Home

How to logon with Azure AD credentials on a Windows 10 device with MFA enabled

%3CLINGO-SUB%20id%3D%22lingo-sub-217313%22%20slang%3D%22en-US%22%3EHow%20to%20logon%20with%20Azure%20AD%20credentials%20on%20a%20Windows%2010%20device%20with%20MFA%20enabled%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-217313%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20together%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Emaybe%20one%20of%20you%20have%20got%20the%20same%20requirements%20and%20run%20into%20the%20same%20problem.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Esituation%3A%3C%2FP%3E%3CP%3EWindows%2010%20enterprise%20or%20windows%2010%20s%3C%2FP%3E%3CP%3EMicrosoft%20Intune%20Cloud%20(EMS)%3C%2FP%3E%3CP%3EMicrosoft%20Multi-Factor%20Authentication%20(MFA)%20on-premises%20handled%20by%20ADFS%20(internal%20no%20mfa%2C%20external%20(wap)%20force%20mfa)%3C%2FP%3E%3CP%3ECompany%20Wifi%20protected%20with%20certificates%3C%2FP%3E%3CP%3ECredentials%20from%20Azure%20AD%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EProblem%201%3A%3C%2FP%3E%3CP%3EAs%20far%20as%20I%20have%20found%2C%20Intune%20is%20only%20able%20to%20deploy%20user%20certificates%20(SCEP%20profile)%20for%20wifi%20on%20windows%20devices.%20This%20causes%20us%20that%20you%20initially%20can%20only%20logon%20with%20your%20azure%20ad%20credentials%20to%20a%20windows%20machine%20if%20you%20have%20plugged%20in%20the%20company%20network%20or%20you%20have%20a%20public%20wifi%20connection%20with%20no%20authentication%2C%20so%20that%20you%20can%20connect%20to%20a%20wifi%20on%20the%20logon%20screen.%20Does%20anyone%20managed%20to%20deploy%20client%20certificates%20with%20Intune%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EProblem%202%3A%3C%2FP%3E%3CP%3EAs%20mentioned%20above%20we%20use%20MFA%20on-premises%20and%20it%E2%80%99s%20handled%20by%20adfs.%20If%20a%20user%20authenticates%20from%20external%20(over%20wap)%20we%20force%20mfa%20on%20adfs%20side.%20This%20is%20fine%20for%20web%20applications%20and%20other%20apps%20but%20it%20seems%20that%20windows%20logon%20cannot%20handle%20mfa%20request%20and%20therefore%20it%20fails.%20Does%20anyone%20know%20if%20this%20can%20be%20achieved%20somehow%20that%20this%20scenario%20works%3F%20Could%20this%20be%20handled%20by%20conditional%20access%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20goal%20should%20be%20that%20we%20can%20use%20a%20windows%2010%20enterprise%20or%20windows%2010%20s%20device%20with%20azure%20ad%20credentials%20which%20is%20authenticated%20to%20our%20company%20wifi%20network%20at%20logon%20screen%20already%20and%20that%20we%20can%20use%20multi-factor%20authentication%20somehow.%3C%2FP%3E%3CP%3EThanks%20in%20advance%20for%20any%20input!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-217313%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EConditional%20Access%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMulti-Factor%20Authentication%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Ewindows%2010%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-218710%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20logon%20with%20Azure%20AD%20credentials%20on%20a%20Windows%2010%20device%20with%20MFA%20enabled%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-218710%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20latest%20Windows%2010%20Insider%20build%20(17713%20)%20brings%20us%20Web-sign%20in%2C%20is%20that%20what%20you%20are%20looking%20for%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CEM%3EUntil%20now%2C%20Windows%20logon%20only%20supported%20the%20use%20of%20identities%20federated%20to%20ADFS%20or%20other%20providers%20that%20support%20the%20WS-Fed%20protocol.%20We%20are%20introducing%20%E2%80%9CWeb%20Sign-in%2C%E2%80%9D%20a%20new%20way%20of%20signing%20into%20your%20Windows%20PC.%20Web%20Sign-in%20enables%20Windows%20logon%20support%20for%20%26nbsp%3Bnon-ADFS%20federated%20providers%20(e.g.%20SAML).%3C%2FEM%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CEM%3E%3CI%3E%3CFONT%3E%3CA%20href%3D%22https%3A%2F%2Fblogs.windows.com%2Fwindowsexperience%2F2018%2F07%2F11%2Fannouncing-windows-10-insider-preview-build-17713%2F%23e5zyu08iAdTeBS4s.97%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fblogs.windows.com%2Fwindowsexperience%2F2018%2F07%2F11%2Fannouncing-windows-10-insider-preview-build-17713%2F%23e5zyu08iAdTeBS4s.97%3C%2FA%3E%3C%2FFONT%3E%3C%2FI%3E%3C%2FEM%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-217834%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20logon%20with%20Azure%20AD%20credentials%20on%20a%20Windows%2010%20device%20with%20MFA%20enabled%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-217834%22%20slang%3D%22en-US%22%3E%3CP%3EI%20was%20looking%20for%20the%20same%20and%20found%20this%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%22No%2C%20you%20cannot%20secure%20console%20loggings%20with%20MFA.%20For%20windows%2010%2C%20you%20can%20perform%20MFA%20when%20doing%20an%20AAD%20Join.%20Once%20that%20is%20done%2C%20the%20device%20is%20considered%20a%20trusted%20device%20and%20MFA%20shouldn%E2%80%99t%20be%20required%20anymore.%20We%20are%20relying%20on%20windows%20password%20and%20windows%20hello%20for%20business%20for%20strong%20authentication%20on%20the%20device.%3C%2FSPAN%3E%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Efrom%3A%20%3CA%20href%3D%22https%3A%2F%2Fsocial.msdn.microsoft.com%2FForums%2Fazure%2Fen-US%2Fac4b91ff-b0ec-4b50-a07c-b31696c71cf4%2Fazure-mfa-amp-domain-login-security%3Fforum%3Dwindowsazureactiveauthentication%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsocial.msdn.microsoft.com%2FForums%2Fazure%2Fen-US%2Fac4b91ff-b0ec-4b50-a07c-b31696c71cf4%2Fazure-mfa-amp-domain-login-security%3Fforum%3Dwindowsazureactiveauthentication%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-217522%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20logon%20with%20Azure%20AD%20credentials%20on%20a%20Windows%2010%20device%20with%20MFA%20enabled%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-217522%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Philipp%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eit's%20currently%20not%20possible%20to%20deploy%20device%20certificates%20with%20Intune.%20There%20is%20a%20uservoice%20item%20for%20it%20where%20you%20can%20vote%20for%3A%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fmicrosoftintune.uservoice.com%2Fforums%2F291681-ideas%2Fsuggestions%2F19805320-deploy-unique-computer-certificates-using-intune-s%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fmicrosoftintune.uservoice.com%2Fforums%2F291681-ideas%2Fsuggestions%2F19805320-deploy-unique-computer-certificates-using-intune-s%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20long%20as%20there%20are%20no%20device%20certificates%20you%20have%20to%20use%20a%20different%20authentication%20for%20your%20Wi-Fi.%20I%20know%20it's%20not%20ideal%20at%20the%20moment.%20My%20customers%20are%20struggling%20with%20this%20fact%20also.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20you%20are%20using%20AAD%20joined%20devices%20then%20I%20suggest%20to%20use%20Windows%20Hello%20for%20Business%20for%20device%20authentication%20(Windows%20Logon).%20This%20gives%20you%20a%20kind%20of%20MFA%20(device%20level%2C%20you%20need%20to%20have%20the%20device%20and%20pin%20or%20biometric)%20for%20the%20Windows%20Logon.%20For%20all%20your%20cloud%20applications%20or%20published%20applications%20via%20Azure%20App%20Proxy%20I%20would%20choose%20Conditional%20Access%20to%20enforce%20MFA.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ebest%2C%3C%2FP%3E%3CP%3EOliver%3C%2FP%3E%3C%2FLINGO-BODY%3E
Deleted
Not applicable

Hi together,

 

maybe one of you have got the same requirements and run into the same problem.

 

situation:

Windows 10 enterprise or windows 10 s

Microsoft Intune Cloud (EMS)

Microsoft Multi-Factor Authentication (MFA) on-premises handled by ADFS (internal no mfa, external (wap) force mfa)

Company Wifi protected with certificates

Credentials from Azure AD

 

Problem 1:

As far as I have found, Intune is only able to deploy user certificates (SCEP profile) for wifi on windows devices. This causes us that you initially can only logon with your azure ad credentials to a windows machine if you have plugged in the company network or you have a public wifi connection with no authentication, so that you can connect to a wifi on the logon screen. Does anyone managed to deploy client certificates with Intune?

 

Problem 2:

As mentioned above we use MFA on-premises and it’s handled by adfs. If a user authenticates from external (over wap) we force mfa on adfs side. This is fine for web applications and other apps but it seems that windows logon cannot handle mfa request and therefore it fails. Does anyone know if this can be achieved somehow that this scenario works? Could this be handled by conditional access?

 

 

The goal should be that we can use a windows 10 enterprise or windows 10 s device with azure ad credentials which is authenticated to our company wifi network at logon screen already and that we can use multi-factor authentication somehow.

Thanks in advance for any input!

3 Replies

Hi Philipp,

 

it's currently not possible to deploy device certificates with Intune. There is a uservoice item for it where you can vote for:

https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/19805320-deploy-unique-compute...

 

As long as there are no device certificates you have to use a different authentication for your Wi-Fi. I know it's not ideal at the moment. My customers are struggling with this fact also.

 

If you are using AAD joined devices then I suggest to use Windows Hello for Business for device authentication (Windows Logon). This gives you a kind of MFA (device level, you need to have the device and pin or biometric) for the Windows Logon. For all your cloud applications or published applications via Azure App Proxy I would choose Conditional Access to enforce MFA.

 

best,

Oliver

Highlighted

I was looking for the same and found this:

 

"No, you cannot secure console loggings with MFA. For windows 10, you can perform MFA when doing an AAD Join. Once that is done, the device is considered a trusted device and MFA shouldn’t be required anymore. We are relying on windows password and windows hello for business for strong authentication on the device."

 

from: https://social.msdn.microsoft.com/Forums/azure/en-US/ac4b91ff-b0ec-4b50-a07c-b31696c71cf4/azure-mfa-...

 

The latest Windows 10 Insider build (17713 ) brings us Web-sign in, is that what you are looking for?

 

Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing “Web Sign-in,” a new way of signing into your Windows PC. Web Sign-in enables Windows logon support for  non-ADFS federated providers (e.g. SAML).

 

https://blogs.windows.com/windowsexperience/2018/07/11/announcing-windows-10-insider-preview-build-1...

 

Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
48 Replies
Extentions Synchronization
Deleted in Discussions on
3 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
30 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
13 Replies