Windows Hello in Conditional Access Rule?

Question

Windows Hello in Conditional Access Rule?

CharlesP 56

I'm reading through the documentation on Authentication Strengths within the Conditional Access rules.

https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-strengths

I notice they list Windows Hello as one of the authentication methods that meets the Phishing Resistant MFA strength. I'm confused though, because it's still not supported (to my knowledge) to sign into Azure with Windows Hello? So how can this be used as a Conditional Access criteria.

Can someone fill me in?

CharlesP 56 Reputation points

2022-10-31T17:19:00.023+00:00

Some additional information....

From this question on this FAQ page, it sounds like Hello should work to satisfy MFA requirements in Azure.

https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-faq#how-does-windows-hello-for-business-work-with-azure-ad-registered-devices

However, here's what I experience in my testing. I login into my computer with Windows Hello. I open an incognito window, then navigate to portal.azure.com. I am prompted for my username, which I type in. I then get a pop-up for Windows Hello authentication (a fingerprint, in my case). I successfully use my fingerprint, but am then further prompted with a push notification to my Microsoft Authenticator app. So, it appears that it accepts the Hello authentication, but that it isn't meeting the MFA requirement for whatever reason.

My computer is hybrid AD joined rather than Azure AD joined. I'm not sure if this makes a difference.

2 answers

Your answer

CharlesP 56 Reputation points

2022-10-31T17:19:00.023+00:00

Some additional information....

From this question on this FAQ page, it sounds like Hello should work to satisfy MFA requirements in Azure.

https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-faq#how-does-windows-hello-for-business-work-with-azure-ad-registered-devices

However, here's what I experience in my testing. I login into my computer with Windows Hello. I open an incognito window, then navigate to portal.azure.com. I am prompted for my username, which I type in. I then get a pop-up for Windows Hello authentication (a fingerprint, in my case). I successfully use my fingerprint, but am then further prompted with a push notification to my Microsoft Authenticator app. So, it appears that it accepts the Hello authentication, but that it isn't meeting the MFA requirement for whatever reason.

My computer is hybrid AD joined rather than Azure AD joined. I'm not sure if this makes a difference.

Answer 1

James Hamil 27,211 Microsoft Employee Moderator

Hi @CharlesP , thanks for your question and detailed information. Correct me if I misunderstand, but I think your confusion relates to the type of authentication that Windows Hello provides. For example, you use Windows Hello in place of a password, so you'll still be prompted for another MFA method. So for your usecase of the fingerprint, that's only being registered as one authentication method. The authenticator app is the other.

To confirm, you're wishing to use Windows Hello as the second method after say, inputting a password?

Please let me know if this explanation makes sense. If so I'll help you configure conditional access.

Best,
James

CharlesP 56 Reputation points

2022-11-02T15:50:08.547+00:00

Thanks for your response.

Right, I was assuming that Windows Hello itself already would fulfil two factors (the something you have--the Win10 device, and something you are or know--PIN or biometric), so I didn't expect that it would prompt for yet another factor when authenticating to O365 or Azure.
Seader, Brian 16 Reputation points

2022-11-23T14:35:34.117+00:00

Exactly my thoughts as well. I'm also having the same kind of confusion on why WHfB can't be used to satisfy those MFA prompts. You have a managed device hybrid joined \ registered, you have the user and the device is assigned to that account, you have biometric or a PIN. What part am I missing? That device, assigned to that user, with verified PIN/BIO. This should work. It doesn't appear that its an option however. Baffling to me.
Seader, Brian 16 Reputation points

2022-11-23T14:44:37.98+00:00

The factors are 'something you know' or 'something you are' and 'something you have'. It is not simply 'password is replaced with WHfB'. WHfB includes the physical (TPM and registered device) and the the something you know/are. This is why its billed to satisfy MFA @ authentication. I'm not sure Charles is confused at all.
Seader, Brian 16 Reputation points

2022-11-28T13:53:51.19+00:00

In our case we use CA with a session timer and MFA requirement for an application. Our experience is once the initial authentication w/ MFA claim (user logged into workstation or app) has gone beyond the session timer, upon attempting authentication to this 1 hour session timed based app, the user is prompted to sign in and complete MFA. This is expected. That a sign-in w/ WHfB does not satisfy the MFA part of that, only the authentication, with the user further being prompted for Authenticator after the WHfB auth, is what is not expected and doesn't make sense. WHfB satifies Auth w/ MFA for sign-in, but not when CA is enforcing the requirement. Why would WHfB not satisfy MFA in this circumstance vs. that it does for most/all others? I think its a failing of CA and WHfB compatibility.
CharlesP 56 Reputation points

2022-11-29T13:51:40.87+00:00

@James Hamil Are you able to chime in to confirm that what @Seader, Brian and I are experiencing is expected behavior, or is there something we are missing?

Thanks

Answer 2

Andreas Keller 0

Hi, I‘m also confused by this. In my case the device is Entra joined & signed in via hello for business.

If CA requires mfa, no prompt for hello, Entra insists on enrollment of Authenticator app.

If CA is set to authentication strength Windows hello, it fails with CA message „you can’t get there from here“ and CA log states the required method was not available …

best regards

Andreas

Share via

Windows Hello in Conditional Access Rule?

2 answers

Your answer