Apr 29 2018 - last edited on Jan 14 2022
I am trying to figure out where to change the security settings on Office 365 when a user logs on to a new device for the first time.
Story: I created a new Office 365 tenant, added some standard users (no sync, just cloud users), leaving all settings at their defaults. This means no MFA, no extra device policy, etc. Then I joined a new / re-installed Windows 10 laptop to Azure AD by selecting 'this laptop is for work' in the OOBE (aka first run experience). Then, again using a standard user, I get two remarks regarding authentication:
During testing, it seems that step 2 is a consequence of step 1. But I am not 100% sure.
My question is: where do these requirements come from? I haven't set any of these settings. I looked 'everywhere' in the Office 365 admin portal and in the Azure Portal but could not find any setting that regulates this experience. For example:
I tested this on two new tenants, with two laptops, and the experience was the same.
I want to disable these requirements for a specific tenant with low security requirements. If someone can point me in the right direction that would be great.
Apr 29 2018 11:19 AM
Solution
Yup, they are connected. The PIN code requirement is enforced from the device, that's basically the "gesture" used for Windows Hello (or the fallback in this scenario). As this is considered very sensitive, it triggers the MFA challenge as well. You can disable it via GPOs (not recommended) or you can use an Intune policy that does not require Windows Hello (and thus the MFA challenge): https://docs.microsoft.com/en-us/intune-classic/deploy-use/control-microsoft-passport-settings-on-de...
Apr 29 2018 12:27 PM
Thanks! So my preliminary conclusion was right. The PIN code triggers the MFA requirement. I just did not realize that the PIN code comes from Windows Hello for Business and you pointed me in the right direction.
Apparently, disabling Windows Hello for Business requires Intune, and cannot be done using the Office 365 built-in MDM device policies. When searching for "office 365 disable windows hello" I see a lot of disappointment that you need Intune to disable this behavior when exclusively using Azure AD joined devices. Microsoft requiring clients to spend money to disable a forcefully pushed security feature? Not the way to go I think for Microsoft.
Well, at least now I know and I can advise my client on the options available.
May 16 2018 10:27 AM
Yes, but if we have it disabled via Intune, it still challenges to create a PIN. I have several customers who do not want to leverage a PIN and have Hello completely disabled, and Windows STILL challenges us to create a PIN on first login. This flies in the face of the intended config.
Oct 13 2020 09:32 AM
@WgTech701 If you join the computer to a domain with default security settings the demand for Hello and PIN code is not enforced. Perhaps not what you are looking for.
Dec 19 2021 05:15 PM
@Marco de Bock For me, I found the requirements were coming from the Security Defaults on the new Azure Domain. Disabling them removed the "Your admin has required that you set up this account for additional security verification" message during AutoPilot and it basically worked. Hope this helps someone!
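The replies point at two tenant-side sources for the MFA prompt: Security Defaults and (where a tenant uses them instead) Conditional Access policies. The following read-only check, added here as an example and not taken from any post in the thread, reports which of the two is active so an admin can see where the requirement comes from before changing anything; it assumes the Microsoft.Graph PowerShell SDK and an account with the Policy.Read.All permission, and does not cover the Intune Windows Hello for Business policy mentioned above.

```powershell
# Added example (not from the thread): report whether the tenant enforces MFA through
# Security Defaults or through Conditional Access, using read-only Microsoft Graph calls.
# Assumes the Microsoft.Graph PowerShell SDK and the Policy.Read.All permission.
function Get-TenantMfaEnforcementSource {
    [CmdletBinding()]
    param()

    # Security Defaults: a single tenant-wide toggle exposed on the v1.0 endpoint.
    $defaults = Invoke-MgGraphRequest -Method GET `
        -Uri 'https://graph.microsoft.com/v1.0/policies/identitySecurityDefaultsEnforcementPolicy'

    # Conditional Access policies; only enabled policies whose grant controls include MFA count.
    $caPolicies = (Invoke-MgGraphRequest -Method GET `
        -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies').value
    $mfaPolicies = @($caPolicies | Where-Object {
        $_.state -eq 'enabled' -and $_.grantControls.builtInControls -contains 'mfa'
    })

    # Security Defaults and Conditional Access are mutually exclusive, so at most one branch applies.
    [pscustomobject]@{
        SecurityDefaultsEnabled      = [bool]$defaults.isEnabled
        ConditionalAccessMfaPolicies = @($mfaPolicies | ForEach-Object { $_.displayName })
        Assessment = if ($defaults.isEnabled) {
            'MFA prompts come from Security Defaults (tenant-wide toggle, not tunable per user or device).'
        } elseif ($mfaPolicies.Count -gt 0) {
            'MFA is enforced by Conditional Access; review the listed policies.'
        } else {
            'No tenant-side MFA enforcement: turning off Security Defaults without Conditional Access leaves accounts on password-only sign-in.'
        }
    }
}

Connect-MgGraph -Scopes 'Policy.Read.All'
Get-TenantMfaEnforcementSource | Format-List
```

The third assessment branch is the state the original poster is aiming for; the script only reports it, leaving the decision to disable Security Defaults to the admin.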