Forum Discussion
Mirza Dedic
Oct 13, 2021, Brass Contributor
Request for Windows GINA/CP logon agent for Microsoft Authenticator (MFA)?
Hi, We have domain joined Windows 10 computers, synced to Azure AD (hybrid join). In Azure we have conditional access MFA. Devices are managed by MECM/Intune. How can we enable MFA prompt dur...
Oct 13, 2021
Mirza Dedic Hello, yes of course. You can go passwordless with the Authenticator, you can even narrow it down so it's the only option that can be used (but perhaps not recommended). You simply have to enable it in Azure and add your users.
Then use a conditional access policy requiring MFA and direct your users to https://aka.ms/mysecurityinfo to set up their info.
You can also use a TAP if no other methods are set up.
For reference
Passwordless sign-in with the Microsoft Authenticator app - Azure Active Directory | Microsoft Docs
Steve Whitcher
Oct 13, 2021, Bronze Contributor
ChristianJBergstrom How do you set up a conditional access policy to require MFA at Windows logon?
- Oct 14, 2021
Steve Whitcher BilalelHadd Hello folks, it seems I misinterpreted the initial question. As noted, I responded with how to configure passwordless with Authenticator.
What's the use case here, Mirza Dedic? Ever considered using FIDO2 keys if security is the primary requirement?
- Mirza Dedic, Oct 25, 2021, Brass Contributor
The use case here is to protect Windows login with strong authentication by enabling multi-factor during the login process (as an alternative to Windows Hello). When I log in to Windows using my corporate user/pass, use the Authenticator app to approve/deny the login.
Duo does this for us, it prompts for MFA during login to Windows. We would like to standardize on using Azure MFA (conditional access). Okta has an agent you can install that does this as well.
Here is what it looks like: https://i.ibb.co/Lknzc7S/login-ss.png
- Oct 25, 2021
I get it, and FIDO2 is not an option?
- BilalelHadd, Oct 14, 2021, Iron Contributor
There isn't such functionality within Conditional Access that will require users to use MFA when signing in. So in the above scenario, Windows Hello for Business is the way to go.