Oct 12 2021
- last edited on
Jan 14 2022
We have domain joined Windows 10 computers, synced to Azure AD (hybrid join). In Azure we have conditional access MFA. Devices are managed by MECM/Intune.
How can we enable MFA prompt during Windows login? I know that Windows Hello and FIDO2 exists however this route has a lot of overhead compared to having a GINA/CP logon agent.
This isn't anything new or ground breaking, we want to enable Authenticator MFA prompt when users login with their username/password to the workstation.
Duo and Okta has this feature for many years now. It has been requested and suggested on the now defunct. Azure feedback site for awhile.
Is there anything in the works to have something like this? Not everyone in the enterprise wants to roll Windows Hello or FIDO2.
Oct 13 2021 12:17 AM
@Mirza Dedic Hello, yes of course. You can go passwordless with the Authenticator, you can even narrow it down so it's the only option that can be used (but perhaps not recommended). You simply have to enable it in Azure and add your users.
Then use a conditional access policy requiring MFA and direct your users to https://aka.ms/mysecurityinfo to set up their info.
You can also use a TAP if no other methods are set up
Oct 13 2021 01:29 PM
@ChristianJBergstrom How do you set up a conditional access policy to require MFA at windows logon?
Oct 13 2021 11:36 PM
Oct 14 2021 12:25 AM
Oct 25 2021 02:41 PM
Oct 26 2021 10:54 AM - edited Oct 26 2021 11:05 AM
It would be beneficial if we can leverage our existing MFA (AAD P2) subscription without additional overhead of carrying around a Yubico FIDO2 security key.
If there was a Windows GINA/CP logon agent that can be deployed and invoked during login, it would be trivial to roll this out in an MECM/Intune managed environment. It would be very useful for us.
Oct 26 2021 11:36 AM
Oct 26 2021 12:46 PM - edited Oct 26 2021 12:48 PM
I think I understand what the requirement here is - you simply want to require username/password and MFA Authenticator at Windows login without 3rd party and without FIDO2 keys. As far as I know, this is not possible.
Even if it would I would argue this does not really give you a good user experience to require you to bring out your phone every time you need to login to your computer and every time you need to unlock your screen.
What you can do once the user is logged in, you can require MFA to access any cloud resources using Conditional Access. Sure, you can login to the computer but you can't access anything without MFA.
We see best user experience to ask users to enroll for Windows Hello for Business using Face login andnhave cameras that support it. But WHfB does not roam multiple computers so it mostly usable on personal/laptop computers.