Score:1

Azure MFA for Windows 10 PC login

Is there a way to use Azure MFA (using the Authenticator app) for Windows 10 desktop logins? The goal is that users who log in on a domain PC need to authenticate via the Microsoft Authenticator app for every login on the PC. I know there is a similar question that is two years old. It says that it was not possible at that time. Otherwise there are articles that say it is possible using Azure hybrid join. Our domain environment consists of 50 domain PCs. We have our AD users synced to Azure but not the PCs yet. What is the best way to achieve the goal? Is that even possible? Thank you for your help!

Score:2
The solution would depend both on user account type and device type.

Microsoft accounts (personal)

Currently only personal Microsoft accounts (e.g. @outlook.com) are fully supported for passwordless login to Windows 10/11 using Authenticator app.

Azure AD accounts (work or school) on Azure AD joined devices

There is a feature which is called Web sign-in and it allows signing in to Windows using Azure AD account and Authenticator app. Unfortunately it is supported only on Azure AD joined devices, but not on hybrid PCs. Also, it is currently in preview with no clear ETA, so it might not be ready for production yet.

Azure AD account or AD account on a hybrid Azure AD joined device or domain device

You can still achieve passwordless login for domain accounts (hybrid or on-prem) using Windows Hello for Business (WHfB) via device PIN, biometrics, smart card or FIDO2 key. Authentication app is not supported for this scenario. Basically, WHfB replaces username and password sign-in to Windows with strong user authentication based on an asymmetric key pair. It gets a bit tricky down from here. E.g. WHfB is NOT the same as Windows Hello, even though it has the exact same words in it (I know, right). The deployment might get complicated based on your current environment. More info can be found in the official deployment guide.
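Since the answer above makes the right option depend on the device's join state (Azure AD joined vs. hybrid vs. domain-only), here is an added PowerShell check, not part of the original answer, that reads the built-in `dsregcmd /status` output and reports the join type and whether a Windows Hello for Business key is already provisioned. The field names (AzureAdJoined, DomainJoined, NgcSet, AzureAdPrt) are the ones dsregcmd prints; the classification logic and function names are this example's own.

```powershell
# Added example, not from the original answer: classify a PC's join state and
# WHfB provisioning from `dsregcmd /status` (built into Windows 10/11).
function Get-DsregStatus {
    # Parse "Key : Value" lines into a hashtable; section headers have no colon
    # and are skipped. Assumes the standard dsregcmd output format.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Get-WindowsSignInCapability {
    param([hashtable]$Status = (Get-DsregStatus))

    $aad    = $Status['AzureAdJoined'] -eq 'YES'
    $domain = $Status['DomainJoined']  -eq 'YES'

    # Both flags set = hybrid Azure AD joined; only AzureAdJoined = cloud joined;
    # only DomainJoined = on-prem AD without a device object in Azure AD yet.
    $joinType = if ($aad -and $domain) { 'Hybrid Azure AD joined' }
                elseif ($aad)          { 'Azure AD joined' }
                elseif ($domain)       { 'Domain joined only (device not synced to Azure AD)' }
                else                   { 'Not joined' }

    [pscustomobject]@{
        JoinType           = $joinType
        # NgcSet = YES means a WHfB (Next Generation Credential) key exists for this user.
        WHfBKeyProvisioned = $Status['NgcSet'] -eq 'YES'
        # A Primary Refresh Token shows the user has an Azure AD session on this device.
        HasAzureAdPrt      = $Status['AzureAdPrt'] -eq 'YES'
        # Per the answer: Authenticator-app web sign-in applies to Azure AD joined
        # devices only; hybrid and domain-only PCs need WHfB, smart card or FIDO2.
        AuthenticatorWebSignInEligible = ($aad -and -not $domain)
    }
}

Get-WindowsSignInCapability | Format-List
```

Run it in the signed-in user's own (non-elevated) session so the User State section, which holds NgcSet and AzureAdPrt, is populated for that user.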

Sardar Agabejli:
And is it possible to use Windows Hello in combination with the regular domain password? So that the user enters his username and password and additionally authenticates by biometrics or PIN? Do you maybe know if Microsoft will enroll Azure MFA for domain PC login in future?
Jevgenij Martynenko:
I am not aware of MS plans to implement the feature for hybrid-joined PCs. Windows Hello for Business (WHfB) replaces username and password sign-in to Windows with strong user authentication based on an asymmetric key pair. WHfB is available in 3 models: Azure AD cloud, hybrid and on-prem. It gets a bit tricky down from here. E.g. WHfB is NOT the same as Windows Hello, even though it has the exact same words in it (I know, right). You can get detailed info on WHfB deployment here: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-deployment-guide
Jevgenij Martynenko:
Updated my answer with information about using the Authenticator app for passwordless logon on AAD joined devices.
djdomi:
If you really want to have passwordless, maybe a FIDO key or smart card login could be a chance.