Microsoft Tech Community

[FIXED] How to prevent sign in page from asking new users for additional security verification

Update: thanks for all the suggestions, I figured out it was the Windows insider that was causing it.

When I installed Windows 10 build 1909 on a Hyper-V VM and signed into it during installation using AAD, I was not asked to provide a phone number.

It was also a new user that I created with no admin rights.

I'm trying to build an AAD-based environment and created a few users with standard rights (non-administrators). When I go to one of my Windows 10 machines and try to join it to AAD using a work/school account, after entering email and password, I'm presented with this screen asking for a phone number and verification. I'm looking for a way to stop it from appearing.

There is another option in that drop-down menu that is for using an authenticator app to receive codes, but I want to entirely disable this "additional security verification" for the users I create in my AAD.

Untitled.png

10 Replies
Are you enrolling them into Intune?

If so, you should disable Windows Hello for Business.
Intune - Device Enrollment - Windows - Hello for Business - put it to disabled.

@Thijs Lecomte 

Hi,

I did what you suggested but it's still asking for a phone number.

The user I created is a normal (non-Administrator) user and password reset self service is set to "none".

I'm using the Microsoft 365 Business Trial.

The Windows 10 that I am trying to sign in to already has a local administrator (an outlook.com personal account).

Also, I am using Windows 10 Insider fast ring build 19018.

This is where I am trying to sign in.

Annotation 2019-11-11 142639.png

So you are trying to log into the new account page?
That's where you are getting MFA?

@Thijs Lecomte 

I'm trying to log in on the page I showed in my screenshot above, Windows 10 settings.

Also, MFA is disabled for all my accounts.

@HotCakeX this could be either Security Defaults (See https://aka.ms/securitydefaults for more info) or Azure AD > Conditional Access (unlikely if you have not configured this).

Also look in Azure AD > Sign Ins and look at the logins, click on Conditional Access and it will say if any policies were applied.

Also, FYI, the page that shows whether MFA is enabled or not always shows disabled if MFA is enforced through either of the above methods.
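The sign-in log check suggested in the reply above can also be run over exported records instead of the portal. The following is an added example, not part of the thread or of any Microsoft tooling: it assumes the records use the field names of the Microsoft Graph `signIn` resource, the sample data is constructed, and `mfa_source` and `triage` are hypothetical helper names.

```python
import json

# Constructed sample: two sign-in records shaped like the Microsoft Graph
# signIn resource (field names assumed from that schema, values invented).
SAMPLE_SIGNINS = json.loads("""
[
  {"userPrincipalName": "newuser@contoso.example",
   "appDisplayName": "Device Registration Service",
   "conditionalAccessStatus": "notApplied",
   "authenticationRequirement": "multiFactorAuthentication",
   "appliedConditionalAccessPolicies": [
     {"displayName": "Require MFA for admins", "result": "notApplied",
      "enforcedGrantControls": []}]},
  {"userPrincipalName": "admin@contoso.example",
   "appDisplayName": "Azure Portal",
   "conditionalAccessStatus": "success",
   "authenticationRequirement": "multiFactorAuthentication",
   "appliedConditionalAccessPolicies": [
     {"displayName": "Require MFA for admins", "result": "success",
      "enforcedGrantControls": ["mfa"]}]}
]
""")

def mfa_source(record):
    """Return (source, policy_names) explaining why a sign-in required MFA."""
    if record.get("authenticationRequirement") != "multiFactorAuthentication":
        return ("no-mfa-required", [])
    # Keep only policies that were evaluated and enforced an MFA grant control.
    enforcing = [p["displayName"]
                 for p in record.get("appliedConditionalAccessPolicies", [])
                 if p.get("result") in ("success", "failure")
                 and any(c.lower() == "mfa"
                         for c in p.get("enforcedGrantControls", []))]
    if enforcing:
        return ("conditional-access", enforcing)
    # MFA was demanded but no Conditional Access policy applied: the cause
    # lies elsewhere in the tenant, for example Security Defaults.
    return ("not-conditional-access", [])

def triage(records):
    """Map each user principal name to the result of mfa_source()."""
    return {r["userPrincipalName"]: mfa_source(r) for r in records}

if __name__ == "__main__":
    for upn, (source, policies) in triage(SAMPLE_SIGNINS).items():
        print(f"{upn}: {source} {policies}")
```

A `not-conditional-access` result corresponds to the "not applied" value in the portal's Conditional Access column.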

Hi,
Thank you, that FYI is also very helpful.

In my AAD sign-ins, I get this:
"To see sign-in data, upgrade your organization's subscription to include Azure AD P1 or P2. Your current license status: Azure AD Free"
I activated the E5 enterprise plan trial and now I can see the list. In the Conditional Access column, it says "not applied" for all of them.

Also, in the AAD Conditional Access, all of them are off.

Is it possible that the Windows Insider program has something to do with this?

@CloudHal I had the same issue and your suggestion helped. Thanks!

Azure AD -> Properties -> Manage Security defaults and disable Security defaults.

@AdrianStanislawski

I have disabled Azure >> Properties >> Manage Security defaults >> set to "No"

and I'm still being prompted with 2FA when enrolling a new device.

How can I turn off 2FA for my entire organization in O365 and Azure? We use a different IdP and have 2FA turned on with that platform and do not need it in Microsoft.

Hello all,
Is there a way to manage the "additional security verification" prompt (no Windows Insider OS)? Windows Hello for Business (Intune) is not configured; Azure > Properties > Manage Security defaults > already set to No.

I noticed it is related to the PIN request (for devices joined to Azure AD and managed by Intune): if the end user tries to configure a PIN, additional security info appears (of course, just the first time). Is there a way to force/enable the PIN request but disable security verification?

@lucafabbri365 We are also currently working on Windows Hello for Business. These laptops are Azure AD Joined and are managed through Intune. Our customer does not want to use the Microsoft Authenticator app; an SMS or telephone call is fine. How can we disable the Authenticator app? We already have the authenticator app turned off at SSPR and at the authentication methods. Nevertheless, we do get the prompt to use the authenticator app.