Hybrid AD and MFA on Windows login: is it possible?

RT-7199 471 Reputation points
2022-09-26T15:08:00.913+00:00

Is it possible to have MFA at Windows login with a hybrid-joined system?

I have tried a few scenarios, but I don't see any sign-in attempts in the AAD logs.

PC has on-prem AD line of sight: no sign-in detected in Azure.
PC is remote and does not have on-prem AD line of sight: locked, rebooted, signed out, still no sign-in detected in Azure.

What do we need to do to have MFA at Windows login, or should we look for a 3rd-party solution if it's not possible with AAD?
Management is asking for MFA at login, whether on-prem or remote.

Accepted answer
  1. JimmySalian-2011 41,916 Reputation points
    2022-09-26T15:18:36.023+00:00

    That is correct, it is not possible. Check and read this detailed information. WHFB is the only solution, and I will say from on-field experience that many have moved to using it, as it locks down with the biometrics on the devices and it is as good as MFA. azure-active-directory-mfa-multi-factor-authentication

    Hope this helps, and please don't forget to upvote and accept as answer if the reply is helpful.

    If this answer helped you please mark it as "Verified" so other users can reference it.

    ==
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


2 additional answers

  1. JimmySalian-2011 41,916 Reputation points
    2022-09-26T15:10:45.71+00:00

    Hi,

    I do not think there is MFA at the login for Azure; however, all MFA is targeted at applications/resources, and none of it targets Windows login via Conditional Access. Also, you can try out Windows Hello for Business as a security measure and passwordless feature.

    Third-party products might be there, but no idea.



  2. RT-7199 471 Reputation points
    2022-09-26T15:15:16.053+00:00

    Thanks for the response, @JimmySalian-2011.
    So if I understand correctly, this would not be possible even if the device was Azure AD joined and not hybrid joined.
