Forum Discussion

Marco de Bock's avatar
Marco de Bock
Copper Contributor
Apr 29, 2018

Default security settings for Office 365 for first account logon on new device

I am trying to figure out where to change the security settings on Office 365 when a user logs on to a new device for the first time.

 

Story: I created a new Office 365 tenant, added some standard users (no sync, just cloud users), leaving all settings at their defaults. This means no MFA, no extra device policy, etc. Then I joined a new / re-installed Windows 10 laptop to Azure AD by selecting 'this laptop is for work' in the OOBE (aka first run experience). Then, again using a standard user, I get two remarks regarding authentication:

 

  1. A PIN code is required for extra security at logon ("Your organization requires Windows Hello") > Set up PIN.
  2. The user needs to confirm its identity. ("Your admin has required that you set up this account for additional security verification") > Set it up now. Options are phone call, SMS or mobile app).

During testing, it seems that step 2 is a consequence of step 1. But I am not 100% sure. 

 

My question is: where do these requirements come from? I haven't set any of these settings. I looked 'everywhere' in the Office 365 admin portal and in the Azure Portal but could not find any setting that regulates this experience. For example:

 

  • AAD admin center > Devices > Device Settings > Require MFA to join devices: No (=default)
  • AAD admin center > Devices Password Reset > Registration > Require users to register when signing in: No (switched from the default yes, but as expected had no effect)

I tested this on two new tenants, with two laptops, and the experience was the same.

 

I want to disable these requirements for a specific tenant with low security requirements. If someone can point me in the right direction that would be great.

 

Thanks,

Marco

 

 

 

  • Yup, they are connected. The PIN code requirement is enforced from the device, that's basically the "gesture" used for Windows Hello (or the fallback in this scenario). As this is considered very sensitive, it triggers the MFA challenge as well. You can disable it via GPOs (not recommended) or you can use an Intune policy that does not require Windows Hello (and thus the MFA challenge): https://docs.microsoft.com/en-us/intune-classic/deploy-use/control-microsoft-passport-settings-on-devices-with-microsoft-intune

    • Marco de Bock's avatar
      Marco de Bock
      Copper Contributor

      Hi Vasil,

       

      Thanks! So my preliminary conclusion was right. The PIN code triggers the MFA requirement. I just did not realize that the PIN code comes from Windows Hello for Business and you pointed me in the right direction.

       

      Apparently, disabling Windows Hello for Business requires Intune, and cannot be done using the Office 365 built-in MDM device policies. When searching for "office 365 disable windows hello" I see a lot of disappointment that you need Intune to disable this behavior when exclusively using Azure AD joined devices. Microsoft requiring clients to spend money to disable a forcefully pushed security feature? Not the way to go I think for Microsoft.

       

      Well, at least now I know and I can advise my client on the options available.

       

      Thanks again,

      Marco

       

       

       

    • Azim null's avatar
      Azim null
      Copper Contributor

      Yes, but if we have it disabled via Intune, it still challenges to create a PIN. I have several customers who do not want to leverage a PIN and have Hello completely disabled and Windows STILL challenges us to create a pin on first login. This flies in the face of the intended config. 

  • Marco de Bock For me, I found the requirements were coming from the Security Defaults on the new Azure Domain. Disabling them removed the "Your admin has required that you set up this account for additional security verification" message during AutoPilot and basically work. Hope this helps someone!

Resources