[FIXED] How to prevent sign in page from asking new users for additional security verification


Update: thanks for all the suggestions, I figured out it was the Windows insider that was causing it.

When I installed Windows 10 build 1909 on a Hyper-V VM and signed into it during installation using AAD, I was not asked to provide a phone number.

It was also a new user that I created with no admin rights.

 

I'm trying to build an AAD-based environment and created a few users with standard rights (non-administrators). When I go to one of my Windows 10 machines and try to join it to AAD using a work/school account, after entering email and password, I'm presented with this screen asking for a phone number and verification. I'm looking for a way to stop it from appearing.

There is another option in that drop-down menu that is for using an authenticator app to receive codes, but I want to entirely disable this "additional security verification" for the users I create in my AAD.

 


@HotCakeX This prompt would be from the self-service password reset functions in AAD. If you attempt to disable it, then users would not be able to reset their own password. 

 

If you want to try, in AzureAD set Self Service Password Reset to either select or none. Then redo the join.

 

The prompt will still appear if you require AzureAD MFA as well. When you join a PC, it will MFA the user. 

 

Cheers

 

Craig

 


 

Hi @Craig Wilson 

Thank you,

So I went to my Azure Active Directory Admin Center
https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/PasswordReset

and it was set to "none" by default.

 

And then I saw this notice:

 

  • "These settings only apply to end users in your organization. Admins are always enabled for self-service password reset and are required to use two authentication methods to reset their password. Click here to learn more about administrator password policies."

 

So I think end-users are normal/standard/non-admin users.

 


 

So far everything is set correctly, right?

But I am still getting this message!

 


 

 

@Craig Wilson 

I also checked out this place

 


 

Everything looks fine here too.

 

Is there any other place I can check? I have no idea why it's still telling me that my organization needs additional information.

By the way, I'm using a trial 1-month subscription for Office 365 Business Premium.

@HotCakeX 

In Windows 10 version 1803 Microsoft introduced a setting that required accounts to have a password reset option. The setting was forced for Admin accounts. This could be what is impacting you. The settings you have shown are the correct ones for disabling self-service password reset. 

 

The method to get around the local admin being forced was to create a local user first on the workstation, then disable the local policy. This would not work on a clean install as someone would have to login first.

 

How are you deploying Windows 10? Is it via Autopilot?

 

You could try setting the account up for password reset then try the Windows 10 again? You should be able to do this by assigning a user a mobile number in Azure AD.

 

I will try a few things later today and see if I can get around the prompt.

 

Cheers

 

Craig

 

Thank you very much,

I haven't deployed it anywhere, just testing it on my local machine, but I will try it on a Hyper-V VM soon and report back.
This time I will be signing into my AAD account instead during the first Windows setup screen and will choose a non-Insider build.