Forum Discussion
Mirza Dedic
Oct 13, 2021, Brass Contributor
Request for Windows GINA/CP logon agent for Microsoft Authenticator (MFA)?
Hi, We have domain joined Windows 10 computers, synced to Azure AD (hybrid join). In Azure we have conditional access MFA. Devices are managed by MECM/Intune. How can we enable MFA prompt dur...
Oct 25, 2021
I get it, and is FIDO2 not an option?
Mirza Dedic
Oct 26, 2021, Brass Contributor
It would be beneficial if we can leverage our existing MFA (AAD P2) subscription without additional overhead of carrying around a Yubico FIDO2 security key.
If there was a Windows GINA/CP logon agent that can be deployed and invoked during login, it would be trivial to roll this out in an MECM/Intune managed environment. It would be very useful for us.
Oct 26, 2021
Not sure when the replacement for Azure UserVoice will be live (Teams UV is still active) but I found this very old request and have no idea if this is the new one: https://feedback.azure.com/d365community/idea/0fa56c4f-b125-ec11-b6e6-000d3a4f0789
It would have been great to access the former site to see the comments on the MFA requests.
For reference:
https://support.microsoft.com/en-us/office/uservoice-pages-430e1a78-e016-472a-a10f-dc2a3df3450a
JonasBack
Oct 26, 2021, Steel Contributor
I think I understand what the requirement here is - you simply want to require username/password and MFA Authenticator at Windows login without 3rd party and without FIDO2 keys. As far as I know, this is not possible.
Even if it were possible, I would argue this does not really give you a good user experience: it requires you to bring out your phone every time you need to log in to your computer and every time you need to unlock your screen.
What you can do once the user is logged in is require MFA to access any cloud resources using Conditional Access. Sure, you can log in to the computer, but you can't access anything without MFA.
We see the best user experience when we ask users to enroll for Windows Hello for Business using face login and have cameras that support it. But WHfB does not roam across multiple computers, so it is mostly usable on personal/laptop computers.
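The Conditional Access approach JonasBack describes (MFA for all cloud resources after the local Windows logon) can be expressed as a policy object. The following is an added example, not code from the thread or from Microsoft; it uses the Microsoft Graph PowerShell SDK, assumes the Microsoft.Graph module is installed with the Policy.ReadWrite.ConditionalAccess permission granted, and uses a placeholder object ID for an excluded emergency-access account.

```powershell
# Added example: create a Conditional Access policy that requires MFA for all
# cloud apps, using the Microsoft Graph PowerShell SDK (not from the thread).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder object ID (not a real account) of an emergency-access
# ("break-glass") account, excluded so an Authenticator or phone outage
# cannot lock administrators out of the tenant.
$breakGlassAccountId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "Require MFA for all cloud apps"
    # Report-only first: the sign-in logs then show which sign-ins the policy
    # would have blocked before it is switched to "enabled" and enforced.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassAccountId)
        }
        applications   = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# Creates the policy; the returned object carries the new policy's Id and State.
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Leave the policy in report-only mode until the sign-in logs confirm that legacy clients and service accounts are not affected, then set `state` to `enabled`.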