Every user has their own device.
Hey FabianUni — thanks, that detail helps.
I agree with the main point from Lucaraheller: WHfB isn’t meant to “skip” the initial proof-up step. TAP is the right bootstrap, but the environment still has to support WHfB end-to-end.
For the error “That option is temporarily unavailable… use a different method to sign in” on hybrid setups, this commonly points to the device not being able to complete the on‑prem AD validation/trust path at sign-in (join state, trust model, or DC connectivity), even if enrollment looked successful.
Quick triage questions:
- Are the devices Entra hybrid joined or Entra joined?
- Which WHfB model are you using: Cloud Kerberos trust, Key trust, or Certificate trust?
- Does the PIN failure happen only off-network/no VPN pre-logon (no DC line-of-sight), or even on LAN?
- On an affected device, what do these show?
  - dsregcmd /status
  - Test-ComputerSecureChannel -Verbose
Real-world constraint (since most users don’t have phones): if you want to avoid hardware keys, you basically have two viable paths:
A) Allow Microsoft Authenticator on personal devices (and formalize the BYOD/policy side), OR
B) Make the corporate Windows 11 endpoint the only supported experience and use Conditional Access to block or limit Microsoft 365 access from unmanaged/personal devices (so users don’t get a mixed-message experience).
Important nuance: even if you lock Microsoft 365 down to managed/compliant corporate devices, you still need MFA (or an authentication strength). Device restrictions control where access happens; they don’t replace how you authenticate.
References:
- Temporary Access Pass (TAP): https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-temporary-access-pass
- WHfB Cloud Kerberos trust (hybrid): https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust?tabs=intune
- Require compliant device (Conditional Access): https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-all-users-device-compliance
- App enforced restrictions (unmanaged devices): https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-all-users-app-enforced-restrictions
- Device filters (Conditional Access): https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-condition-filters-for-devices
- Authentication strengths: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-strengths
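As an added triage helper (not part of either post and not Microsoft tooling), the PowerShell below reads the same two things the questions above ask about, `dsregcmd /status` and the DC secure channel, and flags which piece of the hybrid WHfB path is missing on the affected device. The field names are the ones dsregcmd prints; the expected values are an assumption for a healthy cloud Kerberos trust device and should be adjusted for key or certificate trust.

```powershell
# Added triage script (assumption: read-only; nothing on the device is changed).
# Run as the affected user in a non-elevated PowerShell so the "User State" and
# "SSO State" sections of dsregcmd /status are populated for that user.

function Get-DsregState {
    param([string[]]$Lines = (dsregcmd /status))
    $state = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "  Key : Value" lines; section headers and blanks are skipped
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-WhfbHybridPath {
    $s = Get-DsregState
    # Expected values for a working hybrid-joined, cloud Kerberos trust device (assumption).
    # For key/certificate trust, OnPremTgt is not the signal; DC line-of-sight at sign-in is.
    $checks = [ordered]@{
        'AzureAdJoined'    = 'YES'      # device is registered with Entra
        'DomainJoined'     = 'YES'      # hybrid = both YES
        'DeviceAuthStatus' = 'SUCCESS'  # device could authenticate to Entra
        'NgcSet'           = 'YES'      # a WHfB container (PIN) exists for this user
        'KeyProvisioned'   = 'YES'      # the WHfB key was registered in Entra
        'AzureAdPrt'       = 'YES'      # cloud sign-in succeeded (PRT issued)
        'CloudTgt'         = 'YES'      # cloud Kerberos TGT obtained
        'OnPremTgt'        = 'YES'      # on-prem TGT exchanged, i.e. a DC was reachable
    }
    foreach ($k in $checks.Keys) {
        $actual = if ($s.ContainsKey($k)) { $s[$k] } else { '<missing>' }
        $flag = if ($actual -eq $checks[$k]) { 'OK' } else { 'CHECK' }
        '{0,-18} expected {1,-8} got {2,-10} {3}' -f $k, $checks[$k], $actual, $flag
    }
    # Secure channel to a DC: failure here means the on-prem half of the trust path is unavailable
    try {
        $sc = Test-ComputerSecureChannel -ErrorAction Stop
        'SecureChannel      expected True     got {0,-10} {1}' -f $sc, $(if ($sc) { 'OK' } else { 'CHECK' })
    } catch {
        "SecureChannel      expected True     got ERROR      CHECK ($($_.Exception.Message))"
    }
}

Test-WhfbHybridPath
```

Run it once on the LAN and once off-network before logon to see which rows flip to CHECK; that answers the third triage question above without guessing.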