Login to Windows 10/11 with Microsoft Account through MFA

Question

Login to Windows 10/11 with Microsoft Account through MFA

Luca Chiavarini 71

I would like to set up 2-factor authentication for Windows (10/11) login. How can I do this using the Microsoft account (registered on the device and on Azure) without using third-party software?

The other thing I would like to do is to set it up through Azure AD or Intune (since all the devices in my tenant are registered on Azure AD and Intune, and they log in to Windows with their microsoft account). How could I do it?

Prrudram-MSFT 28,366 Reputation points Microsoft Employee Moderator

2022-12-21T10:44:27.647+00:00

Hi @Luca Chiavarini ,

Please check the response below and let me know if that helps. If there are any further queries, please tag me in your comments.
Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2022-12-27T10:45:00.933+00:00

@Luca Chiavarini Reviewed this thread and the conversation, Apologies I had to delete the previous conversation as i found misleading.

As I understand you want to achieve 2-factor authentication for Windows 10/11 login (if I am correct you want to implement password-less strategy) - you can refer to this article which explains how you can transition from passwords to password less strategy while login to the device - Windows' password-less strategy and how Windows Hello for Business implements this strategy.

Refer to this video as well - https://www.youtube.com/watch?v=D9U-5y8dIw0

If my understanding of the issue is incorrect, let me know we can connect offline and discuss further on this.
Luca Chiavarini 71 Reputation points

2022-12-27T12:33:19.507+00:00

I don't want to eliminate password access. In fact, I would like to strengthen it with 2-factor authentication for Windows login! How can I do it using Microsoft/Azure account?
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Chris Osuji 0 Reputation points

2024-08-05T18:27:43.0066667+00:00

Am looking at solving the same problem, can anyone tell me who they resolved this problem?

@Luca Chiavarini
IT Manager 0 Reputation points

2024-08-05T21:18:32.2566667+00:00

Having spoken to a rep at Microsoft, I can assure you that it cannot be done with MS products alone, and requires 3rd party software.

This is completely illogical, and is seriously substandard.
nettech 171 Reputation points

2024-10-24T10:22:43.23+00:00

would conditional access on hybrid joined servers and enforced nla require mfa ?
Gary Stewart 0 Reputation points

2025-02-01T20:14:08.2766667+00:00

This needs to be a system enforced solution. Using a cloud provider or on a per-user basis is absolutely ridiculous. I know there has to be a local solution to force MFA on every sign on.

I'm literally trying to use my bluetooth / microsoft authenticator device to only allow pin sign on within proximity (dynamic lock is not working at all). It is completely defeating it's own purpose if I can have my phone off and still use a pin to log in to my computer.

4 answers

Your answer

Prrudram-MSFT 28,366 Reputation points Microsoft Employee Moderator

2022-12-21T10:44:27.647+00:00

Hi @Luca Chiavarini ,

Please check the response below and let me know if that helps. If there are any further queries, please tag me in your comments.
Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2022-12-27T10:45:00.933+00:00

@Luca Chiavarini Reviewed this thread and the conversation, Apologies I had to delete the previous conversation as i found misleading.

As I understand you want to achieve 2-factor authentication for Windows 10/11 login (if I am correct you want to implement password-less strategy) - you can refer to this article which explains how you can transition from passwords to password less strategy while login to the device - Windows' password-less strategy and how Windows Hello for Business implements this strategy.

Refer to this video as well - https://www.youtube.com/watch?v=D9U-5y8dIw0

If my understanding of the issue is incorrect, let me know we can connect offline and discuss further on this.
Luca Chiavarini 71 Reputation points

2022-12-27T12:33:19.507+00:00

I don't want to eliminate password access. In fact, I would like to strengthen it with 2-factor authentication for Windows login! How can I do it using Microsoft/Azure account?
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Chris Osuji 0 Reputation points

2024-08-05T18:27:43.0066667+00:00

Am looking at solving the same problem, can anyone tell me who they resolved this problem?

@Luca Chiavarini
IT Manager 0 Reputation points

2024-08-05T21:18:32.2566667+00:00

Having spoken to a rep at Microsoft, I can assure you that it cannot be done with MS products alone, and requires 3rd party software.

This is completely illogical, and is seriously substandard.
nettech 171 Reputation points

2024-10-24T10:22:43.23+00:00

would conditional access on hybrid joined servers and enforced nla require mfa ?
Gary Stewart 0 Reputation points

2025-02-01T20:14:08.2766667+00:00

This needs to be a system enforced solution. Using a cloud provider or on a per-user basis is absolutely ridiculous. I know there has to be a local solution to force MFA on every sign on.

I'm literally trying to use my bluetooth / microsoft authenticator device to only allow pin sign on within proximity (dynamic lock is not working at all). It is completely defeating it's own purpose if I can have my phone off and still use a pin to log in to my computer.

Answer 1

Nagappan Veerappan 651 Microsoft Employee

@Luca Chiavarini - Login locally /Unlock to windows machine is "Single factor" requirement. Hence once password login they would be able to access the desktop.

Also, its depends on what type of infra (hybrid or cloud only)

If it's hybrid users and you want Password + MFA when RDP to the clients. there are few other routes we can take a look if that suits your need. Like NPS extension with Azure MFA. Also, RDS infra with Azure MFA.
https://learn.microsoft.com/azure/active-directory/authentication/howto-mfa-nps-extension-rdg
https://learn.microsoft.com/azure/active-directory/authentication/howto-mfa-nps-extension

Incase, if it is cloud only setup with AADJ + Intune - Best is default WHFB login (PIN or Bio). However if you are still fond of "password" unlock. you can think of enabling "Phone sign-in". user still be able to unlock with password. But any other application access require phone sign-in from authenticator app.

Hope this helps. Please let us know if you have any more details on your infrastructure

Luca Chiavarini 71 Reputation points

2023-02-22T09:45:04.7733333+00:00
I would like a workflow like the following one:

Turn on my PC

On windows initial screen, now, I login only with password/pin. I would need to implement a 2 factor authentication (password+device action) and not only password/pin. On my device, I need to receive an OTP or use Microsoft Authenticator.

How can I do it with Microsoft technologies?
IT Manager 0 Reputation points

2023-05-11T06:24:51.2466667+00:00

I have been on the runaround to get this going as well, and I have had no luck.

My workstations are AD joined, with Azure AD Hybrid syncing etc. - it does not ask for MFA when logging in to Windows.

I was advised to use Windows Hello, but that only works with fingerprints/faces/smartcards.

I think I may have to go with a non-MS solution for this. (perhaps ManageEngine)
Mint 0 Reputation points

2023-05-11T15:45:15.1466667+00:00

Hi, @Luca Chiavarini

I am facing the same problem, did you find any possible solution to this yet?
Craig Minors 10 Reputation points

2023-07-27T12:37:46.26+00:00
Same here... Would something like a Yubikey resolve this issue?

I don't understand by you can't:

Sign in via Windows Hello Pin / Biometric, then prompted for MFA via Microsoft Authenticator Number Matching.

If you provision a device via Intune, after you authenticate as the user, you are prompted for MFA to enroll the device to Microsoft Intune / Azure AD.
Nagappan Veerappan 651 Reputation points Microsoft Employee

2023-08-30T13:59:02.5666667+00:00

As mentioned above comments, WHFB, FIDO2 logins are default multi-factor credentials.

Something you know (PIN) + something you have (TPM chip or FIDO2 key h/w). Hence you don't need to do special MFA again via microsoft authenticator.

However, one time provision this WHFB, FIDO2 you use your MFA to provision those credentials.

Hope this helps.

Thanks

Nagappan
Doug Tom 30 Reputation points

2023-09-15T18:56:31.6433333+00:00

Nagappan. Your reply is exactly why users hate Microsoft and will stay with competitors. The comments show a clear ask for a feature and how the workflow process is desired to work, yet you reply with arcane acronyms and evade answering the question. It doesn't matter what you mentioned above because we are asking for a direct feature where a user logs in with password, which prompts a MFA thru the authenticator app, and then a successful action grants access to the endpoint. I worked with multiple very large companies and all of them use this exact workflow, though now it seems I know why they all used a 3rd party application to make it work this way.

So instead of understanding that there is a clear use case and demand for this feature, your replies patronize us. So how about someone at microsoft makes this feature available so we don't have to go to a third party solution? To be very direct, put in a feature request, or advise if this request is already being worked for release? Or explain to us in normal terms why the MS software developers constrained themselves from having it work this way and don't want to change the code now.
Nagappan Veerappan 651 Reputation points Microsoft Employee

2023-09-15T20:52:27.4+00:00

Hi Doug,

Sorry, Microsoft vision is towards passwordless. Any feature you ask with password is phishable credentials. If you still love password +MFA world. you are more than welcome to use solution available with the third party.

Reason: you might know already. Passwords are not safe and phishing resistant primary credentials would be good path to move forward.

FYI: As a part of Microsoft vision, you would see new preview win11 build where you can remove password totally from the OS.

Hope this helps

Regards

Nagappan V
Yabby 0 Reputation points

2023-09-17T22:20:04.4866667+00:00

Hi Nagappan,

My company is requiring me to do exactly this ! -> Password + MFA code.

Using native windows - without 3rd party software. (No Hello!)

I have an on-prem AD, which I am syncing with Azure (Or whatever you are calling it now).

Please implore your managers to allow us to do this!

Thanks.

I agree completely with Doug Tom (above). It is a no-brainer - Why are you forcing us to go to a 3rd party app - when you have the best knowledge and integration skills to do this properly?
Doug Tom 30 Reputation points

2023-09-18T12:41:24.5766667+00:00

Nagappan,

I appreciate you directly answered the question. It is an acceptable answer (even though I would prefer to use the logon process as requested). I appreciate the direct communication so we can fully understand and make business decisions rather than wonder if it was some sort of bug or feature that is being worked. I ask that all community responses are this direct.
Nagappan Veerappan 651 Reputation points Microsoft Employee

2023-09-18T14:53:52.3533333+00:00

@Yabby

Sorry, I may be repeating here. Microsoft vision is towards Passwordless. Please don't expect feature with password combination.
Does your org like direct Phons sign ins via authenticator app?. This is in preview in new AAD joined machines with "Web Sign in" options. Earlier we allow TAP only credentials. But from this Sep- release "Web Sign in" on AADJ users can use Phone sign in.

Hope this helps

Regards

Nagappan V
Jasen L. Webster 0 Reputation points

2025-02-26T22:15:23.8633333+00:00

I understand Microsoft's vision for passwordless logins. However, that vision has blinders and is missing part of the picture. Not all Windows computers have biometrics (fingerprint scanners/cameras). Windows natively does not require passwordless logins. If people are not able to use a 3rd party solution, then they are left with using traditional password logins without MFA.

The vision should be to have all logins be secure with what you have and what you know by at least using MFA, then steer people towards passwordless, if the technology they own support it.
Craig Minors 0 Reputation points

2025-02-27T09:54:15.4133333+00:00

Can you not use 'Windows Hello' with the pin format? We use a combinate of pins and we're testing Fido2 keys (Yubikey).

Passwordless is 100% the way to go though.
Erez Atia 0 Reputation points

2025-04-10T08:10:31.2566667+00:00

@Nagappan Veerappan though almost 2 years passed since last comment, it appears MS still uses password as the default way to access Windows, while offering other passwordless techniques as optional. So visions aside, allow me, me being a total ignorant of the professional IT and whatever terminology, but a 30 plus years savvy user, offer this as a solution: Let's assume @Doug Tom and @Yabby would agree to use a passwordless method as the first credential authentication, say fingerprint (not all PCs as this functionality, but we assume MS doesn't care). Now we want to add a second line of defense - MFA, Whether it be MS Auth app, Face recognition, PIN (is it not a password method?), etc. In current environment, Can you offer a solution?

Thank you in advance
Keith Corkran 0 Reputation points

2025-04-23T13:06:42.74+00:00

I tend to agree with the folks asking for the option to prompt for MFA "when" password option is selected. That would make you AzureFiles solution less problematic when the Microsoft kerberos system refuses to issue a proper ticket and the MFA requirement is not met due to the single factor of the WHFB token. Its a dozen support calls every time patching touches anything to do with kerberos ticketing.

Answer 2

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more

Answer 3

nettech 171

if you have 10 or less users duo solution is free, anything over 10 you would sign up for a duo account but this solution would do exactly what the op asked for just with a 3rd party software all computers would need an rdp agent installed and one or more servers would need to have duo proxy installed

Answer 4

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more

Share via

Login to Windows 10/11 with Microsoft Account through MFA

4 answers

Your answer