Forum Discussion
Require MFA for AAD Hybrid joined devices
VasilMichev Hey Vasil, we think the security issue is that if the laptop is stolen and the password is compromised, the person automatically gets access to all company resources. We understand the technical details behind the scenes of a PRT. But if all we want is a second protection other than a password when the laptop is stolen, this does not satisfy it, correct?
OECM_Support Using this logic, you also have the same problem if a smartphone is stolen and the PIN (which is even easier than a strong password) is known. The attacker would then have access to the MFA app and all M365 passwords, which are probably stored in the device's password manager. I would put the likelihood of someone stealing a smartphone and finding out the PIN higher than that of someone stealing the computer.
The moral of the story: users can lose either a device or its password without being hacked right away. But once they lose both at the same time, there's a real security problem. It would be best to instruct users not to write passwords on a sticker on the device :).