How to enable MFA (via DUO) for AAD joined Windows devices

John Case 20 Reputation points
2023-03-22T14:15:55.5866667+00:00

We are attempting to enable MFA for Windows logins for devices that are AAD joined (not hybrid). Ultimately we would like to use Duo as our MFA provider, and I've followed their instructions for setup located here.

https://duo.com/docs/azure-ca

We have conditional access set up, and it works great when we join a device to AAD, but we can't get it to come up when a user logs into a laptop. Is there a specific CA policy that can be used that includes Windows Sign In?

Microsoft Security | Microsoft Entra | Microsoft Entra ID
Windows for business | Windows Client for IT Pros | User experience | Other

Accepted answer
  1. Michael Durkan 12,241 Reputation points MVP
    2023-03-22T19:10:45.4533333+00:00

    Hi

    The DUO control you have installed above is more to do with conditional access to applications in the same way as native Azure MFA would work with Authenticator.

    MS does not allow any Azure MFA at the time of Windows login, so you would need a 3rd party tool. From a DUO perspective you could use the RDP/Console MFA offering to make this work:

    https://duo.com/docs/rdp

    You should already be licensed for this with your existing DUO subscription.

    Hope this helps,

    Thanks

    Michael Durkan

    • If the reply was helpful please upvote and/or accept as answer as this helps others in the community with similar questions. Thanks!
    1 person found this answer helpful.
