Sep 28 2020 05:52 AM
Hi,
We have an environment full of Azure AD joined Windows 10 devices.
We want to enforce MFA (Hello).
If we set a Windows Hello Intune policy then a user can skip it, therefore it is not enforced. We have tested the MFA registration policy; my understanding is that after 14 days of skipping it should lock the user out of any MS cloud service... but it doesn't; it doesn't seem to do a lot.
Also - even once Hello is registered a user still has the option of logging into the desktop using username and password and therefore bypassing the MFA....
Has anyone got anything similar working?
Thanks
Sep 28 2020 06:21 AM
Sep 28 2020 11:35 AM
@Thijs Lecomte thanks for responding.
I am a bit confused now. As far as I am aware Windows Hello for Business is MFA.... you have the device's certificate plus another form (PIN, facial recognition etc.).
Or are you saying that when Azure/M365 refer to MFA they are talking about password + SMS/app only and Windows Hello doesn't count as MFA (e.g. for MFA registration policy, conditional access etc.)?