I am trying to figure out where to change the security settings on Office 365 when a user logs on to a new device for the first time.
Story: I created a new Office 365 tenant, added some standard users (no sync, just cloud users), leaving all settings at their defaults. This means no MFA, no extra device policy, etc. Then I joined a new / re-installed Windows 10 laptop to Azure AD by selecting 'this laptop is for work' in the OOBE (aka first run experience). Then, again using a standard user, I get two remarks regarding authentication:
1. A PIN code is required for extra security at logon ("Your organization requires Windows Hello") > Set up PIN.
2. The user needs to confirm their identity ("Your admin has required that you set up this account for additional security verification") > Set it up now (options are phone call, SMS, or mobile app).
During testing, it seems that step 2 is a consequence of step 1. But I am not 100% sure.
My question is: where do these requirements come from? I haven't set any of these settings. I looked 'everywhere' in the Office 365 admin portal and in the Azure Portal but could not find any setting that regulates this experience. For example:
AAD admin center > Devices > Device Settings > Require MFA to join devices: No (=default)
AAD admin center > Devices Password Reset > Registration > Require users to register when signing in: No (switched from the default yes, but as expected had no effect)
I tested this on two new tenants, with two laptops, and the experience was the same.
I want to disable these requirements for a specific tenant with low security requirements. If someone can point me in the right direction that would be great.
Thanks! So my preliminary conclusion was right. The PIN code triggers the MFA requirement. I just did not realize that the PIN code comes from Windows Hello for Business and you pointed me in the right direction.
Apparently, disabling Windows Hello for Business requires Intune, and cannot be done using the Office 365 built-in MDM device policies. When searching for "office 365 disable windows hello" I see a lot of disappointment that you need Intune to disable this behavior when exclusively using Azure AD joined devices. Microsoft requiring clients to spend money to disable a forcefully pushed security feature? Not the way to go I think for Microsoft.
Well, at least now I know and I can advise my client on the options available.
Yes, but if we have it disabled via Intune, it still challenges to create a PIN. I have several customers who do not want to leverage a PIN and have Hello completely disabled, and Windows STILL challenges us to create a PIN on first login. This flies in the face of the intended config.
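As an added example (not from this thread and not Microsoft's code), here is a read-only PowerShell check an admin can run on the laptop in question to confirm the two device states the thread revolves around: whether the machine is actually Azure AD joined, and whether a Windows Hello for Business key has already been provisioned for the signed-in user (the NgcSet line that dsregcmd /status prints under User State). The function name Get-HelloJoinState is hypothetical; the script only parses dsregcmd /status and changes no tenant or device setting.

```powershell
# Added example, not part of the original thread. Parses the output of
# "dsregcmd /status" (built into Windows 10) into key/value pairs and reports
# the join state and Windows Hello for Business provisioning state.
function Get-HelloJoinState {
    # dsregcmd prints lines such as "      AzureAdJoined : YES"
    $raw = & dsregcmd.exe /status 2>&1
    $state = @{}
    foreach ($line in $raw) {
        if ("$line" -match '^\s*(\S+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]@{
        AzureAdJoined = ($state['AzureAdJoined'] -eq 'YES')   # Device State section
        TenantName    = $state['TenantName']                  # Device State section
        NgcSet        = ($state['NgcSet'] -eq 'YES')          # User State: Hello key provisioned
    }
}

$s = Get-HelloJoinState
$s | Format-List

# Interpretation for the scenario in this thread: an Azure AD joined device
# whose user has no Hello key yet will be prompted to set up a PIN (and the
# MFA registration that comes with it) at sign-in unless Hello for Business
# has been turned off by policy for that device.
if ($s.AzureAdJoined -and -not $s.NgcSet) {
    Write-Output 'Azure AD joined, no Hello key provisioned: expect the PIN / MFA setup prompt unless Hello for Business is disabled by policy.'
}
elseif ($s.AzureAdJoined -and $s.NgcSet) {
    Write-Output 'Azure AD joined and a Hello key is already provisioned for this user.'
}
else {
    Write-Output 'Device is not Azure AD joined; the Hello for Business prompt described here does not apply.'
}
```

Run it in an elevated PowerShell session as the affected user after the first sign-in; comparing NgcSet before and after applying an Intune policy is a quick way to tell whether the policy actually reached the device or whether the PIN prompt is coming from the default provisioning described earlier in the thread.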